1013 files changed, 42598 insertions, 10170 deletions

diff --git a/Android.common.mk b/Android.common.mk
index c650cb8d3..d33062aa7 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.2.1"
+strongswan_VERSION := "5.3.0"
 
diff --git a/Doxyfile.in b/Doxyfile.in
index 8adf83c7f..eaf02d7de 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -743,7 +743,7 @@ WARN_LOGFILE           =
 # spaces.
 # Note: If this tag is empty the current directory is searched.
 
-INPUT                  = @SRC_DIR@/
+INPUT                  = @SRC_DIR@/src @SRC_DIR@/README.md
 
 # This tag can be used to specify the character encoding of the source files
 # that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
diff --git a/Makefile.am b/Makefile.am
index 0703abc10..bea4ba7c0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -34,7 +34,7 @@ Doxyfile :	Doxyfile.in
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		-e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
-		-e "s:\@SRC_DIR\@:$(srcdir):" \
+		-e "s:\@SRC_DIR\@:$(srcdir):g" \
 		$(srcdir)/$@.in > $@
 
 apidoc :	Doxyfile
diff --git a/Makefile.in b/Makefile.in
index 8effaa3bc..e10818f54 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -257,6 +257,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -317,10 +318,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -394,6 +397,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -991,7 +996,7 @@ Doxyfile :	Doxyfile.in
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		-e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
-		-e "s:\@SRC_DIR\@:$(srcdir):" \
+		-e "s:\@SRC_DIR\@:$(srcdir):g" \
 		$(srcdir)/$@.in > $@
 
 apidoc :	Doxyfile
diff --git a/NEWS b/NEWS
index f1a4b2146..81a7fc5fc 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,86 @@
+strongswan-5.3.0
+----------------
+
+- Added support for IKEv2 make-before-break reauthentication. By using a global
+  CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs.
+  This allows the use of make-before-break instead of the previously supported
+  break-before-make reauthentication, avoiding connectivity gaps during that
+  procedure. As the new mechanism may fail with peers not supporting it (such
+  as any previous strongSwan release) it must be explicitly enabled using
+  the charon.make_before_break strongswan.conf option.
+
+- Support for "Signature Authentication in IKEv2" (RFC 7427) has been added.
+  This allows the use of stronger hash algorithms for public key authentication.
+  By default, signature schemes are chosen based on the strength of the
+  signature key, but specific hash algorithms may be configured in leftauth.
+
+- Key types and hash algorithms specified in rightauth are now also checked
+  against IKEv2 signature schemes.  If such constraints are used for certificate
+  chain validation in existing configurations, in particular with peers that
+  don't support RFC 7427, it may be necessary to disable this feature with the
+  charon.signature_authentication_constraints setting, because the signature
+  scheme used in classic IKEv2 public key authentication may not be strong
+  enough.
+
+- The new connmark plugin allows a host to bind conntrack flows to a specific
+  CHILD_SA by applying and restoring the SA mark to conntrack entries. This
+  allows a peer to handle multiple transport mode connections coming over the
+  same NAT device for client-initiated flows. A common use case is to protect
+  L2TP/IPsec, as supported by some systems.
+
+- The forecast plugin can forward broadcast and multicast messages between
+  connected clients and a LAN. For CHILD_SA using unique marks, it sets up
+  the required Netfilter rules and uses a multicast/broadcast listener that
+  forwards such messages to all connected clients. This plugin is designed for
+  Windows 7 IKEv2 clients, which announces its services over the tunnel if the
+  negotiated IPsec policy allows it.
+
+- For the vici plugin a Python Egg has been added to allow Python applications
+  to control or monitor the IKE daemon using the VICI interface, similar to the
+  existing ruby gem. The Python library has been contributed by Björn Schuberg.
+
+- EAP server methods now can fulfill public key constraints, such as rightcert
+  or rightca. Additionally, public key and signature constraints can be
+  specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and
+  EAP-TTLS methods provide verification details to constraints checking.
+
+- Upgrade of the BLISS post-quantum signature algorithm to the improved BLISS-B
+  variant. Can be used in conjunction with the SHA256, SHA384 and SHA512 hash
+  algorithms with SHA512 being the default.
+
+- The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor
+  as seen by the TNC server available to all IMVs. This information can be
+  forwarded to policy enforcement points (e.g. firewalls or routers).
+
+- The new mutual tnccs-20 plugin parameter activates mutual TNC measurements
+  in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or
+  PT-TLS transport medium.
+
+
+strongswan-5.2.2
+----------------
+
+- Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
+  payload that contains the Diffie-Hellman group 1025.  This identifier was
+  used internally for DH groups with custom generator and prime.  Because
+  these arguments are missing when creating DH objects based on the KE payload
+  an invalid pointer dereference occurred.  This allowed an attacker to crash
+  the IKE daemon with a single IKE_SA_INIT message containing such a KE
+  payload.  The vulnerability has been registered as CVE-2014-9221.
+
+- The left/rightid options in ipsec.conf, or any other identity in strongSwan,
+  now accept prefixes to enforce an explicit type, such as email: or fqdn:.
+  Note that no conversion is done for the remaining string, refer to
+  ipsec.conf(5) for details.
+
+- The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
+  an IKEv2 public key authentication method. The pki tool offers full support
+  for the generation of BLISS key pairs and certificates.
+
+- Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could
+  cause interoperability issues when connecting to older versions of charon.
+
+
 strongswan-5.2.1
 ----------------
 
diff --git a/conf/Makefile.am b/conf/Makefile.am
index e5077391a..f10af25a2 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -28,6 +28,7 @@ plugins = \
 	plugins/android_log.opt \
 	plugins/attr.opt \
 	plugins/attr-sql.opt \
+	plugins/bliss.opt \
 	plugins/certexpire.opt \
 	plugins/coupling.opt \
 	plugins/dhcp.opt \
@@ -46,6 +47,7 @@ plugins = \
 	plugins/eap-ttls.opt \
 	plugins/error-notify.opt \
 	plugins/ext-auth.opt \
+	plugins/forecast.opt \
 	plugins/gcrypt.opt \
 	plugins/ha.opt \
 	plugins/imc-attestation.opt \
@@ -62,6 +64,7 @@ plugins = \
 	plugins/led.opt \
 	plugins/kernel-libipsec.opt \
 	plugins/kernel-netlink.opt \
+	plugins/kernel-pfkey.opt \
 	plugins/kernel-pfroute.opt \
 	plugins/load-tester.opt \
 	plugins/lookip.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index d5bb3ffa7..4b391402a 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -180,6 +180,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -240,10 +241,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -317,6 +320,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -405,6 +410,7 @@ plugins = \
 	plugins/android_log.opt \
 	plugins/attr.opt \
 	plugins/attr-sql.opt \
+	plugins/bliss.opt \
 	plugins/certexpire.opt \
 	plugins/coupling.opt \
 	plugins/dhcp.opt \
@@ -423,6 +429,7 @@ plugins = \
 	plugins/eap-ttls.opt \
 	plugins/error-notify.opt \
 	plugins/ext-auth.opt \
+	plugins/forecast.opt \
 	plugins/gcrypt.opt \
 	plugins/ha.opt \
 	plugins/imc-attestation.opt \
@@ -439,6 +446,7 @@ plugins = \
 	plugins/led.opt \
 	plugins/kernel-libipsec.opt \
 	plugins/kernel-netlink.opt \
+	plugins/kernel-pfkey.opt \
 	plugins/kernel-pfroute.opt \
 	plugins/load-tester.opt \
 	plugins/lookip.opt \
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 0bec9bb0a..bd8e29940 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -58,6 +58,10 @@ charon {
     # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
     # i_dont_care_about_security_and_use_aggressive_mode_psk = no
 
+    # Whether to ignore the traffic selectors from the kernel's acquire events
+    # for IKEv2 connections (they are not used for IKEv1).
+    # ignore_acquire_ts = no
+
     # A space-separated list of routing tables to be excluded from route
     # lookups.
     # ignore_routing_tables =
@@ -116,6 +120,9 @@ charon {
     # Determine plugins to load via each plugin's load option.
     # load_modular = no
 
+    # Initiate IKEv2 reauthentication with a make-before-break scheme.
+    # make_before_break = no
+
     # Maximum packet size accepted by charon.
     # max_packet = 10000
 
@@ -197,6 +204,12 @@ charon {
     # Send strongSwan vendor ID payload
     # send_vendor_id = no
 
+    # Whether to enable Signature Authentication as per RFC 7427.
+    # signature_authentication = yes
+
+    # Whether to enable constraints against IKEv2 signature schemes.
+    # signature_authentication_constraints = yes
+
     # Number of worker threads in charon.
     # threads = 16
 
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 678aa37bc..bbc50ba37 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -117,6 +117,17 @@ charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
 charon.ignore_routing_tables
 	A space-separated list of routing tables to be excluded from route lookups.
 
+charon.ignore_acquire_ts = no
+	Whether to ignore the traffic selectors from the kernel's acquire events for
+	IKEv2 connections (they are not used for IKEv1).
+
+	If this is disabled the traffic selectors from the kernel's acquire events,
+	which are derived from the triggering packet, are prepended to the traffic
+	selectors from the configuration for IKEv2 connection. By enabling this,
+	such specific traffic selectors will be ignored and only the ones in the
+	config will	be sent. This always happens for IKEv1 connections as the
+	protocol only supports one set of traffic selectors per CHILD_SA.
+
 charon.ikesa_limit = 0
 	Maximum number of IKE_SAs that can be established at the same time before
 	new connection attempts are blocked.
@@ -196,6 +207,16 @@ charon.load_modular = no
 charon.max_packet = 10000
 	Maximum packet size accepted by charon.
 
+charon.make_before_break = no
+	Initiate IKEv2 reauthentication with a make-before-break scheme.
+
+	Initiate IKEv2 reauthentication with a make-before-break instead of a
+	break-before-make scheme. Make-before-break uses overlapping IKE and
+	CHILD_SA during reauthentication by first recreating all new SAs before
+	deleting the old ones. This behavior can be beneficial to avoid connectivity
+	gaps during reauthentication, but requires support for overlapping SAs by
+	the peer. strongSwan can handle such overlapping SAs since version 5.3.0.
+
 charon.multiple_authentication = yes
 	Enable multiple authentication exchanges (RFC 4739).
 
@@ -277,6 +298,17 @@ charon.send_delay_type = 0
 charon.send_vendor_id = no
 	Send strongSwan vendor ID payload
 
+charon.signature_authentication = yes
+	Whether to enable Signature Authentication as per RFC 7427.
+
+charon.signature_authentication_constraints = yes
+	Whether to enable constraints against IKEv2 signature schemes.
+
+	If enabled, signature schemes configured in _rightauth_, in addition to
+	getting used as constraints against signature schemes employed in the
+	certificate chain, are also used as constraints against the signature scheme
+	used by peers during IKEv2.
+
 charon.start-scripts {}
 	Section containing a list of scripts (name = path) that are executed when
 	the daemon is started.
diff --git a/conf/plugins/bliss.conf b/conf/plugins/bliss.conf
new file mode 100644
index 000000000..e35c27dc4
--- /dev/null
+++ b/conf/plugins/bliss.conf
@@ -0,0 +1,11 @@
+bliss {
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+    # Use the enhanced BLISS-B key generation and signature algorithm.
+    # use_bliss_b = yes
+
+}
+
diff --git a/conf/plugins/bliss.opt b/conf/plugins/bliss.opt
new file mode 100644
index 000000000..0983da026
--- /dev/null
+++ b/conf/plugins/bliss.opt
@@ -0,0 +1,2 @@
+charon.plugins.bliss.use_bliss_b = yes
+	Use the enhanced BLISS-B key generation and signature algorithm.
diff --git a/conf/plugins/forecast.conf b/conf/plugins/forecast.conf
new file mode 100644
index 000000000..79edb4bc8
--- /dev/null
+++ b/conf/plugins/forecast.conf
@@ -0,0 +1,17 @@
+forecast {
+
+    # Multicast groups to join locally, allowing forwarding of them.
+    # groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
+
+    # Local interface to listen for broadcasts to forward.
+    # interface =
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+    # CHILD_SA configurations names to perform multi/broadcast reinjection.
+    # reinject =
+
+}
+
diff --git a/conf/plugins/forecast.opt b/conf/plugins/forecast.opt
new file mode 100644
index 000000000..444cced63
--- /dev/null
+++ b/conf/plugins/forecast.opt
@@ -0,0 +1,29 @@
+charon.plugins.forecast.interface =
+	Local interface to listen for broadcasts to forward.
+
+	Name of the local interface to listen for broadcasts messages to forward.
+	If no interface is configured, the first usable interface is used, which
+	is usually just fine for single-homed hosts. If your host has multiple
+	interfaces, set this option to the local LAN interface you want to forward
+	broadcasts from/to.
+
+charon.plugins.forecast.reinject =
+	CHILD_SA configurations names to perform multi/broadcast reinjection.
+
+	Comma separated list of CHILD_SA configuration names for which to perform
+	multi/broadcast reinjection. For clients connecting over such a
+	configuration, any multi/broadcast received over the tunnel gets reinjected
+	to all active tunnels. This makes the broadcasts visible to other peers,
+	and for examples allows clients to see others shares. If disabled,
+	multi/broadcast messages received over a tunnel are injected to the local
+	network only, but not to other IPsec clients.
+
+charon.plugins.forecast.groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
+	Multicast groups to join locally, allowing forwarding of them.
+
+	Comma separated list of multicast groups to join locally. The local host
+	receives and forwards packets in the local LAN for joined multicast groups
+	only. Packets matching the list of multicast groups get forwarded to
+	connected clients. The default group includes host multicasts, IGMP, mDNS,
+	LLMNR and SSDP/WS-Discovery, and is usually a good choice for Windows
+	clients.
diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt
index 9b60b9ede..7a40bc962 100644
--- a/conf/plugins/imc-attestation.opt
+++ b/conf/plugins/imc-attestation.opt
@@ -18,3 +18,21 @@ libimcv.plugins.imc-attestation.use_quote2 = yes
 
 libimcv.plugins.imc-attestation.pcr_info = no
 	Whether to send pcr_before and pcr_after info.
+
+libimcv.plugins.imc-attestation.pcr17_before =
+        PCR17 value before measurement.
+
+libimcv.plugins.imc-attestation.pcr17_meas =
+        Dummy measurement value extended into PCR17 if the TBOOT log is not available.
+
+libimcv.plugins.imc-attestation.pcr17_after =
+        PCR17 value after measurement.
+
+libimcv.plugins.imc-attestation.pcr18_before =
+        PCR18 value before measurement.
+
+libimcv.plugins.imc-attestation.pcr18_meas =
+       Dummy measurement value extended into PCR17 if the TBOOT log is not available. 
+
+libimcv.plugins.imc-attestation.pcr18_after =
+        PCR18 value after measurement.
diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt
index 3ad51625d..f55225023 100644
--- a/conf/plugins/imv-attestation.opt
+++ b/conf/plugins/imv-attestation.opt
@@ -12,21 +12,3 @@ libimcv.plugins.imv-attestation.hash_algorithm = sha256
 
 libimcv.plugins.imv-attestation.min_nonce_len = 0
 	DH minimum nonce length.
-
-libimcv.plugins.imc-attestation.pcr17_after
-	Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr17_before
-	Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr17_meas
-	Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr18_after
-	Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr18_before
-	Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr18_meas
-	Dummy data if the TBOOT log is not retrieved.
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index f05f486b1..723bf0a49 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -4,6 +4,9 @@ kernel-netlink {
     # routing table.
     # fwmark =
 
+    # Whether to ignore errors potentially resulting from a retransmission.
+    # ignore_retransmit_errors = no
+
     # Whether to load the plugin. Can also be an integer to increase the
     # priority of this plugin.
     load = yes
@@ -14,6 +17,21 @@ kernel-netlink {
     # MTU to set on installed routes, 0 to disable.
     # mtu = 0
 
+    # Whether to perform concurrent Netlink ROUTE queries on a single socket.
+    # parallel_route = no
+
+    # Whether to perform concurrent Netlink XFRM queries on a single socket.
+    # parallel_xfrm = no
+
+    # Whether to always use XFRM_MSG_UPDPOLICY to install policies.
+    # policy_update = no
+
+    # Whether to use port or socket based IKE XFRM bypass policies.
+    # port_bypass = no
+
+    # Number of Netlink message retransmissions to send on timeout.
+    # retries = 0
+
     # Whether to trigger roam events when interfaces, addresses or routes
     # change.
     # roam_events = yes
@@ -22,6 +40,9 @@ kernel-netlink {
     # mode IPsec SAs in the kernel.
     # set_proto_port_transport_sa = no
 
+    # Netlink message retransmission timeout, 0 to disable retransmissions.
+    # timeout = 0
+
     # Lifetime of XFRM acquire state in kernel.
     # xfrm_acq_expires = 165
 
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 7d44581a5..800ba20c0 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -13,6 +13,29 @@ charon.plugins.kernel-netlink.mss = 0
 charon.plugins.kernel-netlink.mtu = 0
 	MTU to set on installed routes, 0 to disable.
 
+charon.plugins.kernel-netlink.parallel_route = no
+	Whether to perform concurrent Netlink ROUTE queries on a single socket.
+
+	Whether to perform concurrent Netlink ROUTE queries on a single socket.
+	While parallel queries can improve throughput, it has more overhead. On
+	vanilla Linux, DUMP queries fail with EBUSY and must be retried, further
+	decreasing performance.
+
+charon.plugins.kernel-netlink.parallel_xfrm = no
+	Whether to perform concurrent Netlink XFRM queries on a single socket.
+
+charon.plugins.kernel-netlink.policy_update = no
+	Whether to always use XFRM_MSG_UPDPOLICY to install policies.
+
+charon.plugins.kernel-netlink.port_bypass = no
+	Whether to use port or socket based IKE XFRM bypass policies.
+
+	Whether to use port or socket based IKE XFRM bypass policies.
+	IKE bypass policies are used to exempt IKE traffic from XFRM processing.
+	The default socket based policies are directly tied to the IKE UDP sockets,
+	port based policies use global XFRM bypass policies for the used IKE UDP
+	ports.
+
 charon.plugins.kernel-netlink.roam_events = yes
 	Whether to trigger roam events when interfaces, addresses or routes change.
 
@@ -25,6 +48,15 @@ charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
 	traffic, it also prevents the use of a single IPsec SA by more than one
 	traffic selector.
 
+charon.plugins.kernel-netlink.retries = 0
+	Number of Netlink message retransmissions to send on timeout.
+
+charon.plugins.kernel-netlink.timeout = 0
+	Netlink message retransmission timeout, 0 to disable retransmissions.
+
+charon.plugins.kernel-netlink.ignore_retransmit_errors = no
+	Whether to ignore errors potentially resulting from a retransmission.
+
 charon.plugins.kernel-netlink.xfrm_acq_expires = 165
 	Lifetime of XFRM acquire state in kernel.
 
diff --git a/conf/plugins/kernel-pfkey.conf b/conf/plugins/kernel-pfkey.conf
new file mode 100644
index 000000000..2d4733e74
--- /dev/null
+++ b/conf/plugins/kernel-pfkey.conf
@@ -0,0 +1,11 @@
+kernel-pfkey {
+
+    # Size of the receive buffer for the event socket (0 for default size).
+    # events_buffer_size = 0
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+}
+
diff --git a/conf/plugins/kernel-pfkey.opt b/conf/plugins/kernel-pfkey.opt
new file mode 100644
index 000000000..ec05215d3
--- /dev/null
+++ b/conf/plugins/kernel-pfkey.opt
@@ -0,0 +1,7 @@
+charon.plugins.kernel-pfkey.events_buffer_size = 0
+	Size of the receive buffer for the event socket (0 for default size).
+
+	Size of the receive buffer for the event socket (0 for default size).
+	Because events are received asynchronously installing e.g. lots of policies
+	may require a larger buffer than the default on certain platforms in order
+	to receive all messages.
diff --git a/conf/plugins/tnccs-20.conf b/conf/plugins/tnccs-20.conf
index 9a57ee14d..e8c45ae5c 100644
--- a/conf/plugins/tnccs-20.conf
+++ b/conf/plugins/tnccs-20.conf
@@ -10,5 +10,18 @@ tnccs-20 {
     # Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
     # max_message_size = 65490
 
+    # Enable PB-TNC mutual protocol.
+    # mutual = no
+
+    tests {
+
+        # Send an unsupported PB-TNC message type with the NOSKIP flag set.
+        # pb_tnc_noskip = no
+
+        # Send a PB-TNC batch with a modified PB-TNC version.
+        # pb_tnc_version = 2
+
+    }
+
 }
 
diff --git a/conf/plugins/tnccs-20.opt b/conf/plugins/tnccs-20.opt
index b15bc3fa1..8d16d1cb2 100644
--- a/conf/plugins/tnccs-20.opt
+++ b/conf/plugins/tnccs-20.opt
@@ -3,3 +3,12 @@ charon.plugins.tnccs-20.max_batch_size = 65522
 
 charon.plugins.tnccs-20.max_message_size = 65490
 	Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
+
+charon.plugins.tnccs-20.mutual = no
+        Enable PB-TNC mutual protocol.
+
+charon.plugins.tnccs-20.tests.pb_tnc_noskip = no
+        Send an unsupported PB-TNC message type with the NOSKIP flag set.
+
+charon.plugins.tnccs-20.tests.pb_tnc_version = 2
+        Send a PB-TNC batch with a modified PB-TNC version.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 28f6b12ec..b6db9c914 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -198,6 +198,15 @@ keys, which is discouraged due to security concerns (offline attacks on the
 openly transmitted hash of the PSK).
 
 .TP
+.BR charon.ignore_acquire_ts " [no]"
+If this is disabled the traffic selectors from the kernel's acquire events,
+which are derived from the triggering packet, are prepended to the traffic
+selectors from the configuration for IKEv2 connection. By enabling this, such
+specific traffic selectors will be ignored and only the ones in the config will
+be sent. This always happens for IKEv1 connections as the protocol only supports
+one set of traffic selectors per CHILD_SA.
+
+.TP
 .BR charon.ignore_routing_tables " []"
 A space\-separated list of routing tables to be excluded from route lookups.
 
@@ -322,6 +331,15 @@ preserved. Enabled plugins not found in that list are ordered alphabetically
 before other plugins with the same priority.
 
 .TP
+.BR charon.make_before_break " [no]"
+Initiate IKEv2 reauthentication with a make\-before\-break instead of a
+break\-before\-make scheme. Make\-before\-break uses overlapping IKE and CHILD_SA
+during reauthentication by first recreating all new SAs before deleting the old
+ones. This behavior can be beneficial to avoid connectivity gaps during
+reauthentication, but requires support for overlapping SAs by the peer.
+strongSwan can handle such overlapping SAs since version 5.3.0.
+
+.TP
 .BR charon.max_packet " [10000]"
 Maximum packet size accepted by charon.
 
@@ -374,6 +392,10 @@ sure to adjust the permissions of the config file accordingly.
 Enable logging of SQL IP pool leases.
 
 .TP
+.BR charon.plugins.bliss.use_bliss_b " [yes]"
+Use the enhanced BLISS\-B key generation and signature algorithm.
+
+.TP
 .BR charon.plugins.certexpire.csv.cron " []"
 Cron style string specifying CSV export times.
 
@@ -762,6 +784,31 @@ Remote IKE identity.
 Remote EAP or XAuth identity, if used.
 
 .TP
+.BR charon.plugins.forecast.groups " [224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250]"
+Comma separated list of multicast groups to join locally. The local host
+receives and forwards packets in the local LAN for joined multicast groups only.
+Packets matching the list of multicast groups get forwarded to connected
+clients. The default group includes host multicasts, IGMP, mDNS, LLMNR and
+SSDP/WS\-Discovery, and is usually a good choice for Windows clients.
+
+.TP
+.BR charon.plugins.forecast.interface " []"
+Name of the local interface to listen for broadcasts messages to forward. If no
+interface is configured, the first usable interface is used, which is usually
+just fine for single\-homed hosts. If your host has multiple interfaces, set this
+option to the local LAN interface you want to forward broadcasts from/to.
+
+.TP
+.BR charon.plugins.forecast.reinject " []"
+Comma separated list of CHILD_SA configuration names for which to perform
+multi/broadcast reinjection. For clients connecting over such a configuration,
+any multi/broadcast received over the tunnel gets reinjected to all active
+tunnels. This makes the broadcasts visible to other peers, and for examples
+allows clients to see others shares. If disabled, multi/broadcast messages
+received over a tunnel are injected to the local network only, but not to other
+IPsec clients.
+
+.TP
 .BR charon.plugins.gcrypt.quick_random " [no]"
 Use faster random numbers in gcrypt; for testing only, produces weak keys!
 
@@ -812,6 +859,10 @@ table. The format is [!]mark[/mask], where the optional exclamation mark inverts
 the meaning (i.e. the rule only applies to packets that don't match the mark).
 
 .TP
+.BR charon.plugins.kernel-netlink.ignore_retransmit_errors " [no]"
+Whether to ignore errors potentially resulting from a retransmission.
+
+.TP
 .BR charon.plugins.kernel-netlink.mss " [0]"
 MSS to set on installed routes, 0 to disable.
 
@@ -820,6 +871,32 @@ MSS to set on installed routes, 0 to disable.
 MTU to set on installed routes, 0 to disable.
 
 .TP
+.BR charon.plugins.kernel-netlink.parallel_route " [no]"
+Whether to perform concurrent Netlink ROUTE queries on a single socket. While
+parallel queries can improve throughput, it has more overhead. On vanilla Linux,
+DUMP queries fail with EBUSY and must be retried, further decreasing
+performance.
+
+.TP
+.BR charon.plugins.kernel-netlink.parallel_xfrm " [no]"
+Whether to perform concurrent Netlink XFRM queries on a single socket.
+
+.TP
+.BR charon.plugins.kernel-netlink.policy_update " [no]"
+Whether to always use XFRM_MSG_UPDPOLICY to install policies.
+
+.TP
+.BR charon.plugins.kernel-netlink.port_bypass " [no]"
+Whether to use port or socket based IKE XFRM bypass policies. IKE bypass
+policies are used to exempt IKE traffic from XFRM processing. The default socket
+based policies are directly tied to the IKE UDP sockets, port based policies use
+global XFRM bypass policies for the used IKE UDP ports.
+
+.TP
+.BR charon.plugins.kernel-netlink.retries " [0]"
+Number of Netlink message retransmissions to send on timeout.
+
+.TP
 .BR charon.plugins.kernel-netlink.roam_events " [yes]"
 Whether to trigger roam events when interfaces, addresses or routes change.
 
@@ -830,12 +907,23 @@ IPsec SAs in the kernel. While doing so enforces policies for inbound traffic,
 it also prevents the use of a single IPsec SA by more than one traffic selector.
 
 .TP
+.BR charon.plugins.kernel-netlink.timeout " [0]"
+Netlink message retransmission timeout, 0 to disable retransmissions.
+
+.TP
 .BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
 Lifetime of XFRM acquire state in kernel. The value gets written to
 /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
 acquire messages sent.
 
 .TP
+.BR charon.plugins.kernel-pfkey.events_buffer_size " [0]"
+Size of the receive buffer for the event socket (0 for default size). Because
+events are received asynchronously installing e.g. lots of policies may require
+a larger buffer than the default on certain platforms in order to receive all
+messages.
+
+.TP
 .BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
 Time in ms to wait until virtual IP addresses appear/disappear before failing.
 
@@ -1291,6 +1379,18 @@ Maximum size of a PB\-TNC batch (upper limit via PT\-EAP = 65529).
 Maximum size of a PA\-TNC message (upper limit via PT\-EAP = 65497).
 
 .TP
+.BR charon.plugins.tnccs-20.mutual " [no]"
+Enable PB\-TNC mutual protocol.
+
+.TP
+.BR charon.plugins.tnccs-20.tests.pb_tnc_noskip " [no]"
+Send an unsupported PB\-TNC message type with the NOSKIP flag set.
+
+.TP
+.BR charon.plugins.tnccs-20.tests.pb_tnc_version " [2]"
+Send a PB\-TNC batch with a modified PB\-TNC version.
+
+.TP
 .BR charon.plugins.unbound.dlv_anchors " []"
 File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
 the same format as
@@ -1444,6 +1544,19 @@ Specific IKEv2 message type to delay, 0 for any.
 Send strongSwan vendor ID payload
 
 .TP
+.BR charon.signature_authentication " [yes]"
+Whether to enable Signature Authentication as per RFC 7427.
+
+.TP
+.BR charon.signature_authentication_constraints " [yes]"
+If enabled, signature schemes configured in
+.RI "" "rightauth" ","
+in addition to getting
+used as constraints against signature schemes employed in the certificate chain,
+are also used as constraints against the signature scheme used by peers during
+IKEv2.
+
+.TP
 .B charon.start-scripts
 .br
 Section containing a list of scripts (name = path) that are executed when the
@@ -1581,27 +1694,27 @@ DH nonce length.
 
 .TP
 .BR libimcv.plugins.imc-attestation.pcr17_after " []"
-Dummy data if the TBOOT log is not retrieved.
+PCR17 value after measurement.
 
 .TP
 .BR libimcv.plugins.imc-attestation.pcr17_before " []"
-Dummy data if the TBOOT log is not retrieved.
+PCR17 value before measurement.
 
 .TP
 .BR libimcv.plugins.imc-attestation.pcr17_meas " []"
-Dummy data if the TBOOT log is not retrieved.
+Dummy measurement value extended into PCR17 if the TBOOT log is not available.
 
 .TP
 .BR libimcv.plugins.imc-attestation.pcr18_after " []"
-Dummy data if the TBOOT log is not retrieved.
+PCR18 value after measurement.
 
 .TP
 .BR libimcv.plugins.imc-attestation.pcr18_before " []"
-Dummy data if the TBOOT log is not retrieved.
+PCR18 value before measurement.
 
 .TP
 .BR libimcv.plugins.imc-attestation.pcr18_meas " []"
-Dummy data if the TBOOT log is not retrieved.
+Dummy measurement value extended into PCR17 if the TBOOT log is not available.
 
 .TP
 .BR libimcv.plugins.imc-attestation.pcr_info " [no]"
diff --git a/configure b/configure
index ee7d4cb05..811e45288 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.2.1.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.3.0.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.2.1'
-PACKAGE_STRING='strongSwan 5.2.1'
+PACKAGE_VERSION='5.3.0'
+PACKAGE_STRING='strongSwan 5.3.0'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -633,6 +633,10 @@ am__EXEEXT_TRUE
 LTLIBOBJS
 LIBOBJS
 strongswan_options
+USE_PY_TEST_FALSE
+USE_PY_TEST_TRUE
+USE_PYTHON_EGGS_FALSE
+USE_PYTHON_EGGS_TRUE
 USE_RUBY_GEMS_FALSE
 USE_RUBY_GEMS_TRUE
 USE_LEGACY_SYSTEMD_FALSE
@@ -727,8 +731,6 @@ USE_LOCK_PROFILER_FALSE
 USE_LOCK_PROFILER_TRUE
 USE_LEAK_DETECTIVE_FALSE
 USE_LEAK_DETECTIVE_TRUE
-USE_RESOLVE_FALSE
-USE_RESOLVE_TRUE
 USE_KERNEL_PFROUTE_FALSE
 USE_KERNEL_PFROUTE_TRUE
 USE_KERNEL_PFKEY_FALSE
@@ -739,12 +741,18 @@ USE_ATTR_SQL_FALSE
 USE_ATTR_SQL_TRUE
 USE_ATTR_FALSE
 USE_ATTR_TRUE
+USE_RESOLVE_FALSE
+USE_RESOLVE_TRUE
 USE_UNITY_FALSE
 USE_UNITY_TRUE
 USE_ADDRBLOCK_FALSE
 USE_ADDRBLOCK_TRUE
 USE_FARP_FALSE
 USE_FARP_TRUE
+USE_FORECAST_FALSE
+USE_FORECAST_TRUE
+USE_CONNMARK_FALSE
+USE_CONNMARK_TRUE
 USE_SOCKET_WIN_FALSE
 USE_SOCKET_WIN_TRUE
 USE_SOCKET_DYNAMIC_FALSE
@@ -861,8 +869,6 @@ USE_HA_FALSE
 USE_HA_TRUE
 USE_LOAD_TESTER_FALSE
 USE_LOAD_TESTER_TRUE
-USE_UNIT_TESTS_FALSE
-USE_UNIT_TESTS_TRUE
 USE_DHCP_FALSE
 USE_DHCP_TRUE
 USE_UPDOWN_FALSE
@@ -893,6 +899,8 @@ USE_VICI_FALSE
 USE_VICI_TRUE
 USE_STROKE_FALSE
 USE_STROKE_TRUE
+USE_BLISS_FALSE
+USE_BLISS_TRUE
 USE_NTRU_FALSE
 USE_NTRU_TRUE
 USE_AF_ALG_FALSE
@@ -985,6 +993,8 @@ USE_UNBOUND_FALSE
 USE_UNBOUND_TRUE
 USE_WINHTTP_FALSE
 USE_WINHTTP_TRUE
+USE_FILES_FALSE
+USE_FILES_TRUE
 USE_CURL_FALSE
 USE_CURL_TRUE
 USE_TEST_VECTORS_FALSE
@@ -1005,6 +1015,9 @@ attest_plugins
 pool_plugins
 starter_plugins
 charon_plugins
+PY_TEST
+PYTHONEGGINSTALLDIR
+EASY_INSTALL
 RUBYGEMDIR
 GEM
 COVERAGE_LDFLAGS
@@ -1017,6 +1030,8 @@ USE_DEV_HEADERS_FALSE
 USE_DEV_HEADERS_TRUE
 UNWINDLIB
 BFDLIB
+libiptc_LIBS
+libiptc_CFLAGS
 nm_LIBS
 nm_CFLAGS
 pcsclite_LIBS
@@ -1238,6 +1253,7 @@ with_mpz_powm_sec
 with_dev_headers
 with_printf_hooks
 with_rubygemdir
+with_pythoneggdir
 with_systemdsystemunitdir
 with_user
 with_group
@@ -1245,6 +1261,7 @@ with_charon_udp_port
 with_charon_natt_port
 enable_aes
 enable_af_alg
+enable_bliss
 enable_blowfish
 enable_ccm
 enable_cmac
@@ -1278,6 +1295,7 @@ enable_pubkey
 enable_sshkey
 enable_x509
 enable_curl
+enable_files
 enable_ldap
 enable_soup
 enable_unbound
@@ -1358,6 +1376,8 @@ enable_tnccs_20
 enable_tnccs_dynamic
 enable_android_log
 enable_certexpire
+enable_connmark
+enable_forecast
 enable_duplicheck
 enable_error_notify
 enable_farp
@@ -1369,7 +1389,6 @@ enable_maemo
 enable_radattr
 enable_systime_fix
 enable_test_vectors
-enable_unit_tester
 enable_updown
 enable_aikgen
 enable_charon
@@ -1398,6 +1417,7 @@ enable_load_warning
 enable_mediation
 enable_unwind_backtraces
 enable_ruby_gems
+enable_python_eggs
 enable_coverage
 enable_leak_detective
 enable_lock_profiler
@@ -1446,7 +1466,9 @@ maemo_LIBS
 pcsclite_CFLAGS
 pcsclite_LIBS
 nm_CFLAGS
-nm_LIBS'
+nm_LIBS
+libiptc_CFLAGS
+libiptc_LIBS'
 
 
 # Initialize some variables set by options.
@@ -1987,7 +2009,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.2.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.3.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -2057,7 +2079,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.2.1:";;
+     short | recursive ) echo "Configuration of strongSwan 5.3.0:";;
    esac
   cat <<\_ACEOF
 
@@ -2069,6 +2091,7 @@ Optional Features:
   --disable-silent-rules  verbose build output (undo: "make V=0")
   --disable-aes           disable AES software implementation plugin.
   --enable-af-alg         enable AF_ALG crypto interface to Linux Crypto API.
+  --enable-bliss          enable BLISS software implementation plugin.
   --enable-blowfish       enable Blowfish software implementation plugin.
   --enable-ccm            enables the CCM AEAD wrapper crypto plugin.
   --disable-cmac          disable CMAC crypto implementation plugin.
@@ -2105,6 +2128,7 @@ Optional Features:
   --disable-x509          disable X509 certificate implementation plugin.
   --enable-curl           enable CURL fetcher plugin to fetch files via
                           libcurl. Requires libcurl.
+  --enable-files          enable simple file:// URI fetcher.
   --enable-ldap           enable LDAP fetching plugin to fetch files via
                           libldap. Requires openLDAP.
   --enable-soup           enable soup fetcher plugin to fetch from HTTP via
@@ -2210,6 +2234,10 @@ Optional Features:
   --enable-android-log    enable Android specific logger plugin.
   --enable-certexpire     enable CSV export of expiration dates of used
                           certificates.
+  --enable-connmark       enable connmark plugin using conntrack based marks
+                          to select return path SA.
+  --enable-forecast       enable forecast plugin forwarding
+                          broadcast/multicast messages.
   --enable-duplicheck     advanced duplicate checking plugin using liveness
                           checks.
   --enable-error-notify   enable error notification plugin.
@@ -2227,7 +2255,6 @@ Optional Features:
   --enable-systime-fix    enable plugin to handle cert lifetimes with invalid
                           system time gracefully.
   --enable-test-vectors   enable plugin providing crypto test vectors.
-  --enable-unit-tester    enable unit tests on IKEv2 daemon startup.
   --disable-updown        disable updown firewall script plugin.
   --enable-aikgen         enable AIK generator.
   --disable-charon        disable the IKEv1/IKEv2 keying daemon charon.
@@ -2267,6 +2294,7 @@ Optional Features:
                           use libunwind to create backtraces for memory leaks
                           and segfaults.
   --enable-ruby-gems      enable installation of provided ruby gems.
+  --enable-python-eggs    enable installation of provided python eggs.
   --enable-coverage       enable lcov coverage report generation.
   --enable-leak-detective enable malloc hooks to find memory leaks.
   --enable-lock-profiler  enable lock/mutex profiling code.
@@ -2343,6 +2371,8 @@ Optional Packages:
                           (default: auto).
   --with-rubygemdir=arg   path to install ruby gems to (default: "gem
                           environment gemdir").
+  --with-pythoneggdir=arg path to install python eggs to to (default: "main
+                          site-packages directory").
   --with-systemdsystemunitdir=arg
                           directory for systemd service files (default:
                           $systemdsystemunitdir_default).
@@ -2411,6 +2441,10 @@ Some influential environment variables:
               linker flags for pcsclite, overriding pkg-config
   nm_CFLAGS   C compiler flags for nm, overriding pkg-config
   nm_LIBS     linker flags for nm, overriding pkg-config
+  libiptc_CFLAGS
+              C compiler flags for libiptc, overriding pkg-config
+  libiptc_LIBS
+              linker flags for libiptc, overriding pkg-config
 
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
@@ -2478,7 +2512,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.2.1
+strongSwan configure 5.3.0
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3000,7 +3034,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.2.1, which was
+It was created by strongSwan $as_me 5.3.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3863,7 +3897,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.2.1'
+ VERSION='5.3.0'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -4595,6 +4629,16 @@ fi
 
 
 
+# Check whether --with-pythoneggdir was given.
+if test "${with_pythoneggdir+set}" = set; then :
+  withval=$with_pythoneggdir; pythoneggdir="$withval"
+else
+  pythoneggdir="main site-packages directory"
+
+fi
+
+
+
 if test -n "$PKG_CONFIG"; then
 	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
 fi
@@ -4738,6 +4782,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" af_alg"
 
+# Check whether --enable-bliss was given.
+if test "${enable_bliss+set}" = set; then :
+  enableval=$enable_bliss; bliss_given=true
+		if test x$enableval = xyes; then
+			bliss=true
+		 else
+			bliss=false
+		fi
+else
+  bliss=false
+		bliss_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" bliss"
+
 # Check whether --enable-blowfish was given.
 if test "${enable_blowfish+set}" = set; then :
   enableval=$enable_blowfish; blowfish_given=true
@@ -5268,6 +5328,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" curl"
 
+# Check whether --enable-files was given.
+if test "${enable_files+set}" = set; then :
+  enableval=$enable_files; files_given=true
+		if test x$enableval = xyes; then
+			files=true
+		 else
+			files=false
+		fi
+else
+  files=false
+		files_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" files"
+
 # Check whether --enable-ldap was given.
 if test "${enable_ldap+set}" = set; then :
   enableval=$enable_ldap; ldap_given=true
@@ -6555,6 +6631,38 @@ fi
 
 	disabled_by_default=${disabled_by_default}" certexpire"
 
+# Check whether --enable-connmark was given.
+if test "${enable_connmark+set}" = set; then :
+  enableval=$enable_connmark; connmark_given=true
+		if test x$enableval = xyes; then
+			connmark=true
+		 else
+			connmark=false
+		fi
+else
+  connmark=false
+		connmark_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" connmark"
+
+# Check whether --enable-forecast was given.
+if test "${enable_forecast+set}" = set; then :
+  enableval=$enable_forecast; forecast_given=true
+		if test x$enableval = xyes; then
+			forecast=true
+		 else
+			forecast=false
+		fi
+else
+  forecast=false
+		forecast_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" forecast"
+
 # Check whether --enable-duplicheck was given.
 if test "${enable_duplicheck+set}" = set; then :
   enableval=$enable_duplicheck; duplicheck_given=true
@@ -6731,22 +6839,6 @@ fi
 
 	disabled_by_default=${disabled_by_default}" test_vectors"
 
-# Check whether --enable-unit-tester was given.
-if test "${enable_unit_tester+set}" = set; then :
-  enableval=$enable_unit_tester; unit_tester_given=true
-		if test x$enableval = xyes; then
-			unit_tester=true
-		 else
-			unit_tester=false
-		fi
-else
-  unit_tester=false
-		unit_tester_given=false
-
-fi
-
-	disabled_by_default=${disabled_by_default}" unit_tester"
-
 # Check whether --enable-updown was given.
 if test "${enable_updown+set}" = set; then :
   enableval=$enable_updown; updown_given=true
@@ -7197,6 +7289,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" ruby_gems"
 
+# Check whether --enable-python-eggs was given.
+if test "${enable_python_eggs+set}" = set; then :
+  enableval=$enable_python_eggs; python_eggs_given=true
+		if test x$enableval = xyes; then
+			python_eggs=true
+		 else
+			python_eggs=false
+		fi
+else
+  python_eggs=false
+		python_eggs_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" python_eggs"
+
 # compile options
 # Check whether --enable-coverage was given.
 if test "${enable_coverage+set}" = set; then :
@@ -20878,6 +20986,102 @@ fi
 
 fi
 
+if test x$connmark = xtrue -o x$forecast = xtrue; then
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libiptc" >&5
+$as_echo_n "checking for libiptc... " >&6; }
+
+if test -n "$libiptc_CFLAGS"; then
+    pkg_cv_libiptc_CFLAGS="$libiptc_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libiptc\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libiptc") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_libiptc_CFLAGS=`$PKG_CONFIG --cflags "libiptc" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$libiptc_LIBS"; then
+    pkg_cv_libiptc_LIBS="$libiptc_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libiptc\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libiptc") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_libiptc_LIBS=`$PKG_CONFIG --libs "libiptc" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        libiptc_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libiptc" 2>&1`
+        else
+	        libiptc_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libiptc" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$libiptc_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (libiptc) were not met:
+
+$libiptc_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables libiptc_CFLAGS
+and libiptc_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables libiptc_CFLAGS
+and libiptc_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	libiptc_CFLAGS=$pkg_cv_libiptc_CFLAGS
+	libiptc_LIBS=$pkg_cv_libiptc_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+
+fi
+
 if test x$capabilities = xnative; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: Usage of the native Linux capabilities interface is deprecated, use libcap instead" >&5
 $as_echo "$as_me: Usage of the native Linux capabilities interface is deprecated, use libcap instead" >&6;}
@@ -21326,6 +21530,101 @@ fi
 
 fi
 
+if test x$python_eggs = xtrue; then
+	# Extract the first word of "easy_install", so it can be a program name with args.
+set dummy easy_install; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_EASY_INSTALL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $EASY_INSTALL in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_EASY_INSTALL="$EASY_INSTALL" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_EASY_INSTALL="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+EASY_INSTALL=$ac_cv_path_EASY_INSTALL
+if test -n "$EASY_INSTALL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $EASY_INSTALL" >&5
+$as_echo "$EASY_INSTALL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+	if test x$EASY_INSTALL = x; then
+		as_fn_error $? "Python easy_install not found" "$LINENO" 5
+	fi
+	if test "x$pythoneggdir" = "xmain site-packages directory"; then
+		PYTHONEGGINSTALLDIR=""
+
+	else
+		PYTHONEGGINSTALLDIR="--install-dir $pythoneggdir"
+
+	fi
+	# Extract the first word of "py.test", so it can be a program name with args.
+set dummy py.test; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PY_TEST+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PY_TEST in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PY_TEST="$PY_TEST" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PY_TEST="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PY_TEST=$ac_cv_path_PY_TEST
+if test -n "$PY_TEST"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PY_TEST" >&5
+$as_echo "$PY_TEST" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+
 # ===============================================
 #  collect plugin list for strongSwan components
 # ===============================================
@@ -21382,26 +21681,6 @@ if test x$ldap = xtrue; then
 
 	fi
 
-if test x$mysql = xtrue; then
-		s_plugins=${s_plugins}" mysql"
-		charon_plugins=${charon_plugins}" mysql"
-		pool_plugins=${pool_plugins}" mysql"
-		manager_plugins=${manager_plugins}" mysql"
-		medsrv_plugins=${medsrv_plugins}" mysql"
-		attest_plugins=${attest_plugins}" mysql"
-
-	fi
-
-if test x$sqlite = xtrue; then
-		s_plugins=${s_plugins}" sqlite"
-		charon_plugins=${charon_plugins}" sqlite"
-		pool_plugins=${pool_plugins}" sqlite"
-		manager_plugins=${manager_plugins}" sqlite"
-		medsrv_plugins=${medsrv_plugins}" sqlite"
-		attest_plugins=${attest_plugins}" sqlite"
-
-	fi
-
 if test x$pkcs11 = xtrue; then
 		s_plugins=${s_plugins}" pkcs11"
 		charon_plugins=${charon_plugins}" pkcs11"
@@ -21794,6 +22073,7 @@ if test x$cmac = xtrue; then
 if test x$hmac = xtrue; then
 		s_plugins=${s_plugins}" hmac"
 		charon_plugins=${charon_plugins}" hmac"
+		pki_plugins=${pki_plugins}" hmac"
 		scripts_plugins=${scripts_plugins}" hmac"
 		nm_plugins=${nm_plugins}" hmac"
 		cmd_plugins=${cmd_plugins}" hmac"
@@ -21836,6 +22116,16 @@ if test x$ntru = xtrue; then
 
 	fi
 
+if test x$bliss = xtrue; then
+		s_plugins=${s_plugins}" bliss"
+		charon_plugins=${charon_plugins}" bliss"
+		pki_plugins=${pki_plugins}" bliss"
+		scripts_plugins=${scripts_plugins}" bliss"
+		nm_plugins=${nm_plugins}" bliss"
+		cmd_plugins=${cmd_plugins}" bliss"
+
+	fi
+
 if test x$curl = xtrue; then
 		s_plugins=${s_plugins}" curl"
 		charon_plugins=${charon_plugins}" curl"
@@ -21847,6 +22137,17 @@ if test x$curl = xtrue; then
 
 	fi
 
+if test x$files = xtrue; then
+		s_plugins=${s_plugins}" files"
+		charon_plugins=${charon_plugins}" files"
+		scepclient_plugins=${scepclient_plugins}" files"
+		pki_plugins=${pki_plugins}" files"
+		scripts_plugins=${scripts_plugins}" files"
+		nm_plugins=${nm_plugins}" files"
+		cmd_plugins=${cmd_plugins}" files"
+
+	fi
+
 if test x$winhttp = xtrue; then
 		s_plugins=${s_plugins}" winhttp"
 		charon_plugins=${charon_plugins}" winhttp"
@@ -21865,14 +22166,34 @@ if test x$soup = xtrue; then
 
 	fi
 
+if test x$mysql = xtrue; then
+		s_plugins=${s_plugins}" mysql"
+		charon_plugins=${charon_plugins}" mysql"
+		pool_plugins=${pool_plugins}" mysql"
+		manager_plugins=${manager_plugins}" mysql"
+		medsrv_plugins=${medsrv_plugins}" mysql"
+		attest_plugins=${attest_plugins}" mysql"
+
+	fi
+
+if test x$sqlite = xtrue; then
+		s_plugins=${s_plugins}" sqlite"
+		charon_plugins=${charon_plugins}" sqlite"
+		pool_plugins=${pool_plugins}" sqlite"
+		manager_plugins=${manager_plugins}" sqlite"
+		medsrv_plugins=${medsrv_plugins}" sqlite"
+		attest_plugins=${attest_plugins}" sqlite"
+
+	fi
+
 if test x$attr = xtrue; then
-		h_plugins=${h_plugins}" attr"
+		c_plugins=${c_plugins}" attr"
 		charon_plugins=${charon_plugins}" attr"
 
 	fi
 
 if test x$attr_sql = xtrue; then
-		h_plugins=${h_plugins}" attr-sql"
+		c_plugins=${c_plugins}" attr-sql"
 		charon_plugins=${charon_plugins}" attr-sql"
 
 	fi
@@ -21930,7 +22251,7 @@ if test x$kernel_netlink = xtrue; then
 	fi
 
 if test x$resolve = xtrue; then
-		h_plugins=${h_plugins}" resolve"
+		c_plugins=${c_plugins}" resolve"
 		charon_plugins=${charon_plugins}" resolve"
 		cmd_plugins=${cmd_plugins}" resolve"
 
@@ -21957,6 +22278,18 @@ if test x$socket_win = xtrue; then
 
 	fi
 
+if test x$connmark = xtrue; then
+		c_plugins=${c_plugins}" connmark"
+		charon_plugins=${charon_plugins}" connmark"
+
+	fi
+
+if test x$forecast = xtrue; then
+		c_plugins=${c_plugins}" forecast"
+		charon_plugins=${charon_plugins}" forecast"
+
+	fi
+
 if test x$farp = xtrue; then
 		c_plugins=${c_plugins}" farp"
 		charon_plugins=${charon_plugins}" farp"
@@ -22315,12 +22648,6 @@ if test x$unity = xtrue; then
 
 	fi
 
-if test x$unit_tester = xtrue; then
-		c_plugins=${c_plugins}" unit-tester"
-		charon_plugins=${charon_plugins}" unit-tester"
-
-	fi
-
 
 
 
@@ -22362,6 +22689,14 @@ else
   USE_CURL_FALSE=
 fi
 
+ if test x$files = xtrue; then
+  USE_FILES_TRUE=
+  USE_FILES_FALSE='#'
+else
+  USE_FILES_TRUE='#'
+  USE_FILES_FALSE=
+fi
+
  if test x$winhttp = xtrue; then
   USE_WINHTTP_TRUE=
   USE_WINHTTP_FALSE='#'
@@ -22730,6 +23065,14 @@ else
   USE_NTRU_FALSE=
 fi
 
+ if test x$bliss = xtrue; then
+  USE_BLISS_TRUE=
+  USE_BLISS_FALSE='#'
+else
+  USE_BLISS_TRUE='#'
+  USE_BLISS_FALSE=
+fi
+
 
 #  charon plugins
 # ----------------
@@ -22853,14 +23196,6 @@ else
   USE_DHCP_FALSE=
 fi
 
- if test x$unit_tester = xtrue; then
-  USE_UNIT_TESTS_TRUE=
-  USE_UNIT_TESTS_FALSE='#'
-else
-  USE_UNIT_TESTS_TRUE='#'
-  USE_UNIT_TESTS_FALSE=
-fi
-
  if test x$load_tester = xtrue; then
   USE_LOAD_TESTER_TRUE=
   USE_LOAD_TESTER_FALSE='#'
@@ -23325,6 +23660,22 @@ else
   USE_SOCKET_WIN_FALSE=
 fi
 
+ if test x$connmark = xtrue; then
+  USE_CONNMARK_TRUE=
+  USE_CONNMARK_FALSE='#'
+else
+  USE_CONNMARK_TRUE='#'
+  USE_CONNMARK_FALSE=
+fi
+
+ if test x$forecast = xtrue; then
+  USE_FORECAST_TRUE=
+  USE_FORECAST_FALSE='#'
+else
+  USE_FORECAST_TRUE='#'
+  USE_FORECAST_FALSE=
+fi
+
  if test x$farp = xtrue; then
   USE_FARP_TRUE=
   USE_FARP_FALSE='#'
@@ -23349,9 +23700,14 @@ else
   USE_UNITY_FALSE=
 fi
 
+ if test x$resolve = xtrue; then
+  USE_RESOLVE_TRUE=
+  USE_RESOLVE_FALSE='#'
+else
+  USE_RESOLVE_TRUE='#'
+  USE_RESOLVE_FALSE=
+fi
 
-#  hydra plugins
-# ---------------
  if test x$attr = xtrue; then
   USE_ATTR_TRUE=
   USE_ATTR_FALSE='#'
@@ -23368,6 +23724,9 @@ else
   USE_ATTR_SQL_FALSE=
 fi
 
+
+#  hydra plugins
+# ---------------
  if test x$kernel_netlink = xtrue; then
   USE_KERNEL_NETLINK_TRUE=
   USE_KERNEL_NETLINK_FALSE='#'
@@ -23392,14 +23751,6 @@ else
   USE_KERNEL_PFROUTE_FALSE=
 fi
 
- if test x$resolve = xtrue; then
-  USE_RESOLVE_TRUE=
-  USE_RESOLVE_FALSE='#'
-else
-  USE_RESOLVE_TRUE='#'
-  USE_RESOLVE_FALSE=
-fi
-
 
 #  other options
 # ---------------
@@ -23779,6 +24130,22 @@ else
   USE_RUBY_GEMS_FALSE=
 fi
 
+ if test x$python_eggs = xtrue; then
+  USE_PYTHON_EGGS_TRUE=
+  USE_PYTHON_EGGS_FALSE='#'
+else
+  USE_PYTHON_EGGS_TRUE='#'
+  USE_PYTHON_EGGS_FALSE=
+fi
+
+ if test "x$PY_TEST" != x; then
+  USE_PY_TEST_TRUE=
+  USE_PY_TEST_FALSE='#'
+else
+  USE_PY_TEST_TRUE='#'
+  USE_PY_TEST_FALSE=
+fi
+
 
 # ========================
 #  set global definitions
@@ -23862,14 +24229,14 @@ fi
 #  build Makefiles
 # =================
 
-ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/tests/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile"
 
 
 # =================
 #  build man pages
 # =================
 
-ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---acert.1 src/pki/man/pki---verify.1 src/swanctl/swanctl.8 src/swanctl/swanctl.conf.5.head src/swanctl/swanctl.conf.5.tail"
+ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---pkcs12.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---acert.1 src/pki/man/pki---verify.1 src/swanctl/swanctl.8 src/swanctl/swanctl.conf.5.head src/swanctl/swanctl.conf.5.tail"
 
 
 cat >confcache <<\_ACEOF
@@ -24026,6 +24393,10 @@ if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then
   as_fn_error $? "conditional \"USE_CURL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_FILES_TRUE}" && test -z "${USE_FILES_FALSE}"; then
+  as_fn_error $? "conditional \"USE_FILES\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_WINHTTP_TRUE}" && test -z "${USE_WINHTTP_FALSE}"; then
   as_fn_error $? "conditional \"USE_WINHTTP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24210,6 +24581,10 @@ if test -z "${USE_NTRU_TRUE}" && test -z "${USE_NTRU_FALSE}"; then
   as_fn_error $? "conditional \"USE_NTRU\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_BLISS_TRUE}" && test -z "${USE_BLISS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_BLISS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then
   as_fn_error $? "conditional \"USE_STROKE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24270,10 +24645,6 @@ if test -z "${USE_DHCP_TRUE}" && test -z "${USE_DHCP_FALSE}"; then
   as_fn_error $? "conditional \"USE_DHCP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_UNIT_TESTS_TRUE}" && test -z "${USE_UNIT_TESTS_FALSE}"; then
-  as_fn_error $? "conditional \"USE_UNIT_TESTS\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_LOAD_TESTER_TRUE}" && test -z "${USE_LOAD_TESTER_FALSE}"; then
   as_fn_error $? "conditional \"USE_LOAD_TESTER\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24506,6 +24877,14 @@ if test -z "${USE_SOCKET_WIN_TRUE}" && test -z "${USE_SOCKET_WIN_FALSE}"; then
   as_fn_error $? "conditional \"USE_SOCKET_WIN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_CONNMARK_TRUE}" && test -z "${USE_CONNMARK_FALSE}"; then
+  as_fn_error $? "conditional \"USE_CONNMARK\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_FORECAST_TRUE}" && test -z "${USE_FORECAST_FALSE}"; then
+  as_fn_error $? "conditional \"USE_FORECAST\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_FARP_TRUE}" && test -z "${USE_FARP_FALSE}"; then
   as_fn_error $? "conditional \"USE_FARP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24518,6 +24897,10 @@ if test -z "${USE_UNITY_TRUE}" && test -z "${USE_UNITY_FALSE}"; then
   as_fn_error $? "conditional \"USE_UNITY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then
+  as_fn_error $? "conditional \"USE_RESOLVE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_ATTR_TRUE}" && test -z "${USE_ATTR_FALSE}"; then
   as_fn_error $? "conditional \"USE_ATTR\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24538,10 +24921,6 @@ if test -z "${USE_KERNEL_PFROUTE_TRUE}" && test -z "${USE_KERNEL_PFROUTE_FALSE}"
   as_fn_error $? "conditional \"USE_KERNEL_PFROUTE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then
-  as_fn_error $? "conditional \"USE_RESOLVE\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then
   as_fn_error $? "conditional \"USE_LEAK_DETECTIVE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24730,6 +25109,14 @@ if test -z "${USE_RUBY_GEMS_TRUE}" && test -z "${USE_RUBY_GEMS_FALSE}"; then
   as_fn_error $? "conditional \"USE_RUBY_GEMS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_PYTHON_EGGS_TRUE}" && test -z "${USE_PYTHON_EGGS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_PYTHON_EGGS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_PY_TEST_TRUE}" && test -z "${USE_PY_TEST_FALSE}"; then
+  as_fn_error $? "conditional \"USE_PY_TEST\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 
 : "${CONFIG_STATUS=./config.status}"
 ac_write_fail=0
@@ -25127,7 +25514,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.2.1, which was
+This file was extended by strongSwan $as_me 5.3.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -25193,7 +25580,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.2.1
+strongSwan config.status 5.3.0
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -25641,6 +26028,7 @@ do
     "src/libstrongswan/plugins/sshkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sshkey/Makefile" ;;
     "src/libstrongswan/plugins/pem/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pem/Makefile" ;;
     "src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;;
+    "src/libstrongswan/plugins/files/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/files/Makefile" ;;
     "src/libstrongswan/plugins/winhttp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/winhttp/Makefile" ;;
     "src/libstrongswan/plugins/unbound/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/unbound/Makefile" ;;
     "src/libstrongswan/plugins/soup/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/soup/Makefile" ;;
@@ -25658,15 +26046,15 @@ do
     "src/libstrongswan/plugins/gcm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcm/Makefile" ;;
     "src/libstrongswan/plugins/af_alg/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/af_alg/Makefile" ;;
     "src/libstrongswan/plugins/ntru/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ntru/Makefile" ;;
+    "src/libstrongswan/plugins/bliss/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/bliss/Makefile" ;;
+    "src/libstrongswan/plugins/bliss/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/bliss/tests/Makefile" ;;
     "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
     "src/libstrongswan/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/tests/Makefile" ;;
     "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;;
-    "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;;
-    "src/libhydra/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr_sql/Makefile" ;;
     "src/libhydra/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_netlink/Makefile" ;;
     "src/libhydra/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfkey/Makefile" ;;
     "src/libhydra/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfroute/Makefile" ;;
-    "src/libhydra/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/resolve/Makefile" ;;
+    "src/libhydra/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/tests/Makefile" ;;
     "src/libipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/libipsec/Makefile" ;;
     "src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;;
     "src/libtls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtls/Makefile" ;;
@@ -25726,6 +26114,8 @@ do
     "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;;
     "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;;
     "src/libcharon/plugins/socket_win/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_win/Makefile" ;;
+    "src/libcharon/plugins/connmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/connmark/Makefile" ;;
+    "src/libcharon/plugins/forecast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/forecast/Makefile" ;;
     "src/libcharon/plugins/farp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/farp/Makefile" ;;
     "src/libcharon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/smp/Makefile" ;;
     "src/libcharon/plugins/sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/sql/Makefile" ;;
@@ -25757,16 +26147,19 @@ do
     "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;;
     "src/libcharon/plugins/vici/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/Makefile" ;;
     "src/libcharon/plugins/vici/ruby/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/ruby/Makefile" ;;
+    "src/libcharon/plugins/vici/python/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/python/Makefile" ;;
     "src/libcharon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/updown/Makefile" ;;
     "src/libcharon/plugins/dhcp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/dhcp/Makefile" ;;
-    "src/libcharon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/unit_tester/Makefile" ;;
     "src/libcharon/plugins/load_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/load_tester/Makefile" ;;
+    "src/libcharon/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/resolve/Makefile" ;;
+    "src/libcharon/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/attr/Makefile" ;;
+    "src/libcharon/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/attr_sql/Makefile" ;;
+    "src/libcharon/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/tests/Makefile" ;;
     "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;;
     "src/ipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/ipsec/Makefile" ;;
     "src/starter/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/Makefile" ;;
     "src/starter/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/tests/Makefile" ;;
     "src/_updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown/Makefile" ;;
-    "src/_updown_espmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown_espmark/Makefile" ;;
     "src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;;
     "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;;
     "src/aikgen/Makefile") CONFIG_FILES="$CONFIG_FILES src/aikgen/Makefile" ;;
@@ -25794,6 +26187,7 @@ do
     "src/pki/man/pki---issue.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---issue.1" ;;
     "src/pki/man/pki---keyid.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---keyid.1" ;;
     "src/pki/man/pki---pkcs7.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---pkcs7.1" ;;
+    "src/pki/man/pki---pkcs12.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---pkcs12.1" ;;
     "src/pki/man/pki---print.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---print.1" ;;
     "src/pki/man/pki---pub.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---pub.1" ;;
     "src/pki/man/pki---req.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---req.1" ;;
diff --git a/configure.ac b/configure.ac
index 7a3c3281b..73c288495 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2007-2014 Tobias Brunner
+# Copyright (C) 2007-2015 Tobias Brunner
 # Copyright (C) 2006-2014 Andreas Steffen
 # Copyright (C) 2006-2014 Martin Willi
 # Hochschule fuer Technik Rapperswil
@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.2.1])
+AC_INIT([strongSwan],[5.3.0])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -69,6 +69,7 @@ ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant
 ARG_WITH_SET([dev-headers],          [no], [install strongSwan development headers to directory.])
 ARG_WITH_SET([printf-hooks],         [auto], [force the use of a specific printf hook implementation (auto, builtin, glibc, vstr).])
 ARG_WITH_SET([rubygemdir],           ["gem environment gemdir"], [path to install ruby gems to])
+ARG_WITH_SET([pythoneggdir],         ["main site-packages directory"], [path to install python eggs to to])
 
 if test -n "$PKG_CONFIG"; then
 	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
@@ -123,6 +124,7 @@ m4_include(m4/macros/enable-disable.m4)
 # crypto plugins
 ARG_DISBL_SET([aes],            [disable AES software implementation plugin.])
 ARG_ENABL_SET([af-alg],         [enable AF_ALG crypto interface to Linux Crypto API.])
+ARG_ENABL_SET([bliss],          [enable BLISS software implementation plugin.])
 ARG_ENABL_SET([blowfish],       [enable Blowfish software implementation plugin.])
 ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
 ARG_DISBL_SET([cmac],           [disable CMAC crypto implementation plugin.])
@@ -158,6 +160,7 @@ ARG_DISBL_SET([sshkey],         [disable SSH key decoding plugin.])
 ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
 # fetcher/resolver plugins
 ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
+ARG_ENABL_SET([files],          [enable simple file:// URI fetcher.])
 ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
 ARG_ENABL_SET([soup],           [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
 ARG_ENABL_SET([unbound],        [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.])
@@ -245,6 +248,8 @@ ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.
 # misc plugins
 ARG_ENABL_SET([android-log],    [enable Android specific logger plugin.])
 ARG_ENABL_SET([certexpire],     [enable CSV export of expiration dates of used certificates.])
+ARG_ENABL_SET([connmark],       [enable connmark plugin using conntrack based marks to select return path SA.])
+ARG_ENABL_SET([forecast],       [enable forecast plugin forwarding broadcast/multicast messages.])
 ARG_ENABL_SET([duplicheck],     [advanced duplicate checking plugin using liveness checks.])
 ARG_ENABL_SET([error-notify],   [enable error notification plugin.])
 ARG_ENABL_SET([farp],           [enable ARP faking plugin that responds to ARP requests to peers virtual IP])
@@ -256,7 +261,6 @@ ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
 ARG_ENABL_SET([radattr],        [enable plugin to inject and process custom RADIUS attributes as IKEv2 client.])
 ARG_ENABL_SET([systime-fix],    [enable plugin to handle cert lifetimes with invalid system time gracefully.])
 ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
-ARG_ENABL_SET([unit-tester],    [enable unit tests on IKEv2 daemon startup.])
 ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
 # programs/components
 ARG_ENABL_SET([aikgen],         [enable AIK generator.])
@@ -287,6 +291,7 @@ ARG_DISBL_SET([load-warning],   [disable the charon plugin load option warning i
 ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
 ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.])
 ARG_ENABL_SET([ruby-gems],      [enable installation of provided ruby gems.])
+ARG_ENABL_SET([python-eggs],    [enable installation of provided python eggs.])
 # compile options
 ARG_ENABL_SET([coverage],       [enable lcov coverage report generation.])
 ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
@@ -1076,6 +1081,12 @@ if test x$xauth_pam = xtrue; then
 	AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
 fi
 
+if test x$connmark = xtrue -o x$forecast = xtrue; then
+	PKG_CHECK_MODULES(libiptc, [libiptc])
+	AC_SUBST(libiptc_CFLAGS)
+	AC_SUBST(libiptc_LIBS)
+fi
+
 if test x$capabilities = xnative; then
 	AC_MSG_NOTICE([Usage of the native Linux capabilities interface is deprecated, use libcap instead])
 	# Linux requires the following for capset(), Android does not have it,
@@ -1177,6 +1188,19 @@ if test x$ruby_gems = xtrue; then
 	AC_SUBST(RUBYGEMDIR, "$rubygemdir")
 fi
 
+if test x$python_eggs = xtrue; then
+	AC_PATH_PROG([EASY_INSTALL], [easy_install], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+	if test x$EASY_INSTALL = x; then
+		AC_MSG_ERROR(Python easy_install not found)
+	fi
+	if test "x$pythoneggdir" = "xmain site-packages directory"; then
+		AC_SUBST(PYTHONEGGINSTALLDIR, "")
+	else
+		AC_SUBST(PYTHONEGGINSTALLDIR, "--install-dir $pythoneggdir")
+	fi
+	AC_PATH_PROG([PY_TEST], [py.test], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+fi
+
 # ===============================================
 #  collect plugin list for strongSwan components
 # ===============================================
@@ -1207,8 +1231,6 @@ t_plugins=
 ADD_PLUGIN([test-vectors],         [s charon scepclient pki])
 ADD_PLUGIN([unbound],              [s charon scripts])
 ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm cmd])
-ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
-ADD_PLUGIN([sqlite],               [s charon pool manager medsrv attest])
 ADD_PLUGIN([pkcs11],               [s charon pki nm cmd])
 ADD_PLUGIN([aes],                  [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([des],                  [s charon scepclient pki scripts nm cmd])
@@ -1246,16 +1268,20 @@ ADD_PLUGIN([agent],                [s charon nm cmd])
 ADD_PLUGIN([keychain],             [s charon cmd])
 ADD_PLUGIN([xcbc],                 [s charon nm cmd])
 ADD_PLUGIN([cmac],                 [s charon nm cmd])
-ADD_PLUGIN([hmac],                 [s charon scripts nm cmd])
+ADD_PLUGIN([hmac],                 [s charon pki scripts nm cmd])
 ADD_PLUGIN([ctr],                  [s charon scripts nm cmd])
 ADD_PLUGIN([ccm],                  [s charon scripts nm cmd])
 ADD_PLUGIN([gcm],                  [s charon scripts nm cmd])
 ADD_PLUGIN([ntru],                 [s charon scripts nm cmd])
+ADD_PLUGIN([bliss],                [s charon pki scripts nm cmd])
 ADD_PLUGIN([curl],                 [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([files],                [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([winhttp],              [s charon pki scripts])
 ADD_PLUGIN([soup],                 [s charon pki scripts nm cmd])
-ADD_PLUGIN([attr],                 [h charon])
-ADD_PLUGIN([attr-sql],             [h charon])
+ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
+ADD_PLUGIN([sqlite],               [s charon pool manager medsrv attest])
+ADD_PLUGIN([attr],                 [c charon])
+ADD_PLUGIN([attr-sql],             [c charon])
 ADD_PLUGIN([load-tester],          [c charon])
 ADD_PLUGIN([kernel-libipsec],      [c charon cmd])
 ADD_PLUGIN([kernel-wfp],           [c charon])
@@ -1263,10 +1289,12 @@ ADD_PLUGIN([kernel-iph],           [c charon])
 ADD_PLUGIN([kernel-pfkey],         [h charon starter nm cmd])
 ADD_PLUGIN([kernel-pfroute],       [h charon starter nm cmd])
 ADD_PLUGIN([kernel-netlink],       [h charon starter nm cmd])
-ADD_PLUGIN([resolve],              [h charon cmd])
+ADD_PLUGIN([resolve],              [c charon cmd])
 ADD_PLUGIN([socket-default],       [c charon nm cmd])
 ADD_PLUGIN([socket-dynamic],       [c charon cmd])
 ADD_PLUGIN([socket-win],           [c charon])
+ADD_PLUGIN([connmark],             [c charon])
+ADD_PLUGIN([forecast],             [c charon])
 ADD_PLUGIN([farp],                 [c charon])
 ADD_PLUGIN([stroke],               [c charon])
 ADD_PLUGIN([vici],                 [c charon])
@@ -1324,7 +1352,6 @@ ADD_PLUGIN([maemo],                [c charon])
 ADD_PLUGIN([uci],                  [c charon])
 ADD_PLUGIN([addrblock],            [c charon])
 ADD_PLUGIN([unity],                [c charon])
-ADD_PLUGIN([unit-tester],          [c charon])
 
 AC_SUBST(charon_plugins)
 AC_SUBST(starter_plugins)
@@ -1352,6 +1379,7 @@ AC_SUBST(t_plugins)
 # -----------------------
 AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue)
 AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
+AM_CONDITIONAL(USE_FILES, test x$files = xtrue)
 AM_CONDITIONAL(USE_WINHTTP, test x$winhttp = xtrue)
 AM_CONDITIONAL(USE_UNBOUND, test x$unbound = xtrue)
 AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue)
@@ -1398,6 +1426,7 @@ AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
 AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
 AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
 AM_CONDITIONAL(USE_NTRU, test x$ntru = xtrue)
+AM_CONDITIONAL(USE_BLISS, test x$bliss = xtrue)
 
 #  charon plugins
 # ----------------
@@ -1416,7 +1445,6 @@ AM_CONDITIONAL(USE_DNSCERT, test x$dnscert = xtrue)
 AM_CONDITIONAL(USE_IPSECKEY, test x$ipseckey = xtrue)
 AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
 AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
-AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
 AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
 AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
 AM_CONDITIONAL(USE_KERNEL_LIBIPSEC, test x$kernel_libipsec = xtrue)
@@ -1475,18 +1503,20 @@ AM_CONDITIONAL(USE_IMV_SWID, test x$imv_swid = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
 AM_CONDITIONAL(USE_SOCKET_WIN, test x$socket_win = xtrue)
+AM_CONDITIONAL(USE_CONNMARK, test x$connmark = xtrue)
+AM_CONDITIONAL(USE_FORECAST, test x$forecast = xtrue)
 AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
 AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
 AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue)
+AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
+AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
+AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
 
 #  hydra plugins
 # ---------------
-AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
-AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
 AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
-AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
 
 #  other options
 # ---------------
@@ -1537,6 +1567,8 @@ AM_CONDITIONAL(USE_SVC, test x$svc = xtrue)
 AM_CONDITIONAL(USE_SYSTEMD, test x$systemd = xtrue)
 AM_CONDITIONAL(USE_LEGACY_SYSTEMD, test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno)
 AM_CONDITIONAL(USE_RUBY_GEMS, test x$ruby_gems = xtrue)
+AM_CONDITIONAL(USE_PYTHON_EGGS, test x$python_eggs = xtrue)
+AM_CONDITIONAL(USE_PY_TEST, test "x$PY_TEST" != x)
 
 # ========================
 #  set global definitions
@@ -1624,6 +1656,7 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/sshkey/Makefile
 	src/libstrongswan/plugins/pem/Makefile
 	src/libstrongswan/plugins/curl/Makefile
+	src/libstrongswan/plugins/files/Makefile
 	src/libstrongswan/plugins/winhttp/Makefile
 	src/libstrongswan/plugins/unbound/Makefile
 	src/libstrongswan/plugins/soup/Makefile
@@ -1641,15 +1674,15 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/gcm/Makefile
 	src/libstrongswan/plugins/af_alg/Makefile
 	src/libstrongswan/plugins/ntru/Makefile
+	src/libstrongswan/plugins/bliss/Makefile
+	src/libstrongswan/plugins/bliss/tests/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
 	src/libstrongswan/tests/Makefile
 	src/libhydra/Makefile
-	src/libhydra/plugins/attr/Makefile
-	src/libhydra/plugins/attr_sql/Makefile
 	src/libhydra/plugins/kernel_netlink/Makefile
 	src/libhydra/plugins/kernel_pfkey/Makefile
 	src/libhydra/plugins/kernel_pfroute/Makefile
-	src/libhydra/plugins/resolve/Makefile
+	src/libhydra/tests/Makefile
 	src/libipsec/Makefile
 	src/libsimaka/Makefile
 	src/libtls/Makefile
@@ -1709,6 +1742,8 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/socket_default/Makefile
 	src/libcharon/plugins/socket_dynamic/Makefile
 	src/libcharon/plugins/socket_win/Makefile
+	src/libcharon/plugins/connmark/Makefile
+	src/libcharon/plugins/forecast/Makefile
 	src/libcharon/plugins/farp/Makefile
 	src/libcharon/plugins/smp/Makefile
 	src/libcharon/plugins/sql/Makefile
@@ -1740,16 +1775,19 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/stroke/Makefile
 	src/libcharon/plugins/vici/Makefile
 	src/libcharon/plugins/vici/ruby/Makefile
+	src/libcharon/plugins/vici/python/Makefile
 	src/libcharon/plugins/updown/Makefile
 	src/libcharon/plugins/dhcp/Makefile
-	src/libcharon/plugins/unit_tester/Makefile
 	src/libcharon/plugins/load_tester/Makefile
+	src/libcharon/plugins/resolve/Makefile
+	src/libcharon/plugins/attr/Makefile
+	src/libcharon/plugins/attr_sql/Makefile
+	src/libcharon/tests/Makefile
 	src/stroke/Makefile
 	src/ipsec/Makefile
 	src/starter/Makefile
 	src/starter/tests/Makefile
 	src/_updown/Makefile
-	src/_updown_espmark/Makefile
 	src/_copyright/Makefile
 	src/scepclient/Makefile
 	src/aikgen/Makefile
@@ -1784,6 +1822,7 @@ AC_CONFIG_FILES([
 	src/pki/man/pki---issue.1
 	src/pki/man/pki---keyid.1
 	src/pki/man/pki---pkcs7.1
+	src/pki/man/pki---pkcs12.1
 	src/pki/man/pki---print.1
 	src/pki/man/pki---pub.1
 	src/pki/man/pki---req.1
diff --git a/init/Makefile.in b/init/Makefile.in
index 3da1e6514..18c69f1b0 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -204,6 +204,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -264,10 +265,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -341,6 +344,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/init/systemd-swanctl/Makefile.in b/init/systemd-swanctl/Makefile.in
index 14089c479..28cedbda8 100644
--- a/init/systemd-swanctl/Makefile.in
+++ b/init/systemd-swanctl/Makefile.in
@@ -172,6 +172,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -232,10 +233,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -309,6 +312,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index a8c7af61c..808023eb2 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -172,6 +172,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -232,10 +233,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -309,6 +312,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/man/Makefile.in b/man/Makefile.in
index 08aee19c0..501361003 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -178,6 +178,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -238,10 +239,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -315,6 +318,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index fe37dff83..39c3b2b79 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -23,8 +23,7 @@ as are empty lines which are not within a section.
 A line which contains
 .B include
 and a file name, separated by white space,
-is replaced by the contents of that file,
-preceded and followed by empty lines.
+is replaced by the contents of that file.
 If the file name is not a full pathname,
 it is considered to be relative to the directory containing the
 including file.
@@ -61,12 +60,9 @@ indicates what type of section follows, and
 .I name
 is an arbitrary name which distinguishes the section from others
 of the same type.
-Names must start with a letter and may contain only
-letters, digits, periods, underscores, and hyphens.
 All subsequent non-empty lines
-which begin with white space are part of the section;
-comments within a section must begin with white space too.
-There may be only one section of a given type with a given name.
+which begin with white space are part of the section.
+Sections of the same type that share the same name are merged.
 .PP
 Lines within the section are generally of the form
 .PP
@@ -75,24 +71,30 @@ Lines within the section are generally of the form
 (note the mandatory preceding white space).
 There can be white space on either side of the
 .BR = .
-Parameter names follow the same syntax as section names,
-and are specific to a section type.
-Unless otherwise explicitly specified,
-no parameter name may appear more than once in a section.
+Parameter names are specific to a section type.
 .PP
 An empty
 .I value
 stands for the system default value (if any) of the parameter,
-i.e. it is roughly equivalent to omitting the parameter line entirely.
+i.e. it is roughly equivalent to omitting the parameter line entirely. This may
+be useful to clear a setting inherited from a
+.B %default
+section or via
+.B also
+parameter (see below).
 A
 .I value
-may contain white space only if the entire
-.I value
-is enclosed in double quotes (\fB"\fR);
-a
+may contain single spaces (additional white space is reduced to one space).
+To preserve white space as written enclose the entire
 .I value
-cannot itself contain a double quote,
-nor may it be continued across more than one line.
+in double quotes (\fB"\fR); in such values double quotes themselves may be
+escaped by prefixing them with
+.B \\\\
+characters. A double-quoted string may span multiple lines by ending them with
+.B \\\\
+characters (following lines don't have to begin with white space, as that will
+be preserved). Additionally, the following control characters may be encoded in
+double-quoted strings: \\n, \\r, \\t, \\b, \\f.
 .PP
 Numeric values are specified to be either an ``integer''
 (a sequence of digits) or a ``decimal number''
@@ -102,38 +104,24 @@ There is currently one parameter which is available in any type of
 section:
 .TP
 .B also
-the value is a section name;
-the parameters of that section are appended to this section,
-as if they had been written as part of it.
-The specified section must exist, must follow the current one,
-and must have the same section type.
-(Nesting is permitted,
-and there may be more than one
+the value is a section name; the parameters of that section are inherited by
+the current section. Parameters in the current section always override inherited
+parameters, even if an
+.B also
+follows after them.
+The specified section must exist and must have the same section type; it doesn't
+if it is defined before or after the current section.
+Nesting is permitted, and there may be more than one
+.B also
+in a single section (parameters from referenced sections are inherited and
+overridden in the order of these
 .B also
-in a single section,
-although it is forbidden to append the same section more than once.)
+parameters).
 .PP
 A section with name
 .B %default
-specifies defaults for sections of the same type.
-For each parameter in it,
-any section of that type which does not have a parameter of the same name
-gets a copy of the one from the
-.B %default
-section.
-There may be multiple
-.B %default
-sections of a given type,
-but only one default may be supplied for any specific parameter name,
-and all
-.B %default
-sections of a given type must precede all non-\c
-.B %default
-sections of that type.
-.B %default
-sections may not contain the
-.B also
-parameter.
+specifies defaults for sections of the same type. All parameters in it, are
+inherited by all other sections of that type.
 .PP
 Currently there are three types of sections:
 a
@@ -446,19 +434,20 @@ This may help to surmount restrictive firewalls. In order to force the peer to
 encapsulate packets, NAT detection payloads are faked.
 .TP
 .BR fragmentation " = yes | force | " no
-whether to use IKE fragmentation (proprietary IKEv1 extension).  Acceptable
-values are
+whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2
+fragmentation as per RFC 7383).  Acceptable values are
 .BR yes ,
 .B force
 and
 .B no
-(the default). Fragmented messages sent by a peer are always accepted
+(the default). Fragmented IKE messages sent by a peer are always accepted
 irrespective of the value of this option. If set to
 .BR yes ,
 and the peer supports it, larger IKE messages will be sent in fragments.
 If set to
 .B force
-the initial IKE message will already be fragmented if required.
+(only supported for IKEv1) the initial IKE message will already be fragmented
+if required.
 .TP
 .BR ike " = <cipher suites>"
 comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
@@ -583,6 +572,7 @@ for pre-shared key authentication,
 to (require the) use of the Extensible Authentication Protocol in IKEv2, and
 .B xauth
 for IKEv1 eXtended Authentication.
+
 To require a trustchain public key strength for the remote side, specify the
 key type followed by the minimum strength in bits (for example
 .BR ecdsa-384
@@ -595,6 +585,20 @@ or a key strength definition (for example
 .BR pubkey-sha1-sha256
 or
 .BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ).
+Unless disabled in
+.BR strongswan.conf (5)
+such key types and hash algorithms are also applied as constraints against IKEv2
+signature authentication schemes used by the remote side.
+
+If both peers support RFC 7427 ("Signature Authentication in IKEv2") specific
+hash algorithms to be used during IKEv2 authentication may be configured.
+The syntax is the same as above. For example, with
+.B pubkey-sha384-sha256
+a public key signature scheme with either SHA-384 or SHA-256 would get used for
+authentication, in that order and depending on the hash algorithms supported by
+the peer.  If no specific hash algorithms are configured, the default is to
+prefer an algorithm that matches or exceeds the strength of the signature key.
+
 For
 .BR eap ,
 an optional EAP method can be appended. Currently defined methods are
@@ -613,7 +617,9 @@ Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
 EAP methods are defined in the form
 .B eap-type-vendor
 .RB "(e.g. " eap-7-12345 ).
-For
+To specify signature and trust chain constraints for EAP-(T)TLS, append a colon
+to the EAP method, followed by the key type/size and hash algorithm as discussed
+above. For
 .B xauth,
 an XAuth authentication backend can be specified, such as
 .B xauth-generic
@@ -750,11 +756,36 @@ defaults to
 .B left
 or the subject of the certificate configured with
 .BR leftcert .
-Can be an IP address, a fully-qualified domain name, an email address, or
-a keyid. If
+If
 .B leftcert
 is configured the identity has to be confirmed by the certificate.
 
+Can be an IP address, a fully-qualified domain name, an email address or a
+Distinguished Name for which the ID type is determined automatically and the
+string is converted to the appropriate encoding. To enforce a specific identity
+type, a prefix may be used, followed by a colon (:). If the number sign (#)
+follows the colon, the remaining data is interpreted as hex encoding, otherwise
+the string is used as-is as the identification data. Note that this implies
+that no conversion is performed for non-string identities. For example,
+\fIipv4:10.0.0.1\fP does not create a valid ID_IPV4_ADDR IKE identity, as it
+does not get converted to binary 0x0a000001. Instead, one could use
+\fIipv4:#0a000001\fP to get a valid identity, but just using the implicit type
+with automatic conversion is usually simpler. The same applies to the ASN1
+encoded types. The following prefixes are known:
+.BR ipv4 ,
+.BR ipv6 ,
+.BR rfc822 ,
+.BR email ,
+.BR userfqdn ,
+.BR fqdn ,
+.BR dns ,
+.BR asn1dn ,
+.B asn1gn
+and
+.BR keyid .
+Custom type prefixes may be specified by surrounding the numerical type value by
+curly brackets.
+
 For IKEv2 and
 .B rightid
 the prefix
@@ -828,13 +859,15 @@ an address of the given address family will be requested explicitly.
 If an IP address is configured, it will be requested from the responder,
 which is free to respond with a different address.
 .TP
-.BR rightsourceip " = %config | <network>/<netmask> | %poolname"
+.BR rightsourceip " = %config | <network>/<netmask> | <from>-<to> | %poolname"
 Comma separated list of internal source IPs to use in a tunnel for the remote
 peer. If the value is
 .B %config
 on the responder side, the initiator must propose an address which is then
 echoed back. Also supported are address pools expressed as
 \fInetwork\fB/\fInetmask\fR
+and
+\fIfrom\fB-\fIto\fR
 or the use of an external IP address pool using %\fIpoolname\fR,
 where \fIpoolname\fR is the name of the IP address pool used for the lookup.
 .TP
@@ -959,7 +992,9 @@ sets an XFRM mark in the inbound and outbound
 IPsec SAs and policies. If the mask is missing then a default
 mask of
 .B 0xffffffff
-is assumed.
+is assumed. The special value
+.B %unique
+assigns a unique value to each newly created IPsec SA.
 .TP
 .BR mark_in " = <value>[/<mask>]"
 sets an XFRM mark in the inbound IPsec SA and
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 811dc2919..d28783b4c 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -279,6 +279,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -339,10 +340,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -416,6 +419,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
index 8a782d80b..0643ea92a 100644
--- a/scripts/dh_speed.c
+++ b/scripts/dh_speed.c
@@ -15,6 +15,7 @@
 
 #include <stdio.h>
 #include <time.h>
+#include <assert.h>
 #include <library.h>
 #include <utils/debug.h>
 #include <crypto/diffie_hellman.h>
@@ -88,16 +89,16 @@ static void run_test(diffie_hellman_group_t group, int rounds)
 
 	for (round = 0; round < rounds; round++)
 	{
-		l[round]->get_my_public_value(l[round], &chunk);
-		r->set_other_public_value(r, chunk);
+		assert(l[round]->get_my_public_value(l[round], &chunk));
+		assert(r->set_other_public_value(r, chunk));
 		chunk_free(&chunk);
 	}
 
-	r->get_my_public_value(r, &chunk);
+	assert(r->get_my_public_value(r, &chunk));
 	start_timing(&timing);
 	for (round = 0; round < rounds; round++)
 	{
-		l[round]->set_other_public_value(l[round], chunk);
+		assert(l[round]->set_other_public_value(l[round], chunk));
 	}
 	printf(" | S = B^a/s: %8.1f\n", rounds / end_timing(&timing));
 	chunk_free(&chunk);
@@ -143,4 +144,3 @@ int main(int argc, char *argv[])
 	}
 	return 0;
 }
-
diff --git a/src/Makefile.am b/src/Makefile.am
index 38363d4f7..9608a3a13 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -69,7 +69,7 @@ if USE_STROKE
 endif
 
 if USE_UPDOWN
-  SUBDIRS += _updown _updown_espmark
+  SUBDIRS += _updown
 endif
 
 if USE_SCEPCLIENT
diff --git a/src/Makefile.in b/src/Makefile.in
index 2dd046042..7596e7e55 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -94,7 +94,7 @@ host_triplet = @host@
 @USE_SYSTEMD_TRUE@am__append_15 = charon-systemd
 @USE_NM_TRUE@am__append_16 = charon-nm
 @USE_STROKE_TRUE@am__append_17 = stroke
-@USE_UPDOWN_TRUE@am__append_18 = _updown _updown_espmark
+@USE_UPDOWN_TRUE@am__append_18 = _updown
 @USE_SCEPCLIENT_TRUE@am__append_19 = scepclient
 @USE_PKI_TRUE@am__append_20 = pki
 @USE_SWANCTL_TRUE@am__append_21 = swanctl
@@ -187,9 +187,9 @@ CTAGS = ctags
 DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \
 	libtls libradius libtncif libtnccs libpttls libimcv libcharon \
 	starter ipsec _copyright charon charon-systemd charon-nm \
-	stroke _updown _updown_espmark scepclient pki swanctl conftest \
-	dumm libfast manager medsrv pool charon-tkm charon-cmd \
-	charon-svc pt-tls-client checksum aikgen
+	stroke _updown scepclient pki swanctl conftest dumm libfast \
+	manager medsrv pool charon-tkm charon-cmd charon-svc \
+	pt-tls-client checksum aikgen
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -241,6 +241,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -301,10 +302,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -378,6 +381,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index a17bbcc1a..2a4838c9a 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -195,6 +195,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -255,10 +256,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -332,6 +335,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/_updown/Makefile.am b/src/_updown/Makefile.am
index b6a81f547..32fa0423a 100644
--- a/src/_updown/Makefile.am
+++ b/src/_updown/Makefile.am
@@ -1,6 +1,5 @@
 ipsec_SCRIPTS = _updown
 CLEANFILES = _updown
-dist_man8_MANS = _updown.8
 EXTRA_DIST = _updown.in
 
 _updown : _updown.in
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index a215a2548..fe31dff64 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -79,8 +79,7 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 subdir = src/_updown
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
-	$(dist_man8_MANS)
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -125,7 +124,7 @@ am__uninstall_files_from_dir = { \
     || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
          $(am__cd) "$$dir" && rm -f $$files; }; \
   }
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(ipsecdir)"
 SCRIPTS = $(ipsec_SCRIPTS)
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -146,9 +145,6 @@ am__can_run_installinfo = \
     n|no|NO) false;; \
     *) (install-info --version) >/dev/null 2>&1;; \
   esac
-man8dir = $(mandir)/man8
-NROFF = nroff
-MANS = $(dist_man8_MANS)
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
@@ -176,6 +172,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -236,10 +233,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -313,6 +312,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -373,7 +374,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 ipsec_SCRIPTS = _updown
 CLEANFILES = _updown
-dist_man8_MANS = _updown.8
 EXTRA_DIST = _updown.in
 all: all-am
 
@@ -449,47 +449,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man8: $(dist_man8_MANS)
-	@$(NORMAL_INSTALL)
-	@list1='$(dist_man8_MANS)'; \
-	list2=''; \
-	test -n "$(man8dir)" \
-	  && test -n "`echo $$list1$$list2`" \
-	  || exit 0; \
-	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
-	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
-	{ for i in $$list1; do echo "$$i"; done;  \
-	if test -n "$$list2"; then \
-	  for i in $$list2; do echo "$$i"; done \
-	    | sed -n '/\.8[a-z]*$$/p'; \
-	fi; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man8:
-	@$(NORMAL_UNINSTALL)
-	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
 tags TAGS:
 
 ctags CTAGS:
@@ -529,9 +488,9 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(SCRIPTS) $(MANS)
+all-am: Makefile $(SCRIPTS)
 installdirs:
-	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
+	for dir in "$(DESTDIR)$(ipsecdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -585,7 +544,7 @@ info: info-am
 
 info-am:
 
-install-data-am: install-ipsecSCRIPTS install-man
+install-data-am: install-ipsecSCRIPTS
 
 install-dvi: install-dvi-am
 
@@ -601,7 +560,7 @@ install-info: install-info-am
 
 install-info-am:
 
-install-man: install-man8
+install-man:
 
 install-pdf: install-pdf-am
 
@@ -629,9 +588,7 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-ipsecSCRIPTS uninstall-man
-
-uninstall-man: uninstall-man8
+uninstall-am: uninstall-ipsecSCRIPTS
 
 .MAKE: install-am install-strip
 
@@ -641,13 +598,12 @@ uninstall-man: uninstall-man8
 	install install-am install-data install-data-am install-dvi \
 	install-dvi-am install-exec install-exec-am install-html \
 	install-html-am install-info install-info-am \
-	install-ipsecSCRIPTS install-man install-man8 install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
+	install-ipsecSCRIPTS install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-generic \
 	mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
-	uninstall-am uninstall-ipsecSCRIPTS uninstall-man \
-	uninstall-man8
+	uninstall-am uninstall-ipsecSCRIPTS
 
 
 _updown : _updown.in
diff --git a/src/_updown/_updown.8 b/src/_updown/_updown.8
deleted file mode 100644
index 8c88e5fb8..000000000
--- a/src/_updown/_updown.8
+++ /dev/null
@@ -1,16 +0,0 @@
-.TH _UPDOWN 8 "27 Apr 2006"
-.SH NAME
-ipsec _updown \- route and firewall manipulation script
-.SH SYNOPSIS
-.I _updown
-is invoked by pluto when it has brought up a new connection. This script
-is used to insert the appropriate routing entries for IPsec operation.
-It can also be used to insert and delete dynamic iptables firewall rules.
-The interface to the script is documented in the pluto man page.
-.SH "SEE ALSO"
-ipsec(8), ipsec_pluto(8).
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
-by Michael Richardson. Original program written by Henry Spencer. Extended
-for the Linux strongSwan project <http://www.strongswan.org/> by Andreas
-Steffen.
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 532bd2437..4090fe074 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
 # that, and use the (left/right)updown parameters in ipsec.conf to make
 # strongSwan use yours instead of this default one.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -128,7 +126,7 @@
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
 export PATH
 
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
 VPN_LOGGING=1
 #
 # tag put in front of each log entry:
@@ -142,21 +140,11 @@ FAC_PRIO=local0.notice
 #
 # local0.notice                   -/var/log/vpn
 
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=@routing_table@
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=@routing_table_prio@
-
 # check interface version
 case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+1.[0|1])	# Older release?!?  Play it safe, script may be using new features.
 	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
+	echo "$0: 	called by obsolete release?" >&2
 	exit 2
 	;;
 1.*)	;;
@@ -178,120 +166,9 @@ custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 esac
 
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
-
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 
 # use protocol specific options to set ports
 case "$PLUTO_MY_PROTOCOL" in
@@ -334,59 +211,7 @@ fi
 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
 
-# the big choice
 case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
@@ -567,16 +392,6 @@ down-client:iptables)
 #
 # IPv6
 #
-prepare-host-v6:*|prepare-client-v6:*)
-	;;
-route-host-v6:*|route-client-v6:*)
-	# connection to me or my client subnet being routed
-	#uproute_v6
-	;;
-unroute-host-v6:*|unroute-client-v6:*)
-	# connection to me or my client subnet being unrouted
-	#downroute_v6
-	;;
 up-host-v6:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
diff --git a/src/_updown_espmark/Makefile.am b/src/_updown_espmark/Makefile.am
deleted file mode 100644
index 456702690..000000000
--- a/src/_updown_espmark/Makefile.am
+++ /dev/null
@@ -1,2 +0,0 @@
-dist_ipsec_SCRIPTS = _updown_espmark
-dist_man8_MANS = _updown_espmark.8
diff --git a/src/_updown_espmark/_updown_espmark b/src/_updown_espmark/_updown_espmark
deleted file mode 100644
index 864a91708..000000000
--- a/src/_updown_espmark/_updown_espmark
+++ /dev/null
@@ -1,438 +0,0 @@
-#! /bin/sh
-# iproute2 version, default updown script
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005      Andreas Steffen <andreas.steffen@strongsec.com>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-
-
-# CAUTION:  Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make.  If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# FreeS/WAN use yours instead of this default one.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-#
-#      PLUTO_VERSION
-#              indicates  what  version of this interface is being
-#              used.  This document describes version  1.1.   This
-#              is upwardly compatible with version 1.0.
-#
-#       PLUTO_VERB
-#              specifies the name of the operation to be performed
-#              (prepare-host, prepare-client, up-host, up-client,
-#              down-host, or down-client).  If the address family
-#              for security gateway to security gateway communica-
-#              tions is IPv6, then a suffix of -v6 is added to the
-#              verb.
-#
-#       PLUTO_CONNECTION
-#              is the name of the  connection  for  which  we  are
-#              routing.
-#
-#       PLUTO_INTERFACE
-#              is the name of the ipsec interface to be used.
-#
-#       PLUTO_ME
-#              is the IP address of our host.
-#
-#       PLUTO_MY_ID
-#              is the ID of our host.
-#
-#       PLUTO_MY_CLIENT
-#              is the IP address / count of our client subnet.  If
-#              the  client  is  just  the  host,  this will be the
-#              host's own IP address / max (where max  is  32  for
-#              IPv4 and 128 for IPv6).
-#
-#       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
-#
-#       PLUTO_MY_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_MY_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
-#
-#       PLUTO_PEER
-#              is the IP address of our peer.
-#
-#       PLUTO_PEER_ID
-#              is the ID of our peer.
-#
-#       PLUTO_PEER_CLIENT
-#              is the IP address / count of the peer's client sub-
-#              net.   If the client is just the peer, this will be
-#              the peer's own IP address / max (where  max  is  32
-#              for IPv4 and 128 for IPv6).
-#
-#       PLUTO_PEER_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_PEER_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
-#
-#       PLUTO_XAUTH_ID
-#              is an optional user ID employed by the XAUTH protocol
-#
-#       PLUTO_MARK_IN
-#              is an optional XFRM mark set on the inbound IPsec SA
-#
-#       PLUTO_MARK_OUT
-#              is an optional XFRM mark set on the outbound IPsec SA
-#
-#       PLUTO_UDP_ENC
-#              contains the remote UDP port in the case of ESP_IN_UDP
-#              encapsulation
-#
-
-# logging of VPN connections
-#
-# tag put in front of each log entry:
-TAG=vpn
-#
-# syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice                   -/var/log/vpn
-#
-
-# check interface version
-case "$PLUTO_VERSION" in
-1.[0])	# Older Pluto?!?  Play it safe, script may be using new features.
-	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
-	exit 2
-	;;
-1.*)	;;
-*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
-	exit 2
-	;;
-esac
-
-# check parameter(s)
-case "$1:$*" in
-':')			# no parameters
-	;;
-ipfwadm:ipfwadm)	# due to (left/right)firewall; for default script only
-	;;
-custom:*)		# custom parameters (see above CAUTION comment)
-	;;
-*)	echo "$0: unknown parameters \`$*'" >&2
-	exit 2
-	;;
-esac
-
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-	parms="$PLUTO_PEER_CLIENT"
-
-	parms2=
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	   parms2="via $PLUTO_NEXT_HOP"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-            for dir in /etc/sysconfig /etc/conf.d; do
-                if [ -f "$dir/defaultsource" ]
-                then
-                    . "$dir/defaultsource"
-                fi
-            done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	parms3=
-	if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
-	then
-	    addsource
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
-	fi
-
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# define ESP mark
-ESP_MARK=50
-
-# add the following static rule to the INPUT chain in the mangle table
-# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
-
-# NAT traversal via UDP encapsulation is supported with the rule
-# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
-
-# in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	CHECK_MARK=""
-else
-	CHECK_MARK="-m mark --mark $ESP_MARK"
-fi
-
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-# the big choice
-case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
-up-host:*)
-	# connection to me coming up
-	# If you are doing a custom version, firewall commands go here.
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-	    -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT \
-	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-	#
-	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	then
-	  logger -t $TAG -p $FAC_PRIO \
-	    "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
-	else
-	  logger -t $TAG -p $FAC_PRIO \
-	    "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-	fi
-	;;
-down-host:*)
-	# connection to me going down
-	# If you are doing a custom version, firewall commands go here.
-	# connection to me going down
-	# If you are doing a custom version, firewall commands go here.
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-	    -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT \
-	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-	#
-	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	then
-	  logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
-	else
-	  logger -t $TAG -p $FAC_PRIO -- \
-	  "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-	fi
-	;;
-up-client:)
-	# connection to my client subnet coming up
-	# If you are doing a custom version, firewall commands go here.
-	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-	    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-	       $CHECK_MARK -j ACCEPT
-	#
-	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	then
-	  logger -t $TAG -p $FAC_PRIO \
-	    "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	else
-	  logger -t $TAG -p $FAC_PRIO \
-	    "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	fi
-	;;
-down-client:)
-	# connection to my client subnet going down
-	# If you are doing a custom version, firewall commands go here.
-	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-	    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-	       $CHECK_MARK -j ACCEPT
-	#
-	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	then
-	  logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	else
-	  logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	fi
-	;;
-up-client:ipfwadm)
-	# connection to client subnet, with (left/right)firewall=yes, coming up
-	# This is used only by the default updown script, not by your custom
-	# ones, so do not mess with it; see CAUTION comment up at top.
-	ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
-	;;
-down-client:ipfwadm)
-	# connection to client subnet, with (left/right)firewall=yes, going down
-	# This is used only by the default updown script, not by your custom
-	# ones, so do not mess with it; see CAUTION comment up at top.
-	ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
-	;;
-#
-# IPv6
-#
-prepare-host-v6:*|prepare-client-v6:*)
-	;;
-route-host-v6:*|route-client-v6:*)
-	# connection to me or my client subnet being routed
-	#uproute_v6
-	;;
-unroute-host-v6:*|unroute-client-v6:*)
-	# connection to me or my client subnet being unrouted
-	#downroute_v6
-	;;
-up-host-v6:*)
-	# connection to me coming up
-	# If you are doing a custom version, firewall commands go here.
-	;;
-down-host-v6:*)
-	# connection to me going down
-	# If you are doing a custom version, firewall commands go here.
-	;;
-up-client-v6:)
-	# connection to my client subnet coming up
-	# If you are doing a custom version, firewall commands go here.
-	;;
-down-client-v6:)
-	# connection to my client subnet going down
-	# If you are doing a custom version, firewall commands go here.
-	;;
-*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
-	exit 1
-	;;
-esac
diff --git a/src/_updown_espmark/_updown_espmark.8 b/src/_updown_espmark/_updown_espmark.8
deleted file mode 100644
index 34383cb8e..000000000
--- a/src/_updown_espmark/_updown_espmark.8
+++ /dev/null
@@ -1,15 +0,0 @@
-.TH _UPDOWN_ESPMARK 8 "7 Apr 2005"
-.SH NAME
-ipsec _updown_espmark \- manages routes and firewall rules
-.SH SYNOPSIS
-.I _updown_espmark
-is invoked by pluto when it has brought up a new connection. This script
-is used to insert the appropriate routing and iptables firewall entries for
-IPsec operation. The incoming ESP traffic must be marked by a static rule
-in the mangle table. The default value for the mark is 50.
-The interface to the script is documented in the pluto man page.
-.SH "SEE ALSO"
-ipsec(8), ipsec_pluto(8).
-.SH HISTORY
-Man page written for the Linux strongSwan project <http://www.strongswan.org/>
-by Andreas Steffen. Original program written by Henry Spencer.
diff --git a/src/aikgen/Makefile.in b/src/aikgen/Makefile.in
index 2bd5be64b..33ed13397 100644
--- a/src/aikgen/Makefile.in
+++ b/src/aikgen/Makefile.in
@@ -198,6 +198,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -258,10 +259,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -335,6 +338,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index 9f67eec1f..64dea34c7 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -232,6 +232,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index 69cbfe07e..82f6fbcb2 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -203,6 +203,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -263,10 +264,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -340,6 +343,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index 613c2f6b5..601daca0a 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -18,7 +18,6 @@
 #include "nm_creds.h"
 #include "nm_handler.h"
 
-#include <hydra.h>
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
 
@@ -97,7 +96,8 @@ static void nm_backend_deinit()
 		g_object_unref(this->plugin);
 	}
 	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
-	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+	charon->attributes->remove_handler(charon->attributes,
+									   &this->handler->handler);
 	this->creds->destroy(this->creds);
 	this->handler->destroy(this->handler);
 	free(this);
@@ -130,7 +130,7 @@ static bool nm_backend_init()
 	this->plugin = nm_strongswan_plugin_new(this->creds, this->handler);
 	nm_backend = this;
 
-	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+	charon->attributes->add_handler(charon->attributes, &this->handler->handler);
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 	if (!this->plugin)
 	{
diff --git a/src/charon-nm/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c
index 28aa04b31..bdc0667cf 100644
--- a/src/charon-nm/nm/nm_handler.c
+++ b/src/charon-nm/nm/nm_handler.c
@@ -41,7 +41,7 @@ struct private_nm_handler_t {
 };
 
 METHOD(attribute_handler_t, handle, bool,
-	private_nm_handler_t *this, identification_t *server,
+	private_nm_handler_t *this, ike_sa_t *ike_sa,
 	configuration_attribute_type_t type, chunk_t data)
 {
 	linked_list_t *list;
@@ -92,7 +92,7 @@ static bool enumerate_dns(enumerator_t *this,
 }
 
 METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*,
-	private_nm_handler_t *this, identification_t *server, linked_list_t *vips)
+	private_nm_handler_t *this, ike_sa_t *ike_sa, linked_list_t *vips)
 {
 	if (vips->get_count(vips))
 	{
@@ -185,4 +185,3 @@ nm_handler_t *nm_handler_create()
 
 	return &this->public;
 }
-
diff --git a/src/charon-svc/Makefile.in b/src/charon-svc/Makefile.in
index 3783ac9f0..1c0a4058d 100644
--- a/src/charon-svc/Makefile.in
+++ b/src/charon-svc/Makefile.in
@@ -197,6 +197,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -257,10 +258,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -334,6 +337,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/charon-systemd/Makefile.in b/src/charon-systemd/Makefile.in
index 790c8ef8f..d6e1c471c 100644
--- a/src/charon-systemd/Makefile.in
+++ b/src/charon-systemd/Makefile.in
@@ -200,6 +200,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -260,10 +261,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -337,6 +340,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c
index 4a2136fc9..e391a5397 100644
--- a/src/charon-systemd/charon-systemd.c
+++ b/src/charon-systemd/charon-systemd.c
@@ -40,6 +40,17 @@
 #include <threading/rwlock.h>
 
 /**
+ * Default user and group
+ */
+#ifndef IPSEC_USER
+#define IPSEC_USER NULL
+#endif
+
+#ifndef IPSEC_GROUP
+#define IPSEC_GROUP NULL
+#endif
+
+/**
  * hook in library for debugging messages
  */
 extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
@@ -268,18 +279,20 @@ static int run()
  */
 static bool lookup_uid_gid()
 {
-#ifdef IPSEC_USER
-	if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
+	char *name;
+
+	name = lib->settings->get_str(lib->settings, "%s.user", IPSEC_USER,
+								  lib->ns);
+	if (name && !lib->caps->resolve_uid(lib->caps, name))
 	{
 		return FALSE;
 	}
-#endif /* IPSEC_USER */
-#ifdef IPSEC_GROUP
-	if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
+	name = lib->settings->get_str(lib->settings, "%s.group", IPSEC_GROUP,
+								  lib->ns);
+	if (name && !lib->caps->resolve_gid(lib->caps, name))
 	{
 		return FALSE;
 	}
-#endif /* IPSEC_GROUP */
 	return TRUE;
 }
 
@@ -365,7 +378,8 @@ int main(int argc, char *argv[])
 	lib->plugins->add_static_features(lib->plugins, lib->ns, features,
 							countof(features), TRUE, journal_reload, &journal);
 
-	if (!charon->initialize(charon, PLUGINS))
+	if (!charon->initialize(charon,
+			lib->settings->get_str(lib->settings, "%s.load", PLUGINS, lib->ns)))
 	{
 		sd_notifyf(0, "STATUS=charon initialization failed");
 		return SS_RC_INITIALIZATION_FAILED;
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index fe6606bc5..bff198ab8 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -142,6 +142,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -202,10 +203,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -279,6 +282,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index a6770fc50..7c60f0ca8 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -276,6 +276,10 @@ int main(int argc, char *argv[])
 		goto deinit;
 	}
 
+	/* the authorize hook currently does not support RFC 7427 signature auth */
+	lib->settings->set_bool(lib->settings, "%s.signature_authentication", FALSE,
+							dmn_name);
+
 	/* make sure we log to the DAEMON facility by default */
 	lib->settings->set_int(lib->settings, "%s.syslog.daemon.default",
 			lib->settings->get_int(lib->settings, "%s.syslog.daemon.default", 1,
diff --git a/src/charon-tkm/src/ees/ees_callbacks.c b/src/charon-tkm/src/ees/ees_callbacks.c
index 2d9653837..74c0d3618 100644
--- a/src/charon-tkm/src/ees/ees_callbacks.c
+++ b/src/charon-tkm/src/ees/ees_callbacks.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
  * Copyright (C) 2012 Adrian-Ken Rueegsegger
  * Hochschule fuer Technik Rapperswil
  *
@@ -19,11 +19,12 @@
 #include <tkm/constants.h>
 #include <tkm/types.h>
 
+#include "tkm.h"
 #include "ees_callbacks.h"
 
 void charon_esa_acquire(result_type *res, const sp_id_type sp_id)
 {
-	DBG1(DBG_KNL, "ees: acquire received for reqid {%d}", sp_id);
+	DBG1(DBG_KNL, "ees: acquire received for reqid %u", sp_id);
 	hydra->kernel_interface->acquire(hydra->kernel_interface, sp_id, NULL,
 									 NULL);
 	*res = TKM_OK;
@@ -33,8 +34,19 @@ void charon_esa_expire(result_type *res, const sp_id_type sp_id,
 					   const esp_spi_type spi_rem, const protocol_type protocol,
 					   const expiry_flag_type hard)
 {
-	DBG1(DBG_KNL, "ees: expire received for reqid {%d}", sp_id);
-	hydra->kernel_interface->expire(hydra->kernel_interface, sp_id, protocol,
-									spi_rem, hard != 0);
+	host_t *dst;
+
+	dst = tkm->sad->get_dst_host(tkm->sad, sp_id, spi_rem, protocol);
 	*res = TKM_OK;
+	if (dst == NULL)
+	{
+		DBG3(DBG_KNL, "ees: destination host not found for reqid %u, spi %x, "
+			 "proto %u", sp_id, ntohl(spi_rem), protocol);
+		return;
+	}
+
+	DBG1(DBG_KNL, "ees: expire received for reqid %u, spi %x, dst %H", sp_id,
+		 ntohl(spi_rem), dst);
+	hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
+									spi_rem, dst, hard != 0);
 }
diff --git a/src/charon-tkm/src/tkm/tkm.c b/src/charon-tkm/src/tkm/tkm.c
index 61eb6056c..333b699a0 100644
--- a/src/charon-tkm/src/tkm/tkm.c
+++ b/src/charon-tkm/src/tkm/tkm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
  * Copyright (C) 2012 Adrian-Ken Rueegsegger
  * Hochschule fuer Technik Rapperswil
  *
@@ -95,6 +95,7 @@ bool tkm_init()
 		.public = {
 			.idmgr = tkm_id_manager_create(limits),
 			.chunk_map = tkm_chunk_map_create(),
+			.sad = tkm_kernel_sad_create(),
 		},
 	);
 	tkm = &this->public;
@@ -114,6 +115,7 @@ void tkm_deinit()
 	private_tkm_t *this = (private_tkm_t*)tkm;
 	this->public.idmgr->destroy(this->public.idmgr);
 	this->public.chunk_map->destroy(this->public.chunk_map);
+	this->public.sad->destroy(this->public.sad);
 
 	ees_server_finalize();
 
diff --git a/src/charon-tkm/src/tkm/tkm.h b/src/charon-tkm/src/tkm/tkm.h
index fb5acd117..4aed08602 100644
--- a/src/charon-tkm/src/tkm/tkm.h
+++ b/src/charon-tkm/src/tkm/tkm.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
  * Copyright (C) 2012 Adrian-Ken Rueegsegger
  * Hochschule fuer Technik Rapperswil
  *
@@ -72,6 +72,7 @@
 
 #include "tkm_id_manager.h"
 #include "tkm_chunk_map.h"
+#include "tkm_kernel_sad.h"
 
 typedef struct tkm_t tkm_t;
 
@@ -90,6 +91,11 @@ struct tkm_t {
 	 */
 	tkm_chunk_map_t *chunk_map;
 
+	/**
+	 * CHILD/ESP SA database.
+	 */
+	tkm_kernel_sad_t *sad;
+
 };
 
 /**
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
index 67db5e6d8..c4953b6aa 100644
--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
@@ -41,7 +41,7 @@ struct private_tkm_diffie_hellman_t {
 	/**
 	 * Diffie Hellman group number.
 	 */
-	u_int16_t group;
+	diffie_hellman_group_t group;
 
 	/**
 	 * Diffie Hellman public value.
@@ -55,30 +55,29 @@ struct private_tkm_diffie_hellman_t {
 
 };
 
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
 	private_tkm_diffie_hellman_t *this, chunk_t *value)
 {
 	sequence_to_chunk(this->pubvalue.data, this->pubvalue.size, value);
+	return TRUE;
 }
 
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
 	private_tkm_diffie_hellman_t *this, chunk_t *secret)
 {
 	*secret = chunk_empty;
-	return SUCCESS;
+	return TRUE;
 }
 
 
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
 	private_tkm_diffie_hellman_t *this, chunk_t value)
 {
-	// TODO: unvoid this function
-
 	dh_pubvalue_type othervalue;
 	othervalue.size = value.len;
 	memcpy(&othervalue.data, value.ptr, value.len);
 
-	ike_dh_generate_key(this->context_id, othervalue);
+	return ike_dh_generate_key(this->context_id, othervalue) == TKM_OK;
 }
 
 METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
diff --git a/src/charon-tkm/src/tkm/tkm_encoder.c~ b/src/charon-tkm/src/tkm/tkm_encoder.c~
new file mode 100644
index 000000000..145615f14
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_encoder.c~
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2013 Reto Buerki
+ * Copyright (C) 2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <utils/debug.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+#include "tkm_encoder.h"
+
+/**
+ * Build the SHA1 hash of pubkey(info) ASN.1 data.
+ */
+static bool hash_pubkey(chunk_t pubkey, chunk_t *hash)
+{
+	hasher_t *hasher;
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher || !hasher->allocate_hash(hasher, pubkey, hash))
+	{
+		DBG1(DBG_LIB, "SHA1 hash algorithm not supported, "
+			 "fingerprinting failed");
+		DESTROY_IF(hasher);
+		chunk_free(&pubkey);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+	chunk_free(&pubkey);
+	return TRUE;
+}
+
+/**
+ * Encode the public key blob into subjectPublicKeyInfo.
+ */
+static bool build_pub_info(chunk_t *encoding, va_list args)
+{
+	chunk_t blob;
+
+	if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
+						   CRED_PART_END))
+	{
+		*encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+							  asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+							  asn1_bitstring("c", blob, 0));
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Build the fingerprint of the subjectPublicKeyInfo object.
+ */
+static bool build_info_sha1(chunk_t *encoding, va_list args)
+{
+	chunk_t pubkey;
+
+	if (build_pub_info(&pubkey, args))
+	{
+		return hash_pubkey(pubkey, encoding);
+	}
+	return FALSE;
+}
+
+/**
+ * Build the fingerprint of the subjectPublicKey object.
+ */
+static bool build_sha1(chunk_t *encoding, va_list args)
+{
+	chunk_t blob;
+
+	if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
+						   CRED_PART_END))
+	{
+		return hash_pubkey(chunk_clone(blob), encoding);
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool tkm_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+						va_list args)
+{
+	switch (type)
+	{
+		case KEYID_PUBKEY_INFO_SHA1:
+			return build_info_sha1(encoding, args);
+		case KEYID_PUBKEY_SHA1:
+			return build_sha1(encoding, args);
+		default:
+			return FALSE;
+	}
+}
diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.c b/src/charon-tkm/src/tkm/tkm_id_manager.c
index 0fadf1acf..e6d571b83 100644
--- a/src/charon-tkm/src/tkm/tkm_id_manager.c
+++ b/src/charon-tkm/src/tkm/tkm_id_manager.c
@@ -24,7 +24,7 @@
 ENUM_BEGIN(tkm_context_kind_names, TKM_CTX_NONCE, TKM_CTX_ESA,
 	"NONCE_CONTEXT",
 	"DH_CONTEXT",
-	"CC_CONTEXT"
+	"CC_CONTEXT",
 	"ISA_CONTEXT",
 	"AE_CONTEXT",
 	"ESA_CONTEXT");
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
index dbeea93f2..734b1ec55 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
  * Copyright (C) 2012 Adrian-Ken Rueegsegger
  * Hochschule fuer Technik Rapperswil
  *
@@ -26,7 +26,6 @@
 #include "tkm_utils.h"
 #include "tkm_types.h"
 #include "tkm_keymat.h"
-#include "tkm_kernel_sad.h"
 #include "tkm_kernel_ipsec.h"
 
 /** From linux/in.h */
@@ -51,16 +50,11 @@ struct private_tkm_kernel_ipsec_t {
 	 */
 	rng_t *rng;
 
-	/**
-	 * CHILD/ESP SA database.
-	 */
-	tkm_kernel_sad_t *sad;
-
 };
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
 	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
-	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+	u_int8_t protocol, u_int32_t *spi)
 {
 	bool result;
 
@@ -74,7 +68,6 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 		}
 	}
 
-	DBG1(DBG_KNL, "getting SPI for reqid {%u}", reqid);
 	result = this->rng->get_bytes(this->rng, sizeof(u_int32_t),
 								  (u_int8_t *)spi);
 	return result ? SUCCESS : FAILED;
@@ -82,7 +75,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
 	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t reqid, u_int16_t *cpi)
+	u_int16_t *cpi)
 {
 	return NOT_SUPPORTED;
 }
@@ -93,11 +86,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
 	u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
-	bool _initiator, bool encap, bool esn, bool inbound,
-	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
+	bool initiator, bool encap, bool esn, bool inbound, bool update,
+	linked_list_t* src_ts, linked_list_t* dst_ts)
 {
 	esa_info_t esa;
-	bool initiator;
 	esp_spi_type spi_loc, spi_rem;
 	host_t *local, *peer;
 	chunk_t *nonce_loc, *nonce_rem;
@@ -120,9 +112,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		return SUCCESS;
 	}
 
-	/* Initiator if encr_r is passed as enc_key to the inbound add_sa call */
-	/* TODO: does the new _initiator parameter have the same meaning? */
-	initiator = esa.is_encr_r && inbound;
 	if (initiator)
 	{
 		spi_loc = spi;
@@ -143,7 +132,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	}
 
 	esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA);
-	if (!this->sad->insert(this->sad, esa_id, peer, local, spi_loc, protocol))
+	if (!tkm->sad->insert(tkm->sad, reqid, esa_id, local, peer, spi_rem,
+						  protocol))
 	{
 		DBG1(DBG_KNL, "unable to add entry (%llu) to SAD", esa_id);
 		goto sad_failure;
@@ -207,7 +197,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	return SUCCESS;
 
 failure:
-	this->sad->remove(this->sad, esa_id);
+	tkm->sad->remove(tkm->sad, esa_id);
 sad_failure:
 	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id);
 	chunk_free(&esa.nonce_i);
@@ -229,7 +219,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 {
 	esa_id_type esa_id;
 
-	esa_id = this->sad->get_esa_id(this->sad, src, dst, spi, protocol);
+	esa_id = tkm->sad->get_esa_id(tkm->sad, src, dst, spi, protocol);
 	if (esa_id)
 	{
 		DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id,
@@ -239,7 +229,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 			DBG1(DBG_KNL, "child SA (%llu) deletion failed", esa_id);
 			return FAILED;
 		}
-		this->sad->remove(this->sad, esa_id);
+		tkm->sad->remove(tkm->sad, esa_id);
 		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id);
 	}
 	return SUCCESS;
@@ -350,7 +340,6 @@ METHOD(kernel_ipsec_t, destroy, void,
 	private_tkm_kernel_ipsec_t *this)
 {
 	DESTROY_IF(this->rng);
-	DESTROY_IF(this->sad);
 	free(this);
 }
 
@@ -380,15 +369,7 @@ tkm_kernel_ipsec_t *tkm_kernel_ipsec_create()
 				.destroy = _destroy,
 			},
 		},
-		.sad = tkm_kernel_sad_create(),
 	);
 
-	if (!this->sad)
-	{
-		DBG1(DBG_KNL, "unable to create SAD");
-		destroy(this);
-		return NULL;
-	}
-
 	return &this->public;
 }
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.c b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
index 360a47bdc..3394b58af 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
  * Copyright (C) 2012 Adrian-Ken Rueegsegger
  * Hochschule fuer Technik Rapperswil
  *
@@ -57,6 +57,11 @@ struct sad_entry_t {
 	esa_id_type esa_id;
 
 	/**
+	 * Reqid.
+	 */
+	u_int32_t reqid;
+
+	/**
 	 * Source address of CHILD SA.
 	 */
 	host_t *src;
@@ -109,6 +114,19 @@ static bool sad_entry_match(sad_entry_t * const entry, const host_t * const src,
 }
 
 /**
+ * Find a list entry with given reqid, spi and proto values.
+ */
+static bool sad_entry_match_dst(sad_entry_t * const entry,
+								const u_int32_t * const reqid,
+								const u_int32_t * const spi,
+								const u_int8_t * const proto)
+{
+	return entry->reqid == *reqid &&
+		   entry->spi   == *spi &&
+		   entry->proto == *proto;
+}
+
+/**
  * Compare two SAD entries for equality.
  */
 static bool sad_entry_equal(sad_entry_t * const left, sad_entry_t * const right)
@@ -119,6 +137,7 @@ static bool sad_entry_equal(sad_entry_t * const left, sad_entry_t * const right)
 		return FALSE;
 	}
 	return left->esa_id == right->esa_id &&
+		   left->reqid == right->reqid &&
 		   left->src->ip_equals(left->src, right->src) &&
 		   left->dst->ip_equals(left->dst, right->dst) &&
 		   left->spi == right->spi && left->proto == right->proto;
@@ -126,14 +145,15 @@ static bool sad_entry_equal(sad_entry_t * const left, sad_entry_t * const right)
 
 METHOD(tkm_kernel_sad_t, insert, bool,
 	private_tkm_kernel_sad_t * const this, const esa_id_type esa_id,
-	const host_t * const src, const host_t * const dst, const u_int32_t spi,
-	const u_int8_t proto)
+	const u_int32_t reqid, const host_t * const src, const host_t * const dst,
+	const u_int32_t spi, const u_int8_t proto)
 {
 	status_t result;
 	sad_entry_t *new_entry;
 
 	INIT(new_entry,
 		 .esa_id = esa_id,
+		 .reqid = reqid,
 		 .src = (host_t *)src,
 		 .dst = (host_t *)dst,
 		 .spi = spi,
@@ -146,8 +166,9 @@ METHOD(tkm_kernel_sad_t, insert, bool,
 									new_entry);
 	if (result == NOT_FOUND)
 	{
-		DBG3(DBG_KNL, "inserting SAD entry (esa: %llu, src: %H, dst: %H, "
-			 "spi: %x, proto: %u)", esa_id, src, dst, ntohl(spi), proto);
+		DBG3(DBG_KNL, "inserting SAD entry (esa: %llu, reqid: %u, src: %H, "
+			 "dst: %H, spi: %x, proto: %u)", esa_id, reqid, src, dst,
+			 ntohl(spi), proto);
 		new_entry->src = src->clone((host_t *)src);
 		new_entry->dst = dst->clone((host_t *)dst);
 		this->data->insert_last(this->data, new_entry);
@@ -176,18 +197,44 @@ METHOD(tkm_kernel_sad_t, get_esa_id, esa_id_type,
 	if (res == SUCCESS && entry)
 	{
 		id = entry->esa_id;
-		DBG3(DBG_KNL, "getting ESA id of SAD entry (esa: %llu, src: %H, "
-			 "dst: %H, spi: %x, proto: %u)", id, src, dst, ntohl(spi),
-			 proto);
+		DBG3(DBG_KNL, "returning ESA id %llu of SAD entry (src: %H, dst: %H, "
+			 "spi: %x, proto: %u)", id, src, dst, ntohl(spi), proto);
 	}
 	else
 	{
-		DBG3(DBG_KNL, "no SAD entry found");
+		DBG3(DBG_KNL, "no SAD entry found for src %H, dst %H, spi %x, proto %u",
+			 src, dst, ntohl(spi), proto);
 	}
 	this->mutex->unlock(this->mutex);
 	return id;
 }
 
+METHOD(tkm_kernel_sad_t, get_dst_host, host_t *,
+	private_tkm_kernel_sad_t * const this, const u_int32_t reqid,
+	const u_int32_t spi, const u_int8_t proto)
+{
+	host_t *dst = NULL;
+	sad_entry_t *entry = NULL;
+
+	this->mutex->lock(this->mutex);
+	const status_t res = this->data->find_first(this->data,
+												(linked_list_match_t)sad_entry_match_dst,
+												(void**)&entry, &reqid, &spi, &proto);
+	if (res == SUCCESS && entry)
+	{
+		dst = entry->dst;
+		DBG3(DBG_KNL, "returning destination host %H of SAD entry (reqid: %u,"
+			 " spi: %x, proto: %u)", dst, reqid, ntohl(spi), proto);
+	}
+	else
+	{
+		DBG3(DBG_KNL, "no SAD entry found for reqid %u, spi %x, proto: %u",
+			 reqid, ntohl(spi), proto);
+	}
+	this->mutex->unlock(this->mutex);
+	return dst;
+}
+
 METHOD(tkm_kernel_sad_t, _remove, bool,
 	private_tkm_kernel_sad_t * const this, const esa_id_type esa_id)
 {
@@ -242,6 +289,7 @@ tkm_kernel_sad_t *tkm_kernel_sad_create()
 		.public = {
 			.insert = _insert,
 			.get_esa_id = _get_esa_id,
+			.get_dst_host = _get_dst_host,
 			.remove = __remove,
 			.destroy = _destroy,
 		},
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.h b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
index 0194cd3bc..38b19dd01 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.h
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
  * Copyright (C) 2012 Adrian-Ken Rueegsegger
  * Hochschule fuer Technik Rapperswil
  *
@@ -37,6 +37,7 @@ struct tkm_kernel_sad_t {
 	 * Insert new SAD entry with specified parameters.
 	 *
 	 * @param esa_id		ESP SA context identifier
+	 * @param reqid			reqid of the SA
 	 * @param src			source address of CHILD SA
 	 * @param dst			destination address of CHILD SA
 	 * @param spi			SPI of CHILD SA
@@ -44,8 +45,9 @@ struct tkm_kernel_sad_t {
 	 * @return				TRUE if entry was inserted, FALSE otherwise
 	 */
 	bool (*insert)(tkm_kernel_sad_t * const this, const esa_id_type esa_id,
-				   const host_t * const src, const host_t * const dst,
-				   const u_int32_t spi, const u_int8_t proto);
+				   const u_int32_t reqid, const host_t * const src,
+				   const host_t * const dst, const u_int32_t spi,
+				   const u_int8_t proto);
 
 	/**
 	 * Get ESA id for entry with given parameters.
@@ -61,6 +63,17 @@ struct tkm_kernel_sad_t {
 				 const u_int32_t spi, const u_int8_t proto);
 
 	/**
+	 * Get destination host for entry with given parameters.
+	 *
+	 * @param reqid			reqid of CHILD SA
+	 * @param spi			SPI of CHILD SA
+	 * @param proto			protocol of CHILD SA (ESP/AH)
+	 * @return				destination host of entry if found, NULL otherwise
+	 */
+	host_t * (*get_dst_host)(tkm_kernel_sad_t * const this,
+			  const u_int32_t reqid, const u_int32_t spi, const u_int8_t proto);
+
+	/**
 	 * Remove entry with given ESA id from SAD.
 	 *
 	 * @param esa_id		ESA identifier of entry to remove
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index 772fac8b0..80721fafe 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
  * Copyrigth (C) 2012 Reto Buerki
  * Copyright (C) 2012 Adrian-Ken Rueegsegger
  * Hochschule fuer Technik Rapperswil
@@ -17,6 +18,7 @@
 #include <daemon.h>
 #include <tkm/constants.h>
 #include <tkm/client.h>
+#include <crypto/hashers/hash_algorithm_set.h>
 
 #include "tkm.h"
 #include "tkm_types.h"
@@ -71,6 +73,10 @@ struct private_tkm_keymat_t {
 	 */
 	chunk_t other_init_msg;
 
+	/**
+	 * Set of hash algorithms supported by peer for signature authentication
+	 */
+	hash_algorithm_set_t *hash_algorithms;
 };
 
 /**
@@ -417,6 +423,26 @@ METHOD(keymat_v2_t, get_psk_sig, bool,
 	return FALSE;
 }
 
+METHOD(keymat_v2_t, hash_algorithm_supported, bool,
+	private_tkm_keymat_t *this, hash_algorithm_t hash)
+{
+	if (!this->hash_algorithms)
+	{
+		return FALSE;
+	}
+	return this->hash_algorithms->contains(this->hash_algorithms, hash);
+}
+
+METHOD(keymat_v2_t, add_hash_algorithm, void,
+	private_tkm_keymat_t *this, hash_algorithm_t hash)
+{
+	if (!this->hash_algorithms)
+	{
+		this->hash_algorithms = hash_algorithm_set_create();
+	}
+	this->hash_algorithms->add(this->hash_algorithms, hash);
+}
+
 METHOD(keymat_t, destroy, void,
 	private_tkm_keymat_t *this)
 {
@@ -435,6 +461,7 @@ METHOD(keymat_t, destroy, void,
 		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_AE, this->ae_ctx_id);
 	}
 
+	DESTROY_IF(this->hash_algorithms);
 	DESTROY_IF(this->aead_in);
 	DESTROY_IF(this->aead_out);
 	chunk_free(&this->auth_payload);
@@ -488,6 +515,8 @@ tkm_keymat_t *tkm_keymat_create(bool initiator)
 				.get_skd = _get_skd,
 				.get_auth_octets = _get_auth_octets,
 				.get_psk_sig = _get_psk_sig,
+				.add_hash_algorithm = _add_hash_algorithm,
+				.hash_algorithm_supported = _hash_algorithm_supported,
 			},
 			.get_isa_id = _get_isa_id,
 			.set_auth_payload = _set_auth_payload,
diff --git a/src/charon-tkm/src/tkm/tkm_listener.c b/src/charon-tkm/src/tkm/tkm_listener.c
index b2692a586..bb1218266 100644
--- a/src/charon-tkm/src/tkm/tkm_listener.c
+++ b/src/charon-tkm/src/tkm/tkm_listener.c
@@ -240,6 +240,8 @@ METHOD(listener_t, authorize, bool,
 		return TRUE;
 	}
 
+	*success = FALSE;
+
 	keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
 	isa_id = keymat->get_isa_id(keymat);
 	DBG1(DBG_IKE, "TKM authorize listener called for ISA context %llu", isa_id);
@@ -248,28 +250,26 @@ METHOD(listener_t, authorize, bool,
 	if (!cc_id)
 	{
 		DBG1(DBG_IKE, "unable to acquire CC context id");
-		*success = FALSE;
 		return TRUE;
 	}
 	if (!build_cert_chain(ike_sa, cc_id))
 	{
 		DBG1(DBG_IKE, "unable to build certificate chain");
-		*success = FALSE;
-		return TRUE;
+		goto cc_reset;
 	}
 
 	auth = keymat->get_auth_payload(keymat);
 	if (!auth->ptr)
 	{
 		DBG1(DBG_IKE, "no AUTHENTICATION data available");
-		*success = FALSE;
+		goto cc_reset;
 	}
 
 	other_init_msg = keymat->get_peer_init_msg(keymat);
 	if (!other_init_msg->ptr)
 	{
 		DBG1(DBG_IKE, "no peer init message available");
-		*success = FALSE;
+		goto cc_reset;
 	}
 
 	chunk_to_sequence(auth, &signature, sizeof(signature_type));
@@ -279,7 +279,7 @@ METHOD(listener_t, authorize, bool,
 	{
 		DBG1(DBG_IKE, "TKM based authentication failed"
 			 " for ISA context %llu", isa_id);
-		*success = FALSE;
+		goto cc_reset;
 	}
 	else
 	{
@@ -288,7 +288,13 @@ METHOD(listener_t, authorize, bool,
 		*success = TRUE;
 	}
 
-	return TRUE;
+cc_reset:
+	if (ike_cc_reset(cc_id) != TKM_OK)
+	{
+		DBG1(DBG_IKE, "unable to reset CC context %llu", cc_id);
+	}
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_CC, cc_id);
+	return TRUE; /* stay registered */
 }
 
 METHOD(listener_t, message, bool,
diff --git a/src/charon-tkm/tests/diffie_hellman_tests.c b/src/charon-tkm/tests/diffie_hellman_tests.c
index 89658a770..5ef6f41ab 100644
--- a/src/charon-tkm/tests/diffie_hellman_tests.c
+++ b/src/charon-tkm/tests/diffie_hellman_tests.c
@@ -40,7 +40,7 @@ START_TEST(test_dh_get_my_pubvalue)
 	fail_if(!dh, "Unable to create DH");
 
 	chunk_t value;
-	dh->dh.get_my_public_value(&dh->dh, &value);
+	ck_assert(dh->dh.get_my_public_value(&dh->dh, &value));
 	dh->dh.destroy(&dh->dh);
 
 	fail_if(value.ptr == NULL, "Pubvalue is NULL");
diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c
index 6f0b396d3..b9ab3cb5e 100644
--- a/src/charon-tkm/tests/kernel_sad_tests.c
+++ b/src/charon-tkm/tests/kernel_sad_tests.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
  * Copyright (C) 2012 Adrian-Ken Rueegsegger
  * Hochschule fuer Technik Rapperswil
  *
@@ -34,7 +34,7 @@ START_TEST(test_insert)
 	host_t *addr = host_create_from_string("127.0.0.1", 1024);
 	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
 
-	fail_unless(sad->insert(sad, 1, addr, addr, 42, 50),
+	fail_unless(sad->insert(sad, 1, 2, addr, addr, 42, 50),
 				"Error inserting SAD entry");
 
 	sad->destroy(sad);
@@ -47,9 +47,9 @@ START_TEST(test_insert_duplicate)
 	host_t *addr = host_create_from_string("127.0.0.1", 1024);
 	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
 
-	fail_unless(sad->insert(sad, 1, addr, addr, 42, 50),
+	fail_unless(sad->insert(sad, 1, 2, addr, addr, 42, 50),
 				"Error inserting SAD entry");
-	fail_if(sad->insert(sad, 1, addr, addr, 42, 50),
+	fail_if(sad->insert(sad, 1, 2, addr, addr, 42, 50),
 			"Expected error inserting duplicate entry");
 
 	sad->destroy(sad);
@@ -61,7 +61,7 @@ START_TEST(test_get_esa_id)
 {
 	host_t *addr = host_create_from_string("127.0.0.1", 1024);
 	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
-	fail_unless(sad->insert(sad, 23, addr, addr, 42, 50),
+	fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50),
 				"Error inserting SAD entry");
 	fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
 				"Error getting esa id");
@@ -81,11 +81,34 @@ START_TEST(test_get_esa_id_nonexistent)
 }
 END_TEST
 
+START_TEST(test_get_dst_host)
+{
+	host_t *addr = host_create_from_string("127.0.0.1", 1024);
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+	fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50),
+				"Error inserting SAD entry");
+
+	host_t *dst = sad->get_dst_host(sad, 54, 42, 50);
+	fail_unless(addr->equals(addr, dst), "Error getting dst host");
+	sad->destroy(sad);
+	addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_get_dst_host_nonexistent)
+{
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+	fail_unless(sad->get_dst_host(sad, 1, 12, 50) == NULL,
+				"Got dst for nonexistent SAD entry");
+	sad->destroy(sad);
+}
+END_TEST
+
 START_TEST(test_remove)
 {
 	host_t *addr = host_create_from_string("127.0.0.1", 1024);
 	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
-	fail_unless(sad->insert(sad, 23, addr, addr, 42, 50),
+	fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50),
 				"Error inserting SAD entry");
 	fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
 				"Error getting esa id");
@@ -128,6 +151,11 @@ Suite *make_kernel_sad_tests()
 	tcase_add_test(tc, test_get_esa_id_nonexistent);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("get_dst_host");
+	tcase_add_test(tc, test_get_dst_host);
+	tcase_add_test(tc, test_get_dst_host_nonexistent);
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("remove");
 	tcase_add_test(tc, test_remove);
 	tcase_add_test(tc, test_remove_nonexistent);
diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c
index 1982671d3..889965a78 100644
--- a/src/charon-tkm/tests/keymat_tests.c
+++ b/src/charon-tkm/tests/keymat_tests.c
@@ -53,8 +53,8 @@ START_TEST(test_derive_ike_keys)
 
 	/* Use the same pubvalue for both sides */
 	chunk_t pubvalue;
-	dh->dh.get_my_public_value(&dh->dh, &pubvalue);
-	dh->dh.set_other_public_value(&dh->dh, pubvalue);
+	ck_assert(dh->dh.get_my_public_value(&dh->dh, &pubvalue));
+	ck_assert(dh->dh.set_other_public_value(&dh->dh, pubvalue));
 
 	fail_unless(keymat->keymat_v2.derive_ike_keys(&keymat->keymat_v2, proposal,
 				&dh->dh, nonce, nonce, ike_sa_id, PRF_UNDEFINED, chunk_empty),
diff --git a/src/charon-tkm/tests/tests.c b/src/charon-tkm/tests/tests.c
index 80894a133..669f4d500 100644
--- a/src/charon-tkm/tests/tests.c
+++ b/src/charon-tkm/tests/tests.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2013 Tobias Brunner
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
  * Copyright (C) 2012 Adrian-Ken Rueegsegger
  * Hochschule fuer Technik Rapperswil
  *
@@ -53,7 +53,7 @@ static bool test_runner_init(bool init)
 		libhydra_init();
 		libcharon_init();
 		lib->settings->set_int(lib->settings,
-							   "test_runner.filelog.stdout.default", 0);
+							   "test-runner.filelog.stdout.default", 0);
 		charon->load_loggers(charon, NULL, FALSE);
 
 		/* Register TKM specific plugins */
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index f4dcf4fb0..e1cc5c202 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -199,6 +199,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -259,10 +260,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -336,6 +339,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 86e7ca6dd..4e4134625 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -266,6 +266,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -326,10 +327,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -403,6 +406,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index e3c2e4335..78438d8f5 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -213,6 +213,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -273,10 +274,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -350,6 +353,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/conftest/actions.c b/src/conftest/actions.c
index 7532e95cf..474672ca1 100644
--- a/src/conftest/actions.c
+++ b/src/conftest/actions.c
@@ -117,19 +117,20 @@ static job_requeue_t rekey_child(char *config)
 	enumerator_t *enumerator, *children;
 	ike_sa_t *ike_sa;
 	child_sa_t *child_sa;
-	u_int32_t reqid = 0, spi = 0;
-	protocol_id_t proto = PROTO_ESP;
+	u_int32_t spi, proto;
+	host_t *dst = NULL;
 
 	enumerator = charon->controller->create_ike_sa_enumerator(
 													charon->controller, TRUE);
 	while (enumerator->enumerate(enumerator, &ike_sa))
 	{
 		children = ike_sa->create_child_sa_enumerator(ike_sa);
-		while (children->enumerate(children, (void**)&child_sa))
+		while (children->enumerate(children, &child_sa))
 		{
 			if (streq(config, child_sa->get_name(child_sa)))
 			{
-				reqid = child_sa->get_reqid(child_sa);
+				dst = ike_sa->get_my_host(ike_sa);
+				dst = dst->clone(dst);
 				proto = child_sa->get_protocol(child_sa);
 				spi = child_sa->get_spi(child_sa, TRUE);
 				break;
@@ -138,11 +139,12 @@ static job_requeue_t rekey_child(char *config)
 		children->destroy(children);
 	}
 	enumerator->destroy(enumerator);
-	if (reqid)
+	if (dst)
 	{
 		DBG1(DBG_CFG, "starting rekey of CHILD_SA '%s'", config);
 		lib->processor->queue_job(lib->processor,
-						(job_t*)rekey_child_sa_job_create(reqid, proto, spi));
+						(job_t*)rekey_child_sa_job_create(proto, spi, dst));
+		dst->destroy(dst);
 	}
 	else
 	{
@@ -236,7 +238,7 @@ static job_requeue_t close_child(char *config)
 		{
 			if (streq(config, child_sa->get_name(child_sa)))
 			{
-				id = child_sa->get_reqid(child_sa);
+				id = child_sa->get_unique_id(child_sa);
 				break;
 			}
 		}
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 56ac3447f..2ecf61194 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -234,6 +234,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -294,10 +295,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -371,6 +374,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index d791c089d..df7ec4703 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -629,7 +629,7 @@ static VALUE iface_each_addr(int argc, VALUE *argv, VALUE self)
 	linked_list_t *list;
 	iface_t *iface;
 	host_t *addr;
-	char buf[64];
+	char buf[64], *fmt = "%H";
 
 	if (!rb_block_given_p())
 	{
@@ -645,7 +645,7 @@ static VALUE iface_each_addr(int argc, VALUE *argv, VALUE self)
 	enumerator->destroy(enumerator);
 	while (list->remove_first(list, (void**)&addr) == SUCCESS)
 	{
-		snprintf(buf, sizeof(buf), "%H", addr);
+		snprintf(buf, sizeof(buf), fmt, addr);
 		addr->destroy(addr);
 		rb_yield(rb_str_new2(buf));
 	}
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 042c46cab..64be6ac4f 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -142,6 +142,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -202,10 +203,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -279,6 +282,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 526c7c46e..d4dafcb0c 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -176,6 +176,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -236,10 +237,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -313,6 +316,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 9ba9bd842..d2d0c2edd 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.2.1" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.3.0" "strongSwan"
 .
 .SH NAME
 .
@@ -210,15 +210,18 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP.
 .
 .TP
 .B "rereadcacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
-directory and adds them to the list of Certification Authority (CA)
-certificates.
+removes previously loaded CA certificates, reads all certificate files
+contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
+of Certification Authority (CA) certificates. This does not affect certificates
+explicitly defined in a
+.BR ipsec.conf (5)
+ca section, which may be separately updated using the \fBupdate\fP command.
 .
 .TP
 .B "rereadaacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
-directory and adds them to the list of Authorization Authority (AA)
-certificates.
+removes previously loaded AA certificates, reads all certificate files
+contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
+of Authorization Authority (AA) certificates.
 .
 .TP
 .B "rereadocspcerts"
diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in
index 210d74ef8..0aef8c031 100644
--- a/src/ipsec/_ipsec.8.in
+++ b/src/ipsec/_ipsec.8.in
@@ -210,15 +210,18 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP.
 .
 .TP
 .B "rereadcacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
-directory and adds them to the list of Certification Authority (CA)
-certificates.
+removes previously loaded CA certificates, reads all certificate files
+contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
+of Certification Authority (CA) certificates. This does not affect certificates
+explicitly defined in a
+.BR ipsec.conf (5)
+ca section, which may be separately updated using the \fBupdate\fP command.
 .
 .TP
 .B "rereadaacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
-directory and adds them to the list of Authorization Authority (AA)
-certificates.
+removes previously loaded AA certificates, reads all certificate files
+contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
+of Authorization Authority (AA) certificates.
 .
 .TP
 .B "rereadocspcerts"
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 4212ee87a..5eef6fdc6 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -3,6 +3,10 @@ include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
 libcharon_la_SOURCES := \
+attributes/attributes.c attributes/attributes.h \
+attributes/attribute_provider.h attributes/attribute_handler.h \
+attributes/attribute_manager.c attributes/attribute_manager.h \
+attributes/mem_pool.c attributes/mem_pool.h \
 bus/bus.c bus/bus.h \
 bus/listeners/listener.h \
 bus/listeners/logger.h \
@@ -62,6 +66,7 @@ processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
+processing/jobs/initiate_tasks_job.c processing/jobs/initiate_tasks_job.h \
 sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
 sa/eap/eap_manager.c sa/eap/eap_manager.h \
 sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
@@ -72,6 +77,7 @@ sa/ike_sa.c sa/ike_sa.h \
 sa/ike_sa_id.c sa/ike_sa_id.h \
 sa/keymat.h sa/keymat.c \
 sa/ike_sa_manager.c sa/ike_sa_manager.h \
+sa/child_sa_manager.c sa/child_sa_manager.h \
 sa/task_manager.h sa/task_manager.c \
 sa/shunt_manager.c sa/shunt_manager.h \
 sa/trap_manager.c sa/trap_manager.h \
@@ -97,6 +103,7 @@ sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
 sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
+sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \
 sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
 sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
 
@@ -238,4 +245,3 @@ LOCAL_PRELINK_MODULE := false
 LOCAL_SHARED_LIBRARIES += libstrongswan libhydra
 
 include $(BUILD_SHARED_LIBRARY)
-
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index e98f5e137..cd81a5eee 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -1,6 +1,10 @@
 ipseclib_LTLIBRARIES = libcharon.la
 
 libcharon_la_SOURCES = \
+attributes/attributes.c attributes/attributes.h \
+attributes/attribute_provider.h attributes/attribute_handler.h \
+attributes/attribute_manager.c attributes/attribute_manager.h \
+attributes/mem_pool.c attributes/mem_pool.h \
 bus/bus.c bus/bus.h \
 bus/listeners/listener.h \
 bus/listeners/logger.h \
@@ -60,6 +64,7 @@ processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
+processing/jobs/initiate_tasks_job.c processing/jobs/initiate_tasks_job.h \
 sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
 sa/eap/eap_manager.c sa/eap/eap_manager.h \
 sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
@@ -70,6 +75,7 @@ sa/ike_sa.c sa/ike_sa.h \
 sa/ike_sa_id.c sa/ike_sa_id.h \
 sa/keymat.h sa/keymat.c \
 sa/ike_sa_manager.c sa/ike_sa_manager.h \
+sa/child_sa_manager.c sa/child_sa_manager.h \
 sa/task_manager.h sa/task_manager.c \
 sa/shunt_manager.c sa/shunt_manager.h \
 sa/trap_manager.c sa/trap_manager.h \
@@ -96,6 +102,7 @@ sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
 sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
+sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \
 sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
 sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
 endif
@@ -203,6 +210,20 @@ if MONOLITHIC
 endif
 endif
 
+if USE_CONNMARK
+  SUBDIRS += plugins/connmark
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/connmark/libstrongswan-connmark.la
+endif
+endif
+
+if USE_FORECAST
+  SUBDIRS += plugins/forecast
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/forecast/libstrongswan-forecast.la
+endif
+endif
+
 if USE_FARP
   SUBDIRS += plugins/farp
 if MONOLITHIC
@@ -595,13 +616,6 @@ if MONOLITHIC
 endif
 endif
 
-if USE_UNIT_TESTS
-  SUBDIRS += plugins/unit_tester
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/unit_tester/libstrongswan-unit-tester.la
-endif
-endif
-
 if USE_XAUTH_GENERIC
   SUBDIRS += plugins/xauth_generic
 if MONOLITHIC
@@ -629,3 +643,29 @@ if MONOLITHIC
   libcharon_la_LIBADD += plugins/xauth_noauth/libstrongswan-xauth-noauth.la
 endif
 endif
+
+if USE_RESOLVE
+  SUBDIRS += plugins/resolve
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/resolve/libstrongswan-resolve.la
+endif
+endif
+
+if USE_ATTR
+  SUBDIRS += plugins/attr
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/attr/libstrongswan-attr.la
+endif
+endif
+
+if USE_ATTR_SQL
+  SUBDIRS += plugins/attr_sql
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/attr_sql/libstrongswan-attr-sql.la
+endif
+endif
+
+if MONOLITHIC
+  SUBDIRS += .
+endif
+SUBDIRS += tests
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 4d89794b5..3d425e0b4 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -98,6 +98,7 @@ host_triplet = @host@
 @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \
 @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
 @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
 
@@ -146,124 +147,132 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_11 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la
 @USE_SOCKET_WIN_TRUE@am__append_12 = plugins/socket_win
 @MONOLITHIC_TRUE@@USE_SOCKET_WIN_TRUE@am__append_13 = plugins/socket_win/libstrongswan-socket-win.la
-@USE_FARP_TRUE@am__append_14 = plugins/farp
-@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_15 = plugins/farp/libstrongswan-farp.la
-@USE_STROKE_TRUE@am__append_16 = plugins/stroke
-@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_17 = plugins/stroke/libstrongswan-stroke.la
-@USE_VICI_TRUE@am__append_18 = plugins/vici
-@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_19 = plugins/vici/libstrongswan-vici.la
-@USE_SMP_TRUE@am__append_20 = plugins/smp
-@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_21 = plugins/smp/libstrongswan-smp.la
-@USE_SQL_TRUE@am__append_22 = plugins/sql
-@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_23 = plugins/sql/libstrongswan-sql.la
-@USE_DNSCERT_TRUE@am__append_24 = plugins/dnscert
-@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_25 = plugins/dnscert/libstrongswan-dnscert.la
-@USE_IPSECKEY_TRUE@am__append_26 = plugins/ipseckey
-@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_27 = plugins/ipseckey/libstrongswan-ipseckey.la
-@USE_UPDOWN_TRUE@am__append_28 = plugins/updown
-@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_29 = plugins/updown/libstrongswan-updown.la
-@USE_EXT_AUTH_TRUE@am__append_30 = plugins/ext_auth
-@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_31 = plugins/ext_auth/libstrongswan-ext-auth.la
-@USE_EAP_IDENTITY_TRUE@am__append_32 = plugins/eap_identity
-@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_33 = plugins/eap_identity/libstrongswan-eap-identity.la
-@USE_EAP_SIM_TRUE@am__append_34 = plugins/eap_sim
-@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_35 = plugins/eap_sim/libstrongswan-eap-sim.la
-@USE_EAP_SIM_FILE_TRUE@am__append_36 = plugins/eap_sim_file
-@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_37 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
-@USE_EAP_SIM_PCSC_TRUE@am__append_38 = plugins/eap_sim_pcsc
-@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_39 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
-@USE_EAP_SIMAKA_SQL_TRUE@am__append_40 = plugins/eap_simaka_sql
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_41 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_42 = plugins/eap_simaka_pseudonym
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_43 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_44 = plugins/eap_simaka_reauth
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_45 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
-@USE_EAP_AKA_TRUE@am__append_46 = plugins/eap_aka
-@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_47 = plugins/eap_aka/libstrongswan-eap-aka.la
-@USE_EAP_AKA_3GPP2_TRUE@am__append_48 = plugins/eap_aka_3gpp2
-@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_49 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
-@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_50 = $(top_builddir)/src/libsimaka/libsimaka.la
-@USE_EAP_MD5_TRUE@am__append_51 = plugins/eap_md5
-@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_52 = plugins/eap_md5/libstrongswan-eap-md5.la
-@USE_EAP_GTC_TRUE@am__append_53 = plugins/eap_gtc
-@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_54 = plugins/eap_gtc/libstrongswan-eap-gtc.la
-@USE_EAP_MSCHAPV2_TRUE@am__append_55 = plugins/eap_mschapv2
-@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_56 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
-@USE_EAP_DYNAMIC_TRUE@am__append_57 = plugins/eap_dynamic
-@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_58 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
-@USE_EAP_RADIUS_TRUE@am__append_59 = plugins/eap_radius
-@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_60 = plugins/eap_radius/libstrongswan-eap-radius.la
-@USE_EAP_TLS_TRUE@am__append_61 = plugins/eap_tls
-@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_62 = plugins/eap_tls/libstrongswan-eap-tls.la
-@USE_EAP_TTLS_TRUE@am__append_63 = plugins/eap_ttls
-@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_64 = plugins/eap_ttls/libstrongswan-eap-ttls.la
-@USE_EAP_PEAP_TRUE@am__append_65 = plugins/eap_peap
-@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_66 = plugins/eap_peap/libstrongswan-eap-peap.la
-@USE_EAP_TNC_TRUE@am__append_67 = plugins/eap_tnc
-@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_68 = plugins/eap_tnc/libstrongswan-eap-tnc.la
-@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_69 = $(top_builddir)/src/libtls/libtls.la
-@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_70 = $(top_builddir)/src/libradius/libradius.la
-@USE_TNC_IFMAP_TRUE@am__append_71 = plugins/tnc_ifmap
-@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_72 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
-@USE_TNC_PDP_TRUE@am__append_73 = plugins/tnc_pdp
-@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_74 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
-@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_75 = $(top_builddir)/src/libtnccs/libtnccs.la
-@USE_MEDSRV_TRUE@am__append_76 = plugins/medsrv
-@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_77 = plugins/medsrv/libstrongswan-medsrv.la
-@USE_MEDCLI_TRUE@am__append_78 = plugins/medcli
-@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_79 = plugins/medcli/libstrongswan-medcli.la
-@USE_DHCP_TRUE@am__append_80 = plugins/dhcp
-@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_81 = plugins/dhcp/libstrongswan-dhcp.la
-@USE_OSX_ATTR_TRUE@am__append_82 = plugins/osx_attr
-@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_83 = plugins/osx_attr/libstrongswan-osx-attr.la
-@USE_ANDROID_DNS_TRUE@am__append_84 = plugins/android_dns
-@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_85 = plugins/android_dns/libstrongswan-android-dns.la
-@USE_ANDROID_LOG_TRUE@am__append_86 = plugins/android_log
-@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_87 = plugins/android_log/libstrongswan-android-log.la
-@USE_MAEMO_TRUE@am__append_88 = plugins/maemo
-@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_89 = plugins/maemo/libstrongswan-maemo.la
-@USE_HA_TRUE@am__append_90 = plugins/ha
-@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_91 = plugins/ha/libstrongswan-ha.la
-@USE_KERNEL_LIBIPSEC_TRUE@am__append_92 = plugins/kernel_libipsec
-@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_93 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
-@USE_KERNEL_WFP_TRUE@am__append_94 = plugins/kernel_wfp
-@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_95 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
-@USE_KERNEL_IPH_TRUE@am__append_96 = plugins/kernel_iph
-@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_97 = plugins/kernel_iph/libstrongswan-kernel-iph.la
-@USE_WHITELIST_TRUE@am__append_98 = plugins/whitelist
-@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_99 = plugins/whitelist/libstrongswan-whitelist.la
-@USE_LOOKIP_TRUE@am__append_100 = plugins/lookip
-@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_101 = plugins/lookip/libstrongswan-lookip.la
-@USE_ERROR_NOTIFY_TRUE@am__append_102 = plugins/error_notify
-@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_103 = plugins/error_notify/libstrongswan-error-notify.la
-@USE_CERTEXPIRE_TRUE@am__append_104 = plugins/certexpire
-@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_105 = plugins/certexpire/libstrongswan-certexpire.la
-@USE_SYSTIME_FIX_TRUE@am__append_106 = plugins/systime_fix
-@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_107 = plugins/systime_fix/libstrongswan-systime-fix.la
-@USE_LED_TRUE@am__append_108 = plugins/led
-@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_109 = plugins/led/libstrongswan-led.la
-@USE_DUPLICHECK_TRUE@am__append_110 = plugins/duplicheck
-@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_111 = plugins/duplicheck/libstrongswan-duplicheck.la
-@USE_COUPLING_TRUE@am__append_112 = plugins/coupling
-@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_113 = plugins/coupling/libstrongswan-coupling.la
-@USE_RADATTR_TRUE@am__append_114 = plugins/radattr
-@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_115 = plugins/radattr/libstrongswan-radattr.la
-@USE_UCI_TRUE@am__append_116 = plugins/uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_117 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_118 = plugins/addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_119 = plugins/addrblock/libstrongswan-addrblock.la
-@USE_UNITY_TRUE@am__append_120 = plugins/unity
-@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_121 = plugins/unity/libstrongswan-unity.la
-@USE_UNIT_TESTS_TRUE@am__append_122 = plugins/unit_tester
-@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_123 = plugins/unit_tester/libstrongswan-unit-tester.la
-@USE_XAUTH_GENERIC_TRUE@am__append_124 = plugins/xauth_generic
-@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_125 = plugins/xauth_generic/libstrongswan-xauth-generic.la
-@USE_XAUTH_EAP_TRUE@am__append_126 = plugins/xauth_eap
-@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_127 = plugins/xauth_eap/libstrongswan-xauth-eap.la
-@USE_XAUTH_PAM_TRUE@am__append_128 = plugins/xauth_pam
-@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_129 = plugins/xauth_pam/libstrongswan-xauth-pam.la
-@USE_XAUTH_NOAUTH_TRUE@am__append_130 = plugins/xauth_noauth
-@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_131 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+@USE_CONNMARK_TRUE@am__append_14 = plugins/connmark
+@MONOLITHIC_TRUE@@USE_CONNMARK_TRUE@am__append_15 = plugins/connmark/libstrongswan-connmark.la
+@USE_FORECAST_TRUE@am__append_16 = plugins/forecast
+@MONOLITHIC_TRUE@@USE_FORECAST_TRUE@am__append_17 = plugins/forecast/libstrongswan-forecast.la
+@USE_FARP_TRUE@am__append_18 = plugins/farp
+@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_19 = plugins/farp/libstrongswan-farp.la
+@USE_STROKE_TRUE@am__append_20 = plugins/stroke
+@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_21 = plugins/stroke/libstrongswan-stroke.la
+@USE_VICI_TRUE@am__append_22 = plugins/vici
+@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_23 = plugins/vici/libstrongswan-vici.la
+@USE_SMP_TRUE@am__append_24 = plugins/smp
+@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_25 = plugins/smp/libstrongswan-smp.la
+@USE_SQL_TRUE@am__append_26 = plugins/sql
+@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_27 = plugins/sql/libstrongswan-sql.la
+@USE_DNSCERT_TRUE@am__append_28 = plugins/dnscert
+@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_29 = plugins/dnscert/libstrongswan-dnscert.la
+@USE_IPSECKEY_TRUE@am__append_30 = plugins/ipseckey
+@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_31 = plugins/ipseckey/libstrongswan-ipseckey.la
+@USE_UPDOWN_TRUE@am__append_32 = plugins/updown
+@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_33 = plugins/updown/libstrongswan-updown.la
+@USE_EXT_AUTH_TRUE@am__append_34 = plugins/ext_auth
+@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_35 = plugins/ext_auth/libstrongswan-ext-auth.la
+@USE_EAP_IDENTITY_TRUE@am__append_36 = plugins/eap_identity
+@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_37 = plugins/eap_identity/libstrongswan-eap-identity.la
+@USE_EAP_SIM_TRUE@am__append_38 = plugins/eap_sim
+@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_39 = plugins/eap_sim/libstrongswan-eap-sim.la
+@USE_EAP_SIM_FILE_TRUE@am__append_40 = plugins/eap_sim_file
+@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_41 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
+@USE_EAP_SIM_PCSC_TRUE@am__append_42 = plugins/eap_sim_pcsc
+@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_43 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
+@USE_EAP_SIMAKA_SQL_TRUE@am__append_44 = plugins/eap_simaka_sql
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_45 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_46 = plugins/eap_simaka_pseudonym
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_47 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_48 = plugins/eap_simaka_reauth
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_49 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+@USE_EAP_AKA_TRUE@am__append_50 = plugins/eap_aka
+@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_51 = plugins/eap_aka/libstrongswan-eap-aka.la
+@USE_EAP_AKA_3GPP2_TRUE@am__append_52 = plugins/eap_aka_3gpp2
+@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_53 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_54 = $(top_builddir)/src/libsimaka/libsimaka.la
+@USE_EAP_MD5_TRUE@am__append_55 = plugins/eap_md5
+@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_56 = plugins/eap_md5/libstrongswan-eap-md5.la
+@USE_EAP_GTC_TRUE@am__append_57 = plugins/eap_gtc
+@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_58 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+@USE_EAP_MSCHAPV2_TRUE@am__append_59 = plugins/eap_mschapv2
+@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_60 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+@USE_EAP_DYNAMIC_TRUE@am__append_61 = plugins/eap_dynamic
+@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_62 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
+@USE_EAP_RADIUS_TRUE@am__append_63 = plugins/eap_radius
+@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_64 = plugins/eap_radius/libstrongswan-eap-radius.la
+@USE_EAP_TLS_TRUE@am__append_65 = plugins/eap_tls
+@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_66 = plugins/eap_tls/libstrongswan-eap-tls.la
+@USE_EAP_TTLS_TRUE@am__append_67 = plugins/eap_ttls
+@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_68 = plugins/eap_ttls/libstrongswan-eap-ttls.la
+@USE_EAP_PEAP_TRUE@am__append_69 = plugins/eap_peap
+@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_70 = plugins/eap_peap/libstrongswan-eap-peap.la
+@USE_EAP_TNC_TRUE@am__append_71 = plugins/eap_tnc
+@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_72 = plugins/eap_tnc/libstrongswan-eap-tnc.la
+@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_73 = $(top_builddir)/src/libtls/libtls.la
+@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_74 = $(top_builddir)/src/libradius/libradius.la
+@USE_TNC_IFMAP_TRUE@am__append_75 = plugins/tnc_ifmap
+@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_76 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
+@USE_TNC_PDP_TRUE@am__append_77 = plugins/tnc_pdp
+@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_78 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
+@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_79 = $(top_builddir)/src/libtnccs/libtnccs.la
+@USE_MEDSRV_TRUE@am__append_80 = plugins/medsrv
+@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_81 = plugins/medsrv/libstrongswan-medsrv.la
+@USE_MEDCLI_TRUE@am__append_82 = plugins/medcli
+@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_83 = plugins/medcli/libstrongswan-medcli.la
+@USE_DHCP_TRUE@am__append_84 = plugins/dhcp
+@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_85 = plugins/dhcp/libstrongswan-dhcp.la
+@USE_OSX_ATTR_TRUE@am__append_86 = plugins/osx_attr
+@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_87 = plugins/osx_attr/libstrongswan-osx-attr.la
+@USE_ANDROID_DNS_TRUE@am__append_88 = plugins/android_dns
+@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_89 = plugins/android_dns/libstrongswan-android-dns.la
+@USE_ANDROID_LOG_TRUE@am__append_90 = plugins/android_log
+@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_91 = plugins/android_log/libstrongswan-android-log.la
+@USE_MAEMO_TRUE@am__append_92 = plugins/maemo
+@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_93 = plugins/maemo/libstrongswan-maemo.la
+@USE_HA_TRUE@am__append_94 = plugins/ha
+@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_95 = plugins/ha/libstrongswan-ha.la
+@USE_KERNEL_LIBIPSEC_TRUE@am__append_96 = plugins/kernel_libipsec
+@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_97 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+@USE_KERNEL_WFP_TRUE@am__append_98 = plugins/kernel_wfp
+@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_99 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
+@USE_KERNEL_IPH_TRUE@am__append_100 = plugins/kernel_iph
+@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_101 = plugins/kernel_iph/libstrongswan-kernel-iph.la
+@USE_WHITELIST_TRUE@am__append_102 = plugins/whitelist
+@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_103 = plugins/whitelist/libstrongswan-whitelist.la
+@USE_LOOKIP_TRUE@am__append_104 = plugins/lookip
+@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_105 = plugins/lookip/libstrongswan-lookip.la
+@USE_ERROR_NOTIFY_TRUE@am__append_106 = plugins/error_notify
+@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_107 = plugins/error_notify/libstrongswan-error-notify.la
+@USE_CERTEXPIRE_TRUE@am__append_108 = plugins/certexpire
+@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_109 = plugins/certexpire/libstrongswan-certexpire.la
+@USE_SYSTIME_FIX_TRUE@am__append_110 = plugins/systime_fix
+@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_111 = plugins/systime_fix/libstrongswan-systime-fix.la
+@USE_LED_TRUE@am__append_112 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_113 = plugins/led/libstrongswan-led.la
+@USE_DUPLICHECK_TRUE@am__append_114 = plugins/duplicheck
+@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_115 = plugins/duplicheck/libstrongswan-duplicheck.la
+@USE_COUPLING_TRUE@am__append_116 = plugins/coupling
+@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_117 = plugins/coupling/libstrongswan-coupling.la
+@USE_RADATTR_TRUE@am__append_118 = plugins/radattr
+@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_119 = plugins/radattr/libstrongswan-radattr.la
+@USE_UCI_TRUE@am__append_120 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_121 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_122 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_123 = plugins/addrblock/libstrongswan-addrblock.la
+@USE_UNITY_TRUE@am__append_124 = plugins/unity
+@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_125 = plugins/unity/libstrongswan-unity.la
+@USE_XAUTH_GENERIC_TRUE@am__append_126 = plugins/xauth_generic
+@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_127 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+@USE_XAUTH_EAP_TRUE@am__append_128 = plugins/xauth_eap
+@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_129 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+@USE_XAUTH_PAM_TRUE@am__append_130 = plugins/xauth_pam
+@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_131 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+@USE_XAUTH_NOAUTH_TRUE@am__append_132 = plugins/xauth_noauth
+@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_133 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+@USE_RESOLVE_TRUE@am__append_134 = plugins/resolve
+@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_135 = plugins/resolve/libstrongswan-resolve.la
+@USE_ATTR_TRUE@am__append_136 = plugins/attr
+@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_137 = plugins/attr/libstrongswan-attr.la
+@USE_ATTR_SQL_TRUE@am__append_138 = plugins/attr_sql
+@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_139 = plugins/attr_sql/libstrongswan-attr-sql.la
 subdir = src/libcharon
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -325,12 +334,12 @@ libcharon_la_DEPENDENCIES =  \
 	$(am__append_29) $(am__append_31) $(am__append_33) \
 	$(am__append_35) $(am__append_37) $(am__append_39) \
 	$(am__append_41) $(am__append_43) $(am__append_45) \
-	$(am__append_47) $(am__append_49) $(am__append_50) \
-	$(am__append_52) $(am__append_54) $(am__append_56) \
+	$(am__append_47) $(am__append_49) $(am__append_51) \
+	$(am__append_53) $(am__append_54) $(am__append_56) \
 	$(am__append_58) $(am__append_60) $(am__append_62) \
 	$(am__append_64) $(am__append_66) $(am__append_68) \
-	$(am__append_69) $(am__append_70) $(am__append_72) \
-	$(am__append_74) $(am__append_75) $(am__append_77) \
+	$(am__append_70) $(am__append_72) $(am__append_73) \
+	$(am__append_74) $(am__append_76) $(am__append_78) \
 	$(am__append_79) $(am__append_81) $(am__append_83) \
 	$(am__append_85) $(am__append_87) $(am__append_89) \
 	$(am__append_91) $(am__append_93) $(am__append_95) \
@@ -339,8 +348,14 @@ libcharon_la_DEPENDENCIES =  \
 	$(am__append_109) $(am__append_111) $(am__append_113) \
 	$(am__append_115) $(am__append_117) $(am__append_119) \
 	$(am__append_121) $(am__append_123) $(am__append_125) \
-	$(am__append_127) $(am__append_129) $(am__append_131)
-am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
+	$(am__append_127) $(am__append_129) $(am__append_131) \
+	$(am__append_133) $(am__append_135) $(am__append_137) \
+	$(am__append_139)
+am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
+	attributes/attributes.h attributes/attribute_provider.h \
+	attributes/attribute_handler.h attributes/attribute_manager.c \
+	attributes/attribute_manager.h attributes/mem_pool.c \
+	attributes/mem_pool.h bus/bus.c bus/bus.h \
 	bus/listeners/listener.h bus/listeners/logger.h \
 	bus/listeners/file_logger.c bus/listeners/file_logger.h \
 	config/backend_manager.c config/backend_manager.h \
@@ -421,7 +436,9 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	processing/jobs/roam_job.h processing/jobs/update_sa_job.c \
 	processing/jobs/update_sa_job.h \
 	processing/jobs/inactivity_job.c \
-	processing/jobs/inactivity_job.h sa/eap/eap_method.c \
+	processing/jobs/inactivity_job.h \
+	processing/jobs/initiate_tasks_job.c \
+	processing/jobs/initiate_tasks_job.h sa/eap/eap_method.c \
 	sa/eap/eap_method.h sa/eap/eap_inner_method.h \
 	sa/eap/eap_manager.c sa/eap/eap_manager.h \
 	sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
@@ -429,7 +446,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	sa/authenticator.c sa/authenticator.h sa/child_sa.c \
 	sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
 	sa/ike_sa_id.h sa/keymat.h sa/keymat.c sa/ike_sa_manager.c \
-	sa/ike_sa_manager.h sa/task_manager.h sa/task_manager.c \
+	sa/ike_sa_manager.h sa/child_sa_manager.c \
+	sa/child_sa_manager.h sa/task_manager.h sa/task_manager.c \
 	sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \
 	sa/trap_manager.h sa/task.c sa/task.h sa/ikev2/keymat_v2.c \
 	sa/ikev2/keymat_v2.h sa/ikev2/task_manager_v2.c \
@@ -454,6 +472,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 	sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 	sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
+	sa/ikev2/tasks/ike_reauth_complete.c \
+	sa/ikev2/tasks/ike_reauth_complete.h \
 	sa/ikev2/tasks/ike_auth_lifetime.c \
 	sa/ikev2/tasks/ike_auth_lifetime.h sa/ikev2/tasks/ike_vendor.c \
 	sa/ikev2/tasks/ike_vendor.h sa/ikev1/keymat_v1.c \
@@ -514,6 +534,7 @@ am__dirstamp = $(am__leading_dot)dirstamp
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_mobike.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_rekey.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_reauth.lo \
+@USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_reauth_complete.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_auth_lifetime.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_vendor.lo
 @USE_IKEV1_TRUE@am__objects_2 = sa/ikev1/keymat_v1.lo \
@@ -543,7 +564,9 @@ am__dirstamp = $(am__leading_dot)dirstamp
 @USE_ME_TRUE@	sa/ikev2/connect_manager.lo \
 @USE_ME_TRUE@	sa/ikev2/mediation_manager.lo \
 @USE_ME_TRUE@	sa/ikev2/tasks/ike_me.lo
-am_libcharon_la_OBJECTS = bus/bus.lo bus/listeners/file_logger.lo \
+am_libcharon_la_OBJECTS = attributes/attributes.lo \
+	attributes/attribute_manager.lo attributes/mem_pool.lo \
+	bus/bus.lo bus/listeners/file_logger.lo \
 	config/backend_manager.lo config/child_cfg.lo \
 	config/ike_cfg.lo config/peer_cfg.lo config/proposal.lo \
 	control/controller.lo daemon.lo encoding/generator.lo \
@@ -587,13 +610,14 @@ am_libcharon_la_OBJECTS = bus/bus.lo bus/listeners/file_logger.lo \
 	processing/jobs/send_keepalive_job.lo \
 	processing/jobs/start_action_job.lo \
 	processing/jobs/roam_job.lo processing/jobs/update_sa_job.lo \
-	processing/jobs/inactivity_job.lo sa/eap/eap_method.lo \
+	processing/jobs/inactivity_job.lo \
+	processing/jobs/initiate_tasks_job.lo sa/eap/eap_method.lo \
 	sa/eap/eap_manager.lo sa/xauth/xauth_method.lo \
 	sa/xauth/xauth_manager.lo sa/authenticator.lo sa/child_sa.lo \
 	sa/ike_sa.lo sa/ike_sa_id.lo sa/keymat.lo sa/ike_sa_manager.lo \
-	sa/task_manager.lo sa/shunt_manager.lo sa/trap_manager.lo \
-	sa/task.lo $(am__objects_1) $(am__objects_2) $(am__objects_3) \
-	$(am__objects_4)
+	sa/child_sa_manager.lo sa/task_manager.lo sa/shunt_manager.lo \
+	sa/trap_manager.lo sa/task.lo $(am__objects_1) \
+	$(am__objects_2) $(am__objects_3) $(am__objects_4)
 libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -676,11 +700,11 @@ am__define_uniq_tagged_files = \
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
-	plugins/socket_dynamic plugins/socket_win plugins/farp \
-	plugins/stroke plugins/vici plugins/smp plugins/sql \
-	plugins/dnscert plugins/ipseckey plugins/updown \
-	plugins/ext_auth plugins/eap_identity plugins/eap_sim \
-	plugins/eap_sim_file plugins/eap_sim_pcsc \
+	plugins/socket_dynamic plugins/socket_win plugins/connmark \
+	plugins/forecast plugins/farp plugins/stroke plugins/vici \
+	plugins/smp plugins/sql plugins/dnscert plugins/ipseckey \
+	plugins/updown plugins/ext_auth plugins/eap_identity \
+	plugins/eap_sim plugins/eap_sim_file plugins/eap_sim_pcsc \
 	plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \
 	plugins/eap_simaka_reauth plugins/eap_aka \
 	plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \
@@ -694,8 +718,9 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/error_notify plugins/certexpire plugins/systime_fix \
 	plugins/led plugins/duplicheck plugins/coupling \
 	plugins/radattr plugins/uci plugins/addrblock plugins/unity \
-	plugins/unit_tester plugins/xauth_generic plugins/xauth_eap \
-	plugins/xauth_pam plugins/xauth_noauth
+	plugins/xauth_generic plugins/xauth_eap plugins/xauth_pam \
+	plugins/xauth_noauth plugins/resolve plugins/attr \
+	plugins/attr_sql tests
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -747,6 +772,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -807,10 +833,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -884,6 +912,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -943,16 +973,20 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 ipseclib_LTLIBRARIES = libcharon.la
-libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
-	bus/listeners/logger.h bus/listeners/file_logger.c \
-	bus/listeners/file_logger.h config/backend_manager.c \
-	config/backend_manager.h config/backend.h config/child_cfg.c \
-	config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
-	config/peer_cfg.c config/peer_cfg.h config/proposal.c \
-	config/proposal.h control/controller.c control/controller.h \
-	daemon.c daemon.h encoding/generator.c encoding/generator.h \
-	encoding/message.c encoding/message.h encoding/parser.c \
-	encoding/parser.h encoding/payloads/auth_payload.c \
+libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \
+	attributes/attribute_provider.h attributes/attribute_handler.h \
+	attributes/attribute_manager.c attributes/attribute_manager.h \
+	attributes/mem_pool.c attributes/mem_pool.h bus/bus.c \
+	bus/bus.h bus/listeners/listener.h bus/listeners/logger.h \
+	bus/listeners/file_logger.c bus/listeners/file_logger.h \
+	config/backend_manager.c config/backend_manager.h \
+	config/backend.h config/child_cfg.c config/child_cfg.h \
+	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
+	config/peer_cfg.h config/proposal.c config/proposal.h \
+	control/controller.c control/controller.h daemon.c daemon.h \
+	encoding/generator.c encoding/generator.h encoding/message.c \
+	encoding/message.h encoding/parser.c encoding/parser.h \
+	encoding/payloads/auth_payload.c \
 	encoding/payloads/auth_payload.h \
 	encoding/payloads/cert_payload.c \
 	encoding/payloads/cert_payload.h \
@@ -1023,7 +1057,9 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	processing/jobs/roam_job.h processing/jobs/update_sa_job.c \
 	processing/jobs/update_sa_job.h \
 	processing/jobs/inactivity_job.c \
-	processing/jobs/inactivity_job.h sa/eap/eap_method.c \
+	processing/jobs/inactivity_job.h \
+	processing/jobs/initiate_tasks_job.c \
+	processing/jobs/initiate_tasks_job.h sa/eap/eap_method.c \
 	sa/eap/eap_method.h sa/eap/eap_inner_method.h \
 	sa/eap/eap_manager.c sa/eap/eap_manager.h \
 	sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
@@ -1031,7 +1067,8 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	sa/authenticator.c sa/authenticator.h sa/child_sa.c \
 	sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
 	sa/ike_sa_id.h sa/keymat.h sa/keymat.c sa/ike_sa_manager.c \
-	sa/ike_sa_manager.h sa/task_manager.h sa/task_manager.c \
+	sa/ike_sa_manager.h sa/child_sa_manager.c \
+	sa/child_sa_manager.h sa/task_manager.h sa/task_manager.c \
 	sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \
 	sa/trap_manager.h sa/task.c sa/task.h $(am__append_1) \
 	$(am__append_2) $(am__append_3) $(am__append_5)
@@ -1057,12 +1094,12 @@ libcharon_la_LIBADD =  \
 	$(am__append_33) $(am__append_35) $(am__append_37) \
 	$(am__append_39) $(am__append_41) $(am__append_43) \
 	$(am__append_45) $(am__append_47) $(am__append_49) \
-	$(am__append_50) $(am__append_52) $(am__append_54) \
+	$(am__append_51) $(am__append_53) $(am__append_54) \
 	$(am__append_56) $(am__append_58) $(am__append_60) \
 	$(am__append_62) $(am__append_64) $(am__append_66) \
-	$(am__append_68) $(am__append_69) $(am__append_70) \
-	$(am__append_72) $(am__append_74) $(am__append_75) \
-	$(am__append_77) $(am__append_79) $(am__append_81) \
+	$(am__append_68) $(am__append_70) $(am__append_72) \
+	$(am__append_73) $(am__append_74) $(am__append_76) \
+	$(am__append_78) $(am__append_79) $(am__append_81) \
 	$(am__append_83) $(am__append_85) $(am__append_87) \
 	$(am__append_89) $(am__append_91) $(am__append_93) \
 	$(am__append_95) $(am__append_97) $(am__append_99) \
@@ -1071,7 +1108,8 @@ libcharon_la_LIBADD =  \
 	$(am__append_113) $(am__append_115) $(am__append_117) \
 	$(am__append_119) $(am__append_121) $(am__append_123) \
 	$(am__append_125) $(am__append_127) $(am__append_129) \
-	$(am__append_131)
+	$(am__append_131) $(am__append_133) $(am__append_135) \
+	$(am__append_137) $(am__append_139)
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_6) $(am__append_8) \
 @MONOLITHIC_FALSE@	$(am__append_10) $(am__append_12) \
@@ -1084,13 +1122,13 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_38) $(am__append_40) \
 @MONOLITHIC_FALSE@	$(am__append_42) $(am__append_44) \
 @MONOLITHIC_FALSE@	$(am__append_46) $(am__append_48) \
-@MONOLITHIC_FALSE@	$(am__append_51) $(am__append_53) \
+@MONOLITHIC_FALSE@	$(am__append_50) $(am__append_52) \
 @MONOLITHIC_FALSE@	$(am__append_55) $(am__append_57) \
 @MONOLITHIC_FALSE@	$(am__append_59) $(am__append_61) \
 @MONOLITHIC_FALSE@	$(am__append_63) $(am__append_65) \
-@MONOLITHIC_FALSE@	$(am__append_67) $(am__append_71) \
-@MONOLITHIC_FALSE@	$(am__append_73) $(am__append_76) \
-@MONOLITHIC_FALSE@	$(am__append_78) $(am__append_80) \
+@MONOLITHIC_FALSE@	$(am__append_67) $(am__append_69) \
+@MONOLITHIC_FALSE@	$(am__append_71) $(am__append_75) \
+@MONOLITHIC_FALSE@	$(am__append_77) $(am__append_80) \
 @MONOLITHIC_FALSE@	$(am__append_82) $(am__append_84) \
 @MONOLITHIC_FALSE@	$(am__append_86) $(am__append_88) \
 @MONOLITHIC_FALSE@	$(am__append_90) $(am__append_92) \
@@ -1103,7 +1141,9 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_118) $(am__append_120) \
 @MONOLITHIC_FALSE@	$(am__append_122) $(am__append_124) \
 @MONOLITHIC_FALSE@	$(am__append_126) $(am__append_128) \
-@MONOLITHIC_FALSE@	$(am__append_130)
+@MONOLITHIC_FALSE@	$(am__append_130) $(am__append_132) \
+@MONOLITHIC_FALSE@	$(am__append_134) $(am__append_136) \
+@MONOLITHIC_FALSE@	$(am__append_138) tests
 
 # build optional plugins
 ########################
@@ -1118,13 +1158,13 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_38) $(am__append_40) \
 @MONOLITHIC_TRUE@	$(am__append_42) $(am__append_44) \
 @MONOLITHIC_TRUE@	$(am__append_46) $(am__append_48) \
-@MONOLITHIC_TRUE@	$(am__append_51) $(am__append_53) \
+@MONOLITHIC_TRUE@	$(am__append_50) $(am__append_52) \
 @MONOLITHIC_TRUE@	$(am__append_55) $(am__append_57) \
 @MONOLITHIC_TRUE@	$(am__append_59) $(am__append_61) \
 @MONOLITHIC_TRUE@	$(am__append_63) $(am__append_65) \
-@MONOLITHIC_TRUE@	$(am__append_67) $(am__append_71) \
-@MONOLITHIC_TRUE@	$(am__append_73) $(am__append_76) \
-@MONOLITHIC_TRUE@	$(am__append_78) $(am__append_80) \
+@MONOLITHIC_TRUE@	$(am__append_67) $(am__append_69) \
+@MONOLITHIC_TRUE@	$(am__append_71) $(am__append_75) \
+@MONOLITHIC_TRUE@	$(am__append_77) $(am__append_80) \
 @MONOLITHIC_TRUE@	$(am__append_82) $(am__append_84) \
 @MONOLITHIC_TRUE@	$(am__append_86) $(am__append_88) \
 @MONOLITHIC_TRUE@	$(am__append_90) $(am__append_92) \
@@ -1137,7 +1177,9 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_118) $(am__append_120) \
 @MONOLITHIC_TRUE@	$(am__append_122) $(am__append_124) \
 @MONOLITHIC_TRUE@	$(am__append_126) $(am__append_128) \
-@MONOLITHIC_TRUE@	$(am__append_130)
+@MONOLITHIC_TRUE@	$(am__append_130) $(am__append_132) \
+@MONOLITHIC_TRUE@	$(am__append_134) $(am__append_136) \
+@MONOLITHIC_TRUE@	$(am__append_138) . tests
 all: all-recursive
 
 .SUFFIXES:
@@ -1207,6 +1249,18 @@ clean-ipseclibLTLIBRARIES:
 	  echo rm -f $${locs}; \
 	  rm -f $${locs}; \
 	}
+attributes/$(am__dirstamp):
+	@$(MKDIR_P) attributes
+	@: > attributes/$(am__dirstamp)
+attributes/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) attributes/$(DEPDIR)
+	@: > attributes/$(DEPDIR)/$(am__dirstamp)
+attributes/attributes.lo: attributes/$(am__dirstamp) \
+	attributes/$(DEPDIR)/$(am__dirstamp)
+attributes/attribute_manager.lo: attributes/$(am__dirstamp) \
+	attributes/$(DEPDIR)/$(am__dirstamp)
+attributes/mem_pool.lo: attributes/$(am__dirstamp) \
+	attributes/$(DEPDIR)/$(am__dirstamp)
 bus/$(am__dirstamp):
 	@$(MKDIR_P) bus
 	@: > bus/$(am__dirstamp)
@@ -1389,6 +1443,9 @@ processing/jobs/update_sa_job.lo: processing/jobs/$(am__dirstamp) \
 	processing/jobs/$(DEPDIR)/$(am__dirstamp)
 processing/jobs/inactivity_job.lo: processing/jobs/$(am__dirstamp) \
 	processing/jobs/$(DEPDIR)/$(am__dirstamp)
+processing/jobs/initiate_tasks_job.lo:  \
+	processing/jobs/$(am__dirstamp) \
+	processing/jobs/$(DEPDIR)/$(am__dirstamp)
 sa/eap/$(am__dirstamp):
 	@$(MKDIR_P) sa/eap
 	@: > sa/eap/$(am__dirstamp)
@@ -1421,6 +1478,8 @@ sa/ike_sa.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
 sa/ike_sa_id.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
 sa/keymat.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
 sa/ike_sa_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
+sa/child_sa_manager.lo: sa/$(am__dirstamp) \
+	sa/$(DEPDIR)/$(am__dirstamp)
 sa/task_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
 sa/shunt_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
 sa/trap_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
@@ -1484,6 +1543,8 @@ sa/ikev2/tasks/ike_rekey.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_reauth.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
+sa/ikev2/tasks/ike_reauth_complete.lo: sa/ikev2/tasks/$(am__dirstamp) \
+	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_auth_lifetime.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_vendor.lo: sa/ikev2/tasks/$(am__dirstamp) \
@@ -1574,6 +1635,8 @@ libcharon.la: $(libcharon_la_OBJECTS) $(libcharon_la_DEPENDENCIES) $(EXTRA_libch
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
+	-rm -f attributes/*.$(OBJEXT)
+	-rm -f attributes/*.lo
 	-rm -f bus/*.$(OBJEXT)
 	-rm -f bus/*.lo
 	-rm -f bus/listeners/*.$(OBJEXT)
@@ -1615,6 +1678,9 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/daemon.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/attribute_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/attributes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/mem_pool.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@bus/$(DEPDIR)/bus.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@bus/listeners/$(DEPDIR)/file_logger.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@bus/listeners/$(DEPDIR)/sys_logger.Plo@am__quote@
@@ -1665,6 +1731,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/dpd_timeout_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/inactivity_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/initiate_mediation_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/initiate_tasks_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/mediation_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/migrate_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/process_message_job.Plo@am__quote@
@@ -1679,6 +1746,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/update_sa_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/authenticator.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/child_sa.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/child_sa_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/ike_sa.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/ike_sa_id.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/ike_sa_manager.Plo@am__quote@
@@ -1730,6 +1798,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_mobike.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_natd.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_reauth.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_reauth_complete.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_rekey.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_vendor.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/xauth/$(DEPDIR)/xauth_manager.Plo@am__quote@
@@ -1764,6 +1833,7 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
+	-rm -rf attributes/.libs attributes/_libs
 	-rm -rf bus/.libs bus/_libs
 	-rm -rf bus/listeners/.libs bus/listeners/_libs
 	-rm -rf config/.libs config/_libs
@@ -1971,6 +2041,8 @@ clean-generic:
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-rm -f attributes/$(DEPDIR)/$(am__dirstamp)
+	-rm -f attributes/$(am__dirstamp)
 	-rm -f bus/$(DEPDIR)/$(am__dirstamp)
 	-rm -f bus/$(am__dirstamp)
 	-rm -f bus/listeners/$(DEPDIR)/$(am__dirstamp)
@@ -2017,7 +2089,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
 	mostlyclean-am
 
 distclean: distclean-recursive
-	-rm -rf ./$(DEPDIR) bus/$(DEPDIR) bus/listeners/$(DEPDIR) config/$(DEPDIR) control/$(DEPDIR) encoding/$(DEPDIR) encoding/payloads/$(DEPDIR) kernel/$(DEPDIR) network/$(DEPDIR) processing/jobs/$(DEPDIR) sa/$(DEPDIR) sa/eap/$(DEPDIR) sa/ikev1/$(DEPDIR) sa/ikev1/authenticators/$(DEPDIR) sa/ikev1/tasks/$(DEPDIR) sa/ikev2/$(DEPDIR) sa/ikev2/authenticators/$(DEPDIR) sa/ikev2/tasks/$(DEPDIR) sa/xauth/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) attributes/$(DEPDIR) bus/$(DEPDIR) bus/listeners/$(DEPDIR) config/$(DEPDIR) control/$(DEPDIR) encoding/$(DEPDIR) encoding/payloads/$(DEPDIR) kernel/$(DEPDIR) network/$(DEPDIR) processing/jobs/$(DEPDIR) sa/$(DEPDIR) sa/eap/$(DEPDIR) sa/ikev1/$(DEPDIR) sa/ikev1/authenticators/$(DEPDIR) sa/ikev1/tasks/$(DEPDIR) sa/ikev2/$(DEPDIR) sa/ikev2/authenticators/$(DEPDIR) sa/ikev2/tasks/$(DEPDIR) sa/xauth/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -2063,7 +2135,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
-	-rm -rf ./$(DEPDIR) bus/$(DEPDIR) bus/listeners/$(DEPDIR) config/$(DEPDIR) control/$(DEPDIR) encoding/$(DEPDIR) encoding/payloads/$(DEPDIR) kernel/$(DEPDIR) network/$(DEPDIR) processing/jobs/$(DEPDIR) sa/$(DEPDIR) sa/eap/$(DEPDIR) sa/ikev1/$(DEPDIR) sa/ikev1/authenticators/$(DEPDIR) sa/ikev1/tasks/$(DEPDIR) sa/ikev2/$(DEPDIR) sa/ikev2/authenticators/$(DEPDIR) sa/ikev2/tasks/$(DEPDIR) sa/xauth/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) attributes/$(DEPDIR) bus/$(DEPDIR) bus/listeners/$(DEPDIR) config/$(DEPDIR) control/$(DEPDIR) encoding/$(DEPDIR) encoding/payloads/$(DEPDIR) kernel/$(DEPDIR) network/$(DEPDIR) processing/jobs/$(DEPDIR) sa/$(DEPDIR) sa/eap/$(DEPDIR) sa/ikev1/$(DEPDIR) sa/ikev1/authenticators/$(DEPDIR) sa/ikev1/tasks/$(DEPDIR) sa/ikev2/$(DEPDIR) sa/ikev2/authenticators/$(DEPDIR) sa/ikev2/tasks/$(DEPDIR) sa/xauth/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
diff --git a/src/libhydra/attributes/attribute_handler.h b/src/libcharon/attributes/attribute_handler.h
index bc488f6cb..3c14323a3 100644
--- a/src/libhydra/attributes/attribute_handler.h
+++ b/src/libcharon/attributes/attribute_handler.h
@@ -21,14 +21,14 @@
 #ifndef ATTRIBUTE_HANDLER_H_
 #define ATTRIBUTE_HANDLER_H_
 
+typedef struct attribute_handler_t attribute_handler_t;
+
+#include <sa/ike_sa.h>
 #include <utils/chunk.h>
-#include <utils/identification.h>
 #include <collections/linked_list.h>
 
 #include "attributes.h"
 
-typedef struct attribute_handler_t attribute_handler_t;
-
 /**
  * Interface to handle configuration payload attributes.
  */
@@ -40,12 +40,12 @@ struct attribute_handler_t {
 	 * After receiving a configuration attriubte, it is passed to each
 	 * attribute handler until it is handled.
 	 *
-	 * @param server	server from which the attribute was received
+	 * @param ike_sa	IKE_SA under which attribute is received
 	 * @param type		type of configuration attribute to handle
 	 * @param data		associated attribute data
 	 * @return			TRUE if attribute handled
 	 */
-	bool (*handle)(attribute_handler_t *this, identification_t *server,
+	bool (*handle)(attribute_handler_t *this, ike_sa_t *ike_sa,
 				   configuration_attribute_type_t type, chunk_t data);
 
 	/**
@@ -54,19 +54,23 @@ struct attribute_handler_t {
 	 * A handler that handle()d an attribute gets a call to release() when the
 	 * connection gets closed. Depending on the implementation, this is required
 	 * to remove the attribute.
+	 *
+	 * @param ike_sa	IKE_SA which releases attribute
+	 * @param type		type of configuration attribute to release
+	 * @param data		associated attribute data
 	 */
-	void (*release)(attribute_handler_t *this, identification_t *server,
+	void (*release)(attribute_handler_t *this, ike_sa_t *ike_sa,
 					configuration_attribute_type_t type, chunk_t data);
 
 	/**
 	 * Enumerate attributes to request from a server.
 	 *
-	 * @param server		server identity to request attributes from
+	 * @param ike_sa		IKE_SA to request attributes for
 	 * @param vips			list of virtual IPs (host_t*) we are requesting
 	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
 	 */
 	enumerator_t* (*create_attribute_enumerator)(attribute_handler_t *this,
-								identification_t *server, linked_list_t *vips);
+										ike_sa_t *ike_sa, linked_list_t *vips);
 };
 
 #endif /** ATTRIBUTE_HANDLER_H_ @}*/
diff --git a/src/libhydra/attributes/attribute_manager.c b/src/libcharon/attributes/attribute_manager.c
index 5fda8b426..2ab7ed118 100644
--- a/src/libhydra/attributes/attribute_manager.c
+++ b/src/libcharon/attributes/attribute_manager.c
@@ -53,15 +53,15 @@ struct private_attribute_manager_t {
 typedef struct {
 	/** attribute group pools */
 	linked_list_t *pools;
-	/** server/peer identity */
-	identification_t *id;
+	/** associated IKE_SA */
+	ike_sa_t *ike_sa;
 	/** requesting/assigned virtual IPs */
 	linked_list_t *vips;
 } enum_data_t;
 
 METHOD(attribute_manager_t, acquire_address, host_t*,
 	private_attribute_manager_t *this, linked_list_t *pools,
-	identification_t *id, host_t *requested)
+	ike_sa_t *ike_sa, host_t *requested)
 {
 	enumerator_t *enumerator;
 	attribute_provider_t *current;
@@ -71,7 +71,7 @@ METHOD(attribute_manager_t, acquire_address, host_t*,
 	enumerator = this->providers->create_enumerator(this->providers);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		host = current->acquire_address(current, pools, id, requested);
+		host = current->acquire_address(current, pools, ike_sa, requested);
 		if (host)
 		{
 			break;
@@ -85,7 +85,7 @@ METHOD(attribute_manager_t, acquire_address, host_t*,
 
 METHOD(attribute_manager_t, release_address, bool,
 	private_attribute_manager_t *this, linked_list_t *pools, host_t *address,
-	identification_t *id)
+	ike_sa_t *ike_sa)
 {
 	enumerator_t *enumerator;
 	attribute_provider_t *current;
@@ -95,7 +95,7 @@ METHOD(attribute_manager_t, release_address, bool,
 	enumerator = this->providers->create_enumerator(this->providers);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		if (current->release_address(current, pools, address, id))
+		if (current->release_address(current, pools, address, ike_sa))
 		{
 			found = TRUE;
 			break;
@@ -114,18 +114,18 @@ static enumerator_t *responder_enum_create(attribute_provider_t *provider,
 										   enum_data_t *data)
 {
 	return provider->create_attribute_enumerator(provider, data->pools,
-												 data->id, data->vips);
+												 data->ike_sa, data->vips);
 }
 
 METHOD(attribute_manager_t, create_responder_enumerator, enumerator_t*,
 	private_attribute_manager_t *this, linked_list_t *pools,
-	identification_t *id, linked_list_t *vips)
+	ike_sa_t *ike_sa, linked_list_t *vips)
 {
 	enum_data_t *data;
 
 	INIT(data,
 		.pools = pools,
-		.id = id,
+		.ike_sa = ike_sa,
 		.vips = vips,
 	);
 	this->lock->read_lock(this->lock);
@@ -153,7 +153,7 @@ METHOD(attribute_manager_t, remove_provider, void,
 }
 
 METHOD(attribute_manager_t, handle, attribute_handler_t*,
-	private_attribute_manager_t *this, identification_t *server,
+	private_attribute_manager_t *this, ike_sa_t *ike_sa,
 	attribute_handler_t *handler, configuration_attribute_type_t type,
 	chunk_t data)
 {
@@ -166,7 +166,7 @@ METHOD(attribute_manager_t, handle, attribute_handler_t*,
 	enumerator = this->handlers->create_enumerator(this->handlers);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		if (current == handler && current->handle(current, server, type, data))
+		if (current == handler && current->handle(current, ike_sa, type, data))
 		{
 			handled = current;
 			break;
@@ -178,7 +178,7 @@ METHOD(attribute_manager_t, handle, attribute_handler_t*,
 		enumerator = this->handlers->create_enumerator(this->handlers);
 		while (enumerator->enumerate(enumerator, &current))
 		{
-			if (current->handle(current, server, type, data))
+			if (current->handle(current, ike_sa, type, data))
 			{
 				handled = current;
 				break;
@@ -198,7 +198,7 @@ METHOD(attribute_manager_t, handle, attribute_handler_t*,
 
 METHOD(attribute_manager_t, release, void,
 	private_attribute_manager_t *this, attribute_handler_t *handler,
-	identification_t *server, configuration_attribute_type_t type, chunk_t data)
+	ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data)
 {
 	enumerator_t *enumerator;
 	attribute_handler_t *current;
@@ -209,7 +209,7 @@ METHOD(attribute_manager_t, release, void,
 	{
 		if (current == handler)
 		{
-			current->release(current, server, type, data);
+			current->release(current, ike_sa, type, data);
 			break;
 		}
 	}
@@ -231,8 +231,8 @@ typedef struct {
 	enumerator_t *outer;
 	/** inner enumerator over current handlers attributes */
 	enumerator_t *inner;
-	/** server ID we want attributes for */
-	identification_t *id;
+	/** IKE_SA to request attributes for */
+	ike_sa_t *ike_sa;
 	/** virtual IPs we are requesting along with attriubutes */
 	linked_list_t *vips;
 } initiator_enumerator_t;
@@ -254,7 +254,7 @@ static bool initiator_enumerate(initiator_enumerator_t *this,
 		}
 		DESTROY_IF(this->inner);
 		this->inner = this->handler->create_attribute_enumerator(this->handler,
-														this->id, this->vips);
+													this->ike_sa, this->vips);
 	}
 	/* inject the handler as additional attribute */
 	*handler = this->handler;
@@ -273,7 +273,7 @@ static void initiator_destroy(initiator_enumerator_t *this)
 }
 
 METHOD(attribute_manager_t, create_initiator_enumerator, enumerator_t*,
-	private_attribute_manager_t *this, identification_t *id, linked_list_t *vips)
+	private_attribute_manager_t *this, ike_sa_t *ike_sa, linked_list_t *vips)
 {
 	initiator_enumerator_t *enumerator;
 
@@ -285,7 +285,7 @@ METHOD(attribute_manager_t, create_initiator_enumerator, enumerator_t*,
 			.destroy = (void*)initiator_destroy,
 		},
 		.this = this,
-		.id = id,
+		.ike_sa = ike_sa,
 		.vips = vips,
 		.outer = this->handlers->create_enumerator(this->handlers),
 	);
@@ -345,4 +345,3 @@ attribute_manager_t *attribute_manager_create()
 
 	return &this->public;
 }
-
diff --git a/src/libhydra/attributes/attribute_manager.h b/src/libcharon/attributes/attribute_manager.h
index 99f41772c..6db664968 100644
--- a/src/libhydra/attributes/attribute_manager.h
+++ b/src/libcharon/attributes/attribute_manager.h
@@ -24,6 +24,8 @@
 #include "attribute_provider.h"
 #include "attribute_handler.h"
 
+#include <sa/ike_sa.h>
+
 typedef struct attribute_manager_t attribute_manager_t;
 
 /**
@@ -40,12 +42,12 @@ struct attribute_manager_t {
 	 * Acquire a virtual IP address to assign to a peer.
 	 *
 	 * @param pools			list of pool names (char*) to acquire from
-	 * @param id			peer identity to get address forua
+	 * @param ike_sa		associated IKE_SA for which an address is requested
 	 * @param requested		IP in configuration request
 	 * @return				allocated address, NULL to serve none
 	 */
 	host_t* (*acquire_address)(attribute_manager_t *this,
-							   linked_list_t *pool, identification_t *id,
+							   linked_list_t *pool, ike_sa_t *ike_sa,
 							   host_t *requested);
 
 	/**
@@ -53,23 +55,23 @@ struct attribute_manager_t {
 	 *
 	 * @param pools			list of pool names (char*) to release to
 	 * @param address		address to release
-	 * @param id			peer identity to get address for
+	 * @param ike_sa		associated IKE_SA for which an address is released
 	 * @return				TRUE if address released to pool
 	 */
 	bool (*release_address)(attribute_manager_t *this,
 							linked_list_t *pools, host_t *address,
-							identification_t *id);
+							ike_sa_t *ike_sa);
 
 	/**
 	 * Create an enumerator over attributes to hand out to a peer.
 	 *
 	 * @param pool			list of pools names (char*) to query attributes from
-	 * @param id			peer identity to hand out attributes to
+	 * @param ike_sa		associated IKE_SA for which attributes are requested
 	 * @param vip			list of virtual IPs (host_t*) to assign to peer
 	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
 	 */
 	enumerator_t* (*create_responder_enumerator)(attribute_manager_t *this,
-									linked_list_t *pool, identification_t *id,
+									linked_list_t *pool, ike_sa_t *ike_sa,
 									linked_list_t *vips);
 
 	/**
@@ -90,38 +92,37 @@ struct attribute_manager_t {
 	/**
 	 * Handle a configuration attribute by passing them to the handlers.
 	 *
-	 * @param server		server from which the attribute was received
+	 * @param ike_sa		associated IKE_SA to handle an attribute for
 	 * @param handler		handler we requested the attribute for, if any
 	 * @param type			type of configuration attribute
 	 * @param data			associated attribute data
 	 * @return				handler which handled this attribute, NULL if none
 	 */
 	attribute_handler_t* (*handle)(attribute_manager_t *this,
-						identification_t *server, attribute_handler_t *handler,
+						ike_sa_t *ike_sa, attribute_handler_t *handler,
 						configuration_attribute_type_t type, chunk_t data);
 
 	/**
 	 * Release an attribute previously handle()d by a handler.
 	 *
-	 * @param handler		handler returned by handle() for this attribute
+	 * @param ike_sa		associated IKE_SA to release an attribute for
 	 * @param server		server from which the attribute was received
 	 * @param type			type of attribute to release
 	 * @param data			associated attribute data
 	 */
 	void (*release)(attribute_manager_t *this, attribute_handler_t *handler,
-						identification_t *server,
-						configuration_attribute_type_t type,
+						ike_sa_t *ike_sa, configuration_attribute_type_t type,
 						chunk_t data);
 
 	/**
 	 * Create an enumerator over attributes to request from server.
 	 *
-	 * @param id			server identity to hand out attributes to
+	 * @param ike_sa		associated IKE_SA to request attributes for
 	 * @param vip			list of virtual IPs (host_t*) going to request
 	 * @return				enumerator (attribute_handler_t, ca_type_t, chunk_t)
 	 */
 	enumerator_t* (*create_initiator_enumerator)(attribute_manager_t *this,
-									identification_t *id, linked_list_t *vips);
+									ike_sa_t *ike_sa, linked_list_t *vips);
 
 	/**
 	 * Register an attribute handler to the manager.
diff --git a/src/libhydra/attributes/attribute_provider.h b/src/libcharon/attributes/attribute_provider.h
index adfd4a516..57453c2a0 100644
--- a/src/libhydra/attributes/attribute_provider.h
+++ b/src/libcharon/attributes/attribute_provider.h
@@ -21,8 +21,8 @@
 #ifndef ATTRIBUTE_PROVIDER_H_
 #define ATTRIBUTE_PROVIDER_H_
 
+#include <sa/ike_sa.h>
 #include <networking/host.h>
-#include <utils/identification.h>
 #include <collections/linked_list.h>
 
 typedef struct attribute_provider_t attribute_provider_t;
@@ -36,35 +36,35 @@ struct attribute_provider_t {
 	 * Acquire a virtual IP address to assign to a peer.
 	 *
 	 * @param pools			list of pool names (char*) to acquire from
-	 * @param id			peer ID
+	 * @param ike_sa		associated IKE_SA to assign address over
 	 * @param requested		IP in configuration request
 	 * @return				allocated address, NULL to serve none
 	 */
 	host_t* (*acquire_address)(attribute_provider_t *this,
-							   linked_list_t *pools, identification_t *id,
+							   linked_list_t *pools, ike_sa_t *ike_sa,
 							   host_t *requested);
 	/**
 	 * Release a previously acquired address.
 	 *
 	 * @param pools			list of pool names (char*) to release to
 	 * @param address		address to release
-	 * @param id			peer ID
+	 * @param ike_sa		IKE_SA to release address for
 	 * @return				TRUE if the address has been released by the provider
 	 */
 	bool (*release_address)(attribute_provider_t *this,
 							linked_list_t *pools, host_t *address,
-							identification_t *id);
+							ike_sa_t *ike_sa);
 
 	/**
 	 * Create an enumerator over attributes to hand out to a peer.
 	 *
 	 * @param pool			list of pools names (char*) to query attributes from
-	 * @param id			peer ID
+	 * @param ike_sa		IKE_SA to request attributes for
 	 * @param vip			list of virtual IPs (host_t*) to assign to peer
 	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
 	 */
 	enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this,
-									linked_list_t *pools, identification_t *id,
+									linked_list_t *pools, ike_sa_t *ike_sa,
 									linked_list_t *vips);
 };
 
diff --git a/src/libhydra/attributes/attributes.c b/src/libcharon/attributes/attributes.c
index 9fabcf4e4..9fabcf4e4 100644
--- a/src/libhydra/attributes/attributes.c
+++ b/src/libcharon/attributes/attributes.c
diff --git a/src/libhydra/attributes/attributes.h b/src/libcharon/attributes/attributes.h
index 5d1e9f9ba..5d1e9f9ba 100644
--- a/src/libhydra/attributes/attributes.h
+++ b/src/libcharon/attributes/attributes.h
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libcharon/attributes/mem_pool.c
index cc45e5629..279668249 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libcharon/attributes/mem_pool.c
@@ -47,6 +47,11 @@ struct private_mem_pool_t {
 	host_t *base;
 
 	/**
+	 * whether base is the network id of the subnet on which the pool is based
+	 */
+	bool base_is_network_id;
+
+	/**
 	 * size of the pool
 	 */
 	u_int size;
@@ -65,20 +70,25 @@ struct private_mem_pool_t {
 	 * lock to safely access the pool
 	 */
 	mutex_t *mutex;
-
-	/**
-	 * Do we reassign online leases to the same identity, if requested?
-	 */
-	bool reassign_online;
 };
 
 /**
+ * A unique lease address offset, with a hash of the peer host address
+ */
+typedef struct {
+	/** lease, as offset */
+	u_int offset;
+	/** hash of remote address, to allow duplicates */
+	u_int hash;
+} unique_lease_t;
+
+/**
  * Lease entry.
  */
 typedef struct {
 	/* identitiy reference */
 	identification_t *id;
-	/* array of online leases, as u_int offset */
+	/* array of online leases, as unique_lease_t */
 	array_t *online;
 	/* array of offline leases, as u_int offset */
 	array_t *offline;
@@ -93,13 +103,24 @@ static entry_t* entry_create(identification_t *id)
 
 	INIT(entry,
 		.id = id->clone(id),
-		.online = array_create(sizeof(u_int), 0),
+		.online = array_create(sizeof(unique_lease_t), 0),
 		.offline = array_create(sizeof(u_int), 0),
 	);
 	return entry;
 }
 
 /**
+ * Destroy an entry
+ */
+static void entry_destroy(entry_t *this)
+{
+	this->id->destroy(this->id);
+	array_destroy(this->online);
+	array_destroy(this->offline);
+	free(this);
+}
+
+/**
  * hashtable hash function for identities
  */
 static u_int id_hash(identification_t *id)
@@ -235,12 +256,25 @@ METHOD(mem_pool_t, get_offline, u_int,
 }
 
 /**
+ * Create a unique hash for a remote address
+ */
+static u_int hash_addr(host_t *addr)
+{
+	if (addr)
+	{
+		return chunk_hash_inc(addr->get_address(addr), addr->get_port(addr));
+	}
+	return 0;
+}
+
+/**
  * Get an existing lease for id
  */
 static int get_existing(private_mem_pool_t *this, identification_t *id,
-						host_t *requested)
+						host_t *requested, host_t *peer)
 {
 	enumerator_t *enumerator;
+	unique_lease_t *lease, reassign;
 	u_int *current;
 	entry_t *entry;
 	int offset = 0;
@@ -255,8 +289,9 @@ static int get_existing(private_mem_pool_t *this, identification_t *id,
 	enumerator = array_create_enumerator(entry->offline);
 	if (enumerator->enumerate(enumerator, &current))
 	{
-		offset = *current;
-		array_insert(entry->online, ARRAY_TAIL, current);
+		reassign.offset = offset = *current;
+		reassign.hash = hash_addr(peer);
+		array_insert(entry->online, ARRAY_TAIL, &reassign);
 		array_remove_at(entry->offline, enumerator);
 	}
 	enumerator->destroy(enumerator);
@@ -265,19 +300,20 @@ static int get_existing(private_mem_pool_t *this, identification_t *id,
 		DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id);
 		return offset;
 	}
-	if (!this->reassign_online)
+	if (!peer)
 	{
 		return 0;
 	}
 	/* check for a valid online lease to reassign */
 	enumerator = array_create_enumerator(entry->online);
-	while (enumerator->enumerate(enumerator, &current))
+	while (enumerator->enumerate(enumerator, &lease))
 	{
-		if (*current == host2offset(this, requested))
+		if (lease->offset == host2offset(this, requested) &&
+			lease->hash == hash_addr(peer))
 		{
-			offset = *current;
+			offset = lease->offset;
 			/* add an additional "online" entry */
-			array_insert(entry->online, ARRAY_TAIL, current);
+			array_insert(entry->online, ARRAY_TAIL, lease);
 			break;
 		}
 	}
@@ -292,10 +328,10 @@ static int get_existing(private_mem_pool_t *this, identification_t *id,
 /**
  * Get a new lease for id
  */
-static int get_new(private_mem_pool_t *this, identification_t *id)
+static int get_new(private_mem_pool_t *this, identification_t *id, host_t *peer)
 {
 	entry_t *entry;
-	u_int offset = 0;
+	unique_lease_t lease = {};
 
 	if (this->unused < this->size)
 	{
@@ -306,47 +342,63 @@ static int get_new(private_mem_pool_t *this, identification_t *id)
 			this->leases->put(this->leases, entry->id, entry);
 		}
 		/* assigning offset, starting by 1 */
-		offset = ++this->unused;
-		array_insert(entry->online, ARRAY_TAIL, &offset);
+		lease.offset = ++this->unused + (this->base_is_network_id ? 1 : 0);
+		lease.hash = hash_addr(peer);
+		array_insert(entry->online, ARRAY_TAIL, &lease);
 		DBG1(DBG_CFG, "assigning new lease to '%Y'", id);
 	}
-	return offset;
+	return lease.offset;
 }
 
 /**
  * Get a reassigned lease for id in case the pool is full
  */
-static int get_reassigned(private_mem_pool_t *this, identification_t *id)
+static int get_reassigned(private_mem_pool_t *this, identification_t *id,
+						  host_t *peer)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
-	u_int current, offset = 0;
+	u_int current;
+	unique_lease_t lease = {};
 
 	enumerator = this->leases->create_enumerator(this->leases);
 	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
 		if (array_remove(entry->offline, ARRAY_HEAD, &current))
 		{
-			offset = current;
-			DBG1(DBG_CFG, "reassigning existing offline lease by '%Y'"
-				 " to '%Y'", entry->id, id);
+			lease.offset = current;
+			DBG1(DBG_CFG, "reassigning existing offline lease by '%Y' "
+				 "to '%Y'", entry->id, id);
+		}
+		if (!array_count(entry->online) && !array_count(entry->offline))
+		{
+			this->leases->remove_at(this->leases, enumerator);
+			entry_destroy(entry);
+		}
+		if (lease.offset)
+		{
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
 
-	if (offset)
+	if (lease.offset)
 	{
-		entry = entry_create(id);
-		array_insert(entry->online, ARRAY_TAIL, &offset);
-		this->leases->put(this->leases, entry->id, entry);
+		entry = this->leases->get(this->leases, id);
+		if (!entry)
+		{
+			entry = entry_create(id);
+			this->leases->put(this->leases, entry->id, entry);
+		}
+		lease.hash = hash_addr(peer);
+		array_insert(entry->online, ARRAY_TAIL, &lease);
 	}
-	return offset;
+	return lease.offset;
 }
 
 METHOD(mem_pool_t, acquire_address, host_t*,
 	private_mem_pool_t *this, identification_t *id, host_t *requested,
-	mem_pool_op_t operation)
+	mem_pool_op_t operation, host_t *peer)
 {
 	int offset = 0;
 
@@ -367,13 +419,13 @@ METHOD(mem_pool_t, acquire_address, host_t*,
 	switch (operation)
 	{
 		case MEM_POOL_EXISTING:
-			offset = get_existing(this, id, requested);
+			offset = get_existing(this, id, requested, peer);
 			break;
 		case MEM_POOL_NEW:
-			offset = get_new(this, id);
+			offset = get_new(this, id, peer);
 			break;
 		case MEM_POOL_REASSIGN:
-			offset = get_reassigned(this, id);
+			offset = get_reassigned(this, id, peer);
 			if (!offset)
 			{
 				DBG1(DBG_CFG, "pool '%s' is full, unable to assign address",
@@ -398,7 +450,8 @@ METHOD(mem_pool_t, release_address, bool,
 	enumerator_t *enumerator;
 	bool found = FALSE, more = FALSE;
 	entry_t *entry;
-	u_int offset, *current;
+	u_int offset;
+	unique_lease_t *current;
 
 	if (this->size != 0)
 	{
@@ -411,7 +464,7 @@ METHOD(mem_pool_t, release_address, bool,
 			enumerator = array_create_enumerator(entry->online);
 			while (enumerator->enumerate(enumerator, &current))
 			{
-				if (*current == offset)
+				if (current->offset == offset)
 				{
 					if (!found)
 					{	/* remove the first entry only */
@@ -463,6 +516,7 @@ METHOD(enumerator_t, lease_enumerate, bool,
 	lease_enumerator_t *this, identification_t **id, host_t **addr, bool *online)
 {
 	u_int *offset;
+	unique_lease_t *lease;
 
 	DESTROY_IF(this->addr);
 	this->addr = NULL;
@@ -471,10 +525,10 @@ METHOD(enumerator_t, lease_enumerate, bool,
 	{
 		if (this->entry)
 		{
-			if (this->online->enumerate(this->online, &offset))
+			if (this->online->enumerate(this->online, &lease))
 			{
 				*id = this->entry->id;
-				*addr = this->addr = offset2host(this->pool, *offset);
+				*addr = this->addr = offset2host(this->pool, lease->offset);
 				*online = TRUE;
 				return TRUE;
 			}
@@ -535,10 +589,7 @@ METHOD(mem_pool_t, destroy, void,
 	enumerator = this->leases->create_enumerator(this->leases);
 	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
-		entry->id->destroy(entry->id);
-		array_destroy(entry->online);
-		array_destroy(entry->offline);
-		free(entry);
+		entry_destroy(entry);
 	}
 	enumerator->destroy(enumerator);
 
@@ -572,26 +623,45 @@ static private_mem_pool_t *create_generic(char *name)
 		.leases = hashtable_create((hashtable_hash_t)id_hash,
 								   (hashtable_equals_t)id_equals, 16),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-		.reassign_online = lib->settings->get_bool(lib->settings,
-								"%s.mem-pool.reassign_online", FALSE, lib->ns),
 	);
 
 	return this;
 }
 
 /**
+ * Check if the given host is the network ID of a subnet, that is, if hostbits
+ * are zero.  Since we limit pools to 2^31 addresses we only have to check the
+ * last 4 bytes.
+ */
+static u_int network_id_diff(host_t *host, int hostbits)
+{
+	u_int32_t last;
+	chunk_t addr;
+
+	if (!hostbits)
+	{
+		return 0;
+	}
+	addr = host->get_address(host);
+	last = untoh32(addr.ptr + addr.len - sizeof(last));
+	hostbits = sizeof(last) * 8 - hostbits;
+	return (last << hostbits) >> hostbits;
+}
+
+/**
  * Described in header
  */
 mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
 {
 	private_mem_pool_t *this;
+	u_int diff;
 	int addr_bits;
 
 	this = create_generic(name);
 	if (base)
 	{
 		addr_bits = base->get_family(base) == AF_INET ? 32 : 128;
-		bits = max(0, min(bits, base->get_family(base) == AF_INET ? 32 : 128));
+		bits = max(0, min(bits, addr_bits));
 		/* net bits -> host bits */
 		bits = addr_bits - bits;
 		if (bits > POOL_LIMIT)
@@ -601,15 +671,31 @@ mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
 				 base, addr_bits - bits);
 		}
 		this->size = 1 << bits;
+		this->base = base->clone(base);
 
 		if (this->size > 2)
-		{	/* do not use first and last addresses of a block */
-			this->unused++;
-			this->size -= 2;
+		{
+			/* if base is the network id we later skip the first address,
+			 * otherwise adjust the size to represent the actual number
+			 * of assignable addresses */
+			diff = network_id_diff(base, bits);
+			if (!diff)
+			{
+				this->base_is_network_id = TRUE;
+				this->size--;
+			}
+			else
+			{
+				this->size -= diff;
+			}
+			/* skip the last address (broadcast) of the subnet */
+			this->size--;
+		}
+		else if (network_id_diff(base, bits))
+		{	/* only serve the second address of the subnet */
+			this->size--;
 		}
-		this->base = base->clone(base);
 	}
-
 	return &this->public;
 }
 
diff --git a/src/libhydra/attributes/mem_pool.h b/src/libcharon/attributes/mem_pool.h
index 7347bb547..3ee1dd37d 100644
--- a/src/libhydra/attributes/mem_pool.h
+++ b/src/libcharon/attributes/mem_pool.h
@@ -87,13 +87,21 @@ struct mem_pool_t {
 	 * acquire a new lease (MEM_POOL_NEW), and if the pool is full once again
 	 * to assign an existing offline lease (MEM_POOL_REASSIGN).
 	 *
+	 * If the same identity requests a virtual IP that is already assigned to
+	 * it, the peer address and port is used to check if it is the same client
+	 * instance that is connecting. If this is true, the request is considered
+	 * a request for a reauthentication attempt, and the same virtual IP gets
+	 * assigned to the peer.
+	 *
 	 * @param id		the id to acquire an address for
 	 * @param requested	acquire this address, if possible
 	 * @param operation	acquire operation to perform, see above
+	 * @param peer		optional remote IKE address and port
 	 * @return			the acquired address
 	 */
 	host_t* (*acquire_address)(mem_pool_t *this, identification_t *id,
-							   host_t *requested, mem_pool_op_t operation);
+							   host_t *requested, mem_pool_op_t operation,
+							   host_t *peer);
 
 	/**
 	 * Release a previously acquired address.
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index cb59f976b..7938f46cc 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -755,6 +755,33 @@ METHOD(bus_t, ike_rekey, void,
 	this->mutex->unlock(this->mutex);
 }
 
+METHOD(bus_t, ike_update, void,
+	private_bus_t *this, ike_sa_t *ike_sa, bool local, host_t *new)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->ike_update)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->ike_update(entry->listener, ike_sa, local, new);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
 METHOD(bus_t, ike_reestablish_pre, void,
 	private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
 {
@@ -1006,6 +1033,7 @@ bus_t *bus_create()
 			.child_keys = _child_keys,
 			.ike_updown = _ike_updown,
 			.ike_rekey = _ike_rekey,
+			.ike_update = _ike_update,
 			.ike_reestablish_pre = _ike_reestablish_pre,
 			.ike_reestablish_post = _ike_reestablish_post,
 			.child_updown = _child_updown,
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index e1d221ca5..051c429f9 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -382,6 +382,15 @@ struct bus_t {
 	void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
 
 	/**
+	 * IKE_SA peer endpoint update hook.
+	 *
+	 * @param ike_sa	updated IKE_SA, having old endpoints set
+	 * @param local		TRUE if local endpoint gets updated, FALSE for remote
+	 * @param new		new endpoint address and port
+	 */
+	void (*ike_update)(bus_t *this, ike_sa_t *ike_sa, bool local, host_t *new);
+
+	/**
 	 * IKE_SA reestablishing hook (before resolving hosts).
 	 *
 	 * @param old		reestablished and obsolete IKE_SA
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
index 0910cb361..3447d8f99 100644
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
@@ -128,6 +128,17 @@ struct listener_t {
 	bool (*ike_rekey)(listener_t *this, ike_sa_t *old, ike_sa_t *new);
 
 	/**
+	 * Hook called for IKE_SA peer endpoint updates.
+	 *
+	 * @param ike_sa	updated IKE_SA, having old endpoints set
+	 * @param local		TRUE if local endpoint gets updated, FALSE for remote
+	 * @param new		new endpoint address and port
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*ike_update)(listener_t *this, ike_sa_t *ike_sa,
+					   bool local, host_t *new);
+
+	/**
 	 * Hook called when an initiator reestablishes an IKE_SA.
 	 *
 	 * This is invoked right after creating the new IKE_SA and setting the
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index 42a3e9057..9464ceb5d 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -459,25 +459,10 @@ static traffic_selector_t* make_range(char *str)
 {
 	traffic_selector_t *ts;
 	ts_type_t type;
-	char *pos;
 	host_t *from, *to;
 
-	pos = strchr(str, '-');
-	if (!pos)
-	{
-		return NULL;
-	}
-	to = host_create_from_string(pos + 1, 0);
-	if (!to)
-	{
-		return NULL;
-	}
-	str = strndup(str, pos - str);
-	from = host_create_from_string_and_family(str, to->get_family(to), 0);
-	free(str);
-	if (!from)
+	if (!host_create_from_range(str, &from, &to))
 	{
-		to->destroy(to);
 		return NULL;
 	}
 	if (to->get_family(to) == AF_INET)
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 50d3c6f66..e59dcd9ec 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -399,10 +399,12 @@ static const struct {
 	pseudo_random_function_t prf;
 } integ_prf_map[] = {
 	{AUTH_HMAC_SHA1_96,					PRF_HMAC_SHA1					},
+	{AUTH_HMAC_SHA1_160,				PRF_HMAC_SHA1					},
 	{AUTH_HMAC_SHA2_256_128,			PRF_HMAC_SHA2_256				},
 	{AUTH_HMAC_SHA2_384_192,			PRF_HMAC_SHA2_384				},
 	{AUTH_HMAC_SHA2_512_256,			PRF_HMAC_SHA2_512				},
 	{AUTH_HMAC_MD5_96,					PRF_HMAC_MD5					},
+	{AUTH_HMAC_MD5_128,					PRF_HMAC_MD5					},
 	{AUTH_AES_XCBC_96,					PRF_AES128_XCBC					},
 	{AUTH_CAMELLIA_XCBC_96,				PRF_CAMELLIA128_XCBC			},
 	{AUTH_AES_CMAC_96,					PRF_AES128_CMAC					},
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
index 25667e532..fd8349e2f 100644
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@@ -303,6 +303,18 @@ METHOD(listener_t, child_state_change, bool,
 						/* proper delete */
 						this->status = SUCCESS;
 						break;
+					case CHILD_RETRYING:
+						/* retrying with a different DH group; survive another
+						 * initiation round */
+						this->status = NEED_MORE;
+						return TRUE;
+					case CHILD_CREATED:
+						if (this->status == NEED_MORE)
+						{
+							this->status = FAILED;
+							return TRUE;
+						}
+						break;
 					default:
 						break;
 				}
@@ -437,7 +449,7 @@ METHOD(job_t, terminate_ike_execute, job_requeue_t,
 	ike_sa_t *ike_sa;
 
 	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													unique_id, FALSE);
+													unique_id);
 	if (!ike_sa)
 	{
 		DBG1(DBG_IKE, "unable to terminate IKE_SA: ID %d not found", unique_id);
@@ -522,17 +534,15 @@ METHOD(job_t, terminate_child_execute, job_requeue_t,
 	interface_job_t *job)
 {
 	interface_listener_t *listener = &job->listener;
-	u_int32_t reqid = listener->id;
-	enumerator_t *enumerator;
+	u_int32_t id = listener->id;
 	child_sa_t *child_sa;
 	ike_sa_t *ike_sa;
 
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													reqid, TRUE);
+	ike_sa = charon->child_sa_manager->checkout_by_id(charon->child_sa_manager,
+													  id, &child_sa);
 	if (!ike_sa)
 	{
-		DBG1(DBG_IKE, "unable to terminate, CHILD_SA with ID %d not found",
-			 reqid);
+		DBG1(DBG_IKE, "unable to terminate, CHILD_SA with ID %d not found", id);
 		listener->status = NOT_FOUND;
 		/* release listener */
 		listener_done(listener);
@@ -542,22 +552,10 @@ METHOD(job_t, terminate_child_execute, job_requeue_t,
 	listener->ike_sa = ike_sa;
 	listener->lock->unlock(listener->lock);
 
-	enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
-	while (enumerator->enumerate(enumerator, (void**)&child_sa))
-	{
-		if (child_sa->get_state(child_sa) != CHILD_ROUTED &&
-			child_sa->get_reqid(child_sa) == reqid)
-		{
-			break;
-		}
-		child_sa = NULL;
-	}
-	enumerator->destroy(enumerator);
-
-	if (!child_sa)
+	if (child_sa->get_state(child_sa) == CHILD_ROUTED)
 	{
 		DBG1(DBG_IKE, "unable to terminate, established "
-			 "CHILD_SA with ID %d not found", reqid);
+			 "CHILD_SA with ID %d not found", id);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 		listener->status = NOT_FOUND;
 		/* release listener */
@@ -584,7 +582,7 @@ METHOD(job_t, terminate_child_execute, job_requeue_t,
 }
 
 METHOD(controller_t, terminate_child, status_t,
-	controller_t *this, u_int32_t reqid,
+	controller_t *this, u_int32_t unique_id,
 	controller_cb_t callback, void *param, u_int timeout)
 {
 	interface_job_t *job;
@@ -605,7 +603,7 @@ METHOD(controller_t, terminate_child, status_t,
 				.param = param,
 			},
 			.status = FAILED,
-			.id = reqid,
+			.id = unique_id,
 			.lock = spinlock_create(),
 		},
 		.public = {
diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
index 222285cde..02f4ebb2b 100644
--- a/src/libcharon/control/controller.h
+++ b/src/libcharon/control/controller.h
@@ -118,7 +118,7 @@ struct controller_t {
 	 * If a callback is provided the function is synchronous and thus blocks
 	 * until the CHILD_SA is properly deleted, or the call timed out.
 	 *
-	 * @param reqid			reqid of the CHILD_SA to terminate
+	 * @param unique_id		CHILD_SA unique ID to terminate
 	 * @param cb			logging callback
 	 * @param param			parameter to include in each call of cb
 	 * @param timeout		timeout in ms to wait for callbacks, 0 to disable
@@ -128,7 +128,7 @@ struct controller_t {
 	 *						- NEED_MORE, if callback returned FALSE
 	 *						- OUT_OF_RES if timed out
 	 */
-	status_t (*terminate_child)(controller_t *this, u_int32_t reqid,
+	status_t (*terminate_child)(controller_t *this, u_int32_t unique_id,
 								controller_cb_t callback, void *param,
 								u_int timeout);
 
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 3ae7c4e6f..b1b8f57f0 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -474,12 +474,15 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->public.connect_manager);
 	DESTROY_IF(this->public.mediation_manager);
 #endif /* ME */
-	/* make sure the cache is clear before unloading plugins */
+	/* make sure the cache and scheduler are clear before unloading plugins */
 	lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
+	lib->scheduler->flush(lib->scheduler);
 	lib->plugins->unload(lib->plugins);
+	DESTROY_IF(this->public.attributes);
 	DESTROY_IF(this->kernel_handler);
 	DESTROY_IF(this->public.traps);
 	DESTROY_IF(this->public.shunts);
+	DESTROY_IF(this->public.child_sa_manager);
 	DESTROY_IF(this->public.ike_sa_manager);
 	DESTROY_IF(this->public.controller);
 	DESTROY_IF(this->public.eap);
@@ -606,6 +609,7 @@ METHOD(daemon_t, initialize, bool,
 	{
 		return FALSE;
 	}
+	this->public.child_sa_manager = child_sa_manager_create();
 
 	/* Queue start_action job */
 	lib->processor->queue_job(lib->processor, (job_t*)start_action_job_create());
@@ -642,6 +646,7 @@ private_daemon_t *daemon_create()
 		.ref = 1,
 	);
 	charon = &this->public;
+	this->public.attributes = attribute_manager_create();
 	this->public.controller = controller_create();
 	this->public.eap = eap_manager_create();
 	this->public.xauth = xauth_manager_create();
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 36242bb04..d16bf1ddb 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -19,6 +19,9 @@
 /**
  * @defgroup libcharon libcharon
  *
+ * @defgroup attributes attributes
+ * @ingroup libcharon
+ *
  * @defgroup bus bus
  * @ingroup libcharon
  *
@@ -152,12 +155,14 @@
 
 typedef struct daemon_t daemon_t;
 
+#include <attributes/attribute_manager.h>
 #include <network/sender.h>
 #include <network/receiver.h>
 #include <network/socket_manager.h>
 #include <control/controller.h>
 #include <bus/bus.h>
 #include <sa/ike_sa_manager.h>
+#include <sa/child_sa_manager.h>
 #include <sa/trap_manager.h>
 #include <sa/shunt_manager.h>
 #include <config/backend_manager.h>
@@ -215,6 +220,11 @@ struct daemon_t {
 	ike_sa_manager_t *ike_sa_manager;
 
 	/**
+	 * A child_sa_manager_t instance.
+	 */
+	child_sa_manager_t *child_sa_manager;
+
+	/**
 	 * Manager for triggering policies, called traps
 	 */
 	trap_manager_t *traps;
@@ -240,6 +250,11 @@ struct daemon_t {
 	receiver_t *receiver;
 
 	/**
+	 * Manager for IKE configuration attributes
+	 */
+	attribute_manager_t *attributes;
+
+	/**
 	 * The signaling bus.
 	 */
 	bus_t *bus;
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index cb6c97f25..0a596ffb0 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -180,6 +180,7 @@ static payload_order_t ike_sa_init_r_order[] = {
  */
 static payload_rule_t ike_auth_i_rules[] = {
 /*	payload type					min	max						encr	suff */
+	{PLV2_FRAGMENT,					0,	1,						TRUE,	TRUE},
 	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{PLV2_EAP,						0,	1,						TRUE,	TRUE},
 	{PLV2_AUTH,						0,	1,						TRUE,	TRUE},
@@ -227,6 +228,7 @@ static payload_order_t ike_auth_i_order[] = {
 	{PLV2_NOTIFY,					NO_ADDITIONAL_ADDRESSES},
 	{PLV2_NOTIFY,					0},
 	{PLV2_VENDOR_ID,				0},
+	{PLV2_FRAGMENT,					0},
 };
 
 /**
@@ -234,6 +236,7 @@ static payload_order_t ike_auth_i_order[] = {
  */
 static payload_rule_t ike_auth_r_rules[] = {
 /*	payload type					min	max						encr	suff */
+	{PLV2_FRAGMENT,					0,	1,						TRUE,	TRUE},
 	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
 	{PLV2_EAP,						0,	1,						TRUE,	TRUE},
 	{PLV2_AUTH,						0,	1,						TRUE,	TRUE},
@@ -270,6 +273,7 @@ static payload_order_t ike_auth_r_order[] = {
 	{PLV2_NOTIFY,					NO_ADDITIONAL_ADDRESSES},
 	{PLV2_NOTIFY,					0},
 	{PLV2_VENDOR_ID,				0},
+	{PLV2_FRAGMENT,					0},
 };
 
 /**
@@ -277,6 +281,7 @@ static payload_order_t ike_auth_r_order[] = {
  */
 static payload_rule_t informational_i_rules[] = {
 /*	payload type					min	max						encr	suff */
+	{PLV2_FRAGMENT,					0,	1,						TRUE,	TRUE},
 	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{PLV2_CONFIGURATION,			0,	1,						TRUE,	FALSE},
 	{PLV2_DELETE,					0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
@@ -295,6 +300,7 @@ static payload_order_t informational_i_order[] = {
 	{PLV2_NOTIFY,					0},
 	{PLV2_DELETE,					0},
 	{PLV2_CONFIGURATION,			0},
+	{PLV2_FRAGMENT,					0},
 };
 
 /**
@@ -302,6 +308,7 @@ static payload_order_t informational_i_order[] = {
  */
 static payload_rule_t informational_r_rules[] = {
 /*	payload type					min	max						encr	suff */
+	{PLV2_FRAGMENT,					0,	1,						TRUE,	TRUE},
 	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{PLV2_CONFIGURATION,			0,	1,						TRUE,	FALSE},
 	{PLV2_DELETE,					0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
@@ -320,6 +327,7 @@ static payload_order_t informational_r_order[] = {
 	{PLV2_NOTIFY,					0},
 	{PLV2_DELETE,					0},
 	{PLV2_CONFIGURATION,			0},
+	{PLV2_FRAGMENT,					0},
 };
 
 /**
@@ -327,6 +335,7 @@ static payload_order_t informational_r_order[] = {
  */
 static payload_rule_t create_child_sa_i_rules[] = {
 /*	payload type					min	max						encr	suff */
+	{PLV2_FRAGMENT,					0,	1,						TRUE,	TRUE},
 	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{PLV2_SECURITY_ASSOCIATION,		1,	1,						TRUE,	FALSE},
 	{PLV2_NONCE,					1,	1,						TRUE,	FALSE},
@@ -353,6 +362,7 @@ static payload_order_t create_child_sa_i_order[] = {
 	{PLV2_TS_INITIATOR,				0},
 	{PLV2_TS_RESPONDER,				0},
 	{PLV2_NOTIFY,					0},
+	{PLV2_FRAGMENT,					0},
 };
 
 /**
@@ -360,6 +370,7 @@ static payload_order_t create_child_sa_i_order[] = {
  */
 static payload_rule_t create_child_sa_r_rules[] = {
 /*	payload type					min	max						encr	suff */
+	{PLV2_FRAGMENT,					0,	1,						TRUE,	TRUE},
 	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
 	{PLV2_SECURITY_ASSOCIATION,		1,	1,						TRUE,	FALSE},
 	{PLV2_NONCE,					1,	1,						TRUE,	FALSE},
@@ -386,6 +397,7 @@ static payload_order_t create_child_sa_r_order[] = {
 	{PLV2_TS_RESPONDER,				0},
 	{PLV2_NOTIFY,					ADDITIONAL_TS_POSSIBLE},
 	{PLV2_NOTIFY,					0},
+	{PLV2_FRAGMENT,					0},
 };
 
 #ifdef ME
@@ -2143,6 +2155,8 @@ METHOD(message_t, parse_header, status_t,
 	}
 	ike_header->destroy(ike_header);
 
+	this->parser->set_major_version(this->parser, this->major_version);
+
 	DBG2(DBG_ENC, "parsed a %N %s header", exchange_type_names,
 		 this->exchange_type, this->major_version == IKEV1_MAJOR_VERSION ?
 		 "message" : (this->is_request ? "request" : "response"));
@@ -2463,7 +2477,7 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
 			was_encrypted = "encrypted fragment payload";
 		}
 
-		if (payload_is_known(type) && !was_encrypted &&
+		if (payload_is_known(type, this->major_version) && !was_encrypted &&
 			!is_connectivity_check(this, payload) &&
 			this->exchange_type != AGGRESSIVE)
 		{
diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c
index d6240fde2..f8340367e 100644
--- a/src/libcharon/encoding/parser.c
+++ b/src/libcharon/encoding/parser.c
@@ -59,6 +59,11 @@ struct private_parser_t {
 	parser_t public;
 
 	/**
+	 * major IKE version
+	 */
+	u_int8_t major_version;
+
+	/**
 	 * Current bit for reading in input data.
 	 */
 	u_int8_t bit_pos;
@@ -369,7 +374,14 @@ METHOD(parser_t, parse_payload, status_t,
 	encoding_rule_t *rule;
 
 	/* create instance of the payload to parse */
-	pld = payload_create(payload_type);
+	if (payload_is_known(payload_type, this->major_version))
+	{
+		pld = payload_create(payload_type);
+	}
+	else
+	{
+		pld = (payload_t*)unknown_payload_create(payload_type);
+	}
 
 	DBG2(DBG_ENC, "parsing %N payload, %d bytes left",
 		 payload_type_names, payload_type, this->input_roof - this->byte_pos);
@@ -629,6 +641,12 @@ METHOD(parser_t, reset_context, void,
 	this->bit_pos = 0;
 }
 
+METHOD(parser_t, set_major_version, void,
+	private_parser_t *this, u_int8_t major_version)
+{
+	this->major_version = major_version;
+}
+
 METHOD(parser_t, destroy, void,
 	private_parser_t *this)
 {
@@ -646,6 +664,7 @@ parser_t *parser_create(chunk_t data)
 		.public = {
 			.parse_payload = _parse_payload,
 			.reset_context = _reset_context,
+			.set_major_version = _set_major_version,
 			.get_remaining_byte_count = _get_remaining_byte_count,
 			.destroy = _destroy,
 		},
diff --git a/src/libcharon/encoding/parser.h b/src/libcharon/encoding/parser.h
index 27c5f03fe..5fd3e86ee 100644
--- a/src/libcharon/encoding/parser.h
+++ b/src/libcharon/encoding/parser.h
@@ -29,7 +29,7 @@ typedef struct parser_t parser_t;
 #include <encoding/payloads/payload.h>
 
 /**
- * A parser_t class to parse IKEv2 payloads.
+ * A parser_t class to parse IKE payloads.
  *
  * A parser is used for parsing one chunk of data. Multiple
  * payloads can be parsed out of the chunk using parse_payload.
@@ -50,7 +50,8 @@ struct parser_t {
 	 * 						- SUCCESSFUL if succeeded,
 	 * 						- PARSE_ERROR if corrupted/invalid data found
 	 */
-	status_t (*parse_payload) (parser_t *this, payload_type_t payload_type, payload_t **payload);
+	status_t (*parse_payload) (parser_t *this, payload_type_t payload_type,
+							   payload_t **payload);
 
 	/**
 	 * Gets the remaining byte count which is not currently parsed.
@@ -63,6 +64,13 @@ struct parser_t {
 	void (*reset_context) (parser_t *this);
 
 	/**
+	 * Set the major IKE version.
+	 *
+	 * @param major_version	the major IKE version
+	 */
+	void (*set_major_version) (parser_t *this, u_int8_t major_version);
+
+	/**
 	 * Destroys a parser_t object.
 	 */
 	void (*destroy) (parser_t *this);
diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c
index c2ab3b951..f11ea485c 100644
--- a/src/libcharon/encoding/payloads/delete_payload.c
+++ b/src/libcharon/encoding/payloads/delete_payload.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
@@ -281,6 +282,19 @@ METHOD(delete_payload_t, set_ike_spi, void,
 	this->payload_length = get_header_length(this) + this->spi_size;
 }
 
+METHOD(delete_payload_t, get_ike_spi, bool,
+	private_delete_payload_t *this, u_int64_t *spi_i, u_int64_t *spi_r)
+{
+	if (this->protocol_id != PROTO_IKE ||
+		this->spis.len < 2 * sizeof(u_int64_t))
+	{
+		return FALSE;
+	}
+	memcpy(spi_i, this->spis.ptr, sizeof(u_int64_t));
+	memcpy(spi_r, this->spis.ptr + sizeof(u_int64_t), sizeof(u_int64_t));
+	return TRUE;
+}
+
 /**
  * SPI enumerator implementation
  */
@@ -352,6 +366,7 @@ delete_payload_t *delete_payload_create(payload_type_t type,
 			.get_protocol_id = _get_protocol_id,
 			.add_spi = _add_spi,
 			.set_ike_spi = _set_ike_spi,
+			.get_ike_spi = _get_ike_spi,
 			.create_spi_enumerator = _create_spi_enumerator,
 			.destroy = _destroy,
 		},
diff --git a/src/libcharon/encoding/payloads/delete_payload.h b/src/libcharon/encoding/payloads/delete_payload.h
index 46a89eab6..6728718cd 100644
--- a/src/libcharon/encoding/payloads/delete_payload.h
+++ b/src/libcharon/encoding/payloads/delete_payload.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -61,6 +62,15 @@ struct delete_payload_t {
 	void (*set_ike_spi)(delete_payload_t *this, u_int64_t spi_i, u_int64_t spi_r);
 
 	/**
+	 * Get the IKE SPIs from an IKEv1 delete.
+	 *
+	 * @param spi_i			initiator SPI
+	 * @param spi_r			responder SPI
+	 * @return				TRUE if SPIs extracted successfully
+	 */
+	bool (*get_ike_spi)(delete_payload_t *this, u_int64_t *spi_i, u_int64_t *spi_r);
+
+	/**
 	 * Get an enumerator over the SPIs in network order.
 	 *
 	 * @return				enumerator over SPIs, u_int32_t
diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c
index 5c574c34d..04372fdf0 100644
--- a/src/libcharon/encoding/payloads/encrypted_payload.c
+++ b/src/libcharon/encoding/payloads/encrypted_payload.c
@@ -561,6 +561,7 @@ static status_t parse(private_encrypted_payload_t *this, chunk_t plain)
 	payload_type_t type;
 
 	parser = parser_create(plain);
+	parser->set_major_version(parser, this->type == PLV1_ENCRYPTED ? 1 : 2);
 	type = this->next_payload;
 	while (type != PL_NONE)
 	{
diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
index a002a8f21..bb8aab748 100644
--- a/src/libcharon/encoding/payloads/id_payload.c
+++ b/src/libcharon/encoding/payloads/id_payload.c
@@ -258,17 +258,20 @@ static traffic_selector_t *get_ts_from_range(private_id_payload_t *this,
 static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
 											  ts_type_t type)
 {
+	traffic_selector_t *ts;
 	chunk_t net, netmask;
 	int i;
 
 	net = chunk_create(this->id_data.ptr, this->id_data.len / 2);
-	netmask = chunk_skip(this->id_data, this->id_data.len / 2);
+	netmask = chunk_clone(chunk_skip(this->id_data, this->id_data.len / 2));
 	for (i = 0; i < net.len; i++)
 	{
 		netmask.ptr[i] = (netmask.ptr[i] ^ 0xFF) | net.ptr[i];
 	}
-	return traffic_selector_create_from_bytes(this->protocol_id, type,
+	ts = traffic_selector_create_from_bytes(this->protocol_id, type,
 								net, this->port, netmask, this->port ?: 65535);
+	chunk_free(&netmask);
+	return ts;
 }
 
 /**
diff --git a/src/libcharon/encoding/payloads/ke_payload.c b/src/libcharon/encoding/payloads/ke_payload.c
index 4f552d6ac..50fd73f90 100644
--- a/src/libcharon/encoding/payloads/ke_payload.c
+++ b/src/libcharon/encoding/payloads/ke_payload.c
@@ -247,9 +247,15 @@ ke_payload_t *ke_payload_create(payload_type_t type)
 ke_payload_t *ke_payload_create_from_diffie_hellman(payload_type_t type,
 													diffie_hellman_t *dh)
 {
-	private_ke_payload_t *this = (private_ke_payload_t*)ke_payload_create(type);
+	private_ke_payload_t *this;
+	chunk_t value;
 
-	dh->get_my_public_value(dh, &this->key_exchange_data);
+	if (!dh->get_my_public_value(dh, &value))
+	{
+		return NULL;
+	}
+	this = (private_ke_payload_t*)ke_payload_create(type);
+	this->key_exchange_data = value;
 	this->dh_group_number = dh->get_dh_group(dh);
 	this->payload_length += this->key_exchange_data.len;
 
diff --git a/src/libcharon/encoding/payloads/ke_payload.h b/src/libcharon/encoding/payloads/ke_payload.h
index dfc6308b4..96c5096a5 100644
--- a/src/libcharon/encoding/payloads/ke_payload.h
+++ b/src/libcharon/encoding/payloads/ke_payload.h
@@ -73,7 +73,7 @@ ke_payload_t *ke_payload_create(payload_type_t type);
  *
  * @param type		PLV2_KEY_EXCHANGE or PLV1_KEY_EXCHANGE
  * @param dh		diffie hellman object containing group and key
- * @return 			ke_payload_t object
+ * @return 			ke_payload_t object, NULL on error
  */
 ke_payload_t *ke_payload_create_from_diffie_hellman(payload_type_t type,
 													diffie_hellman_t *dh);
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index 94723ddd7..f32a1273f 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -65,7 +65,7 @@ ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_
 	"ME_CONNECT_FAILED");
 ENUM_NEXT(notify_type_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_NOTIFY_STATUS");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, SIGNATURE_HASH_ALGORITHMS, MS_NOTIFY_STATUS,
 	"INITIAL_CONTACT",
 	"SET_WINDOW_SIZE",
 	"ADDITIONAL_TS_POSSIBLE",
@@ -112,8 +112,9 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_NOTIFY
 	"ERX_SUPPORTED",
 	"IFOM_CAPABILITY",
 	"SENDER_REQUEST_ID",
-	"FRAGMENTATION_SUPPORTED");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, FRAGMENTATION_SUPPORTED,
+	"FRAGMENTATION_SUPPORTED",
+	"SIGNATURE_HASH_ALGORITHMS");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, SIGNATURE_HASH_ALGORITHMS,
 	"INITIAL_CONTACT");
 ENUM_NEXT(notify_type_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
 	"DPD_R_U_THERE",
@@ -174,7 +175,7 @@ ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_S
 	"ME_CONN_FAIL");
 ENUM_NEXT(notify_type_short_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_STATUS");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, SIGNATURE_HASH_ALGORITHMS, MS_NOTIFY_STATUS,
 	"INIT_CONTACT",
 	"SET_WINSIZE",
 	"ADD_TS_POSS",
@@ -221,8 +222,9 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_
 	"ERX_SUP",
 	"IFOM_CAP",
 	"SENDER_REQ_ID",
-	"FRAG_SUP");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, FRAGMENTATION_SUPPORTED,
+	"FRAG_SUP",
+	"HASH_ALG");
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, SIGNATURE_HASH_ALGORITHMS,
 	"INITIAL_CONTACT");
 ENUM_NEXT(notify_type_short_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
 	"DPD",
@@ -473,6 +475,14 @@ METHOD(payload_t, verify, status_t,
 			}
 			break;
 		}
+		case SIGNATURE_HASH_ALGORITHMS:
+		{
+			if (this->notify_data.len % 2)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		}
 		case AUTH_LIFETIME:
 		{
 			if (this->notify_data.len != 4)
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index 25521c2bb..690757383 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -151,6 +151,8 @@ enum notify_type_t {
 	SENDER_REQUEST_ID = 16429,
 	/* IKEv2 fragmentation supported, RFC 7383 */
 	FRAGMENTATION_SUPPORTED = 16430,
+	/* Signature Hash Algorithms, RFC 7427 */
+	SIGNATURE_HASH_ALGORITHMS = 16431,
 	/* IKEv1 initial contact */
 	INITIAL_CONTACT_IKEV1 = 24578,
 	/* IKEv1 DPD */
diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c
index 600b6dd68..a1cd2f945 100644
--- a/src/libcharon/encoding/payloads/payload.c
+++ b/src/libcharon/encoding/payloads/payload.c
@@ -266,37 +266,51 @@ payload_t *payload_create(payload_type_t type)
 /**
  * See header.
  */
-bool payload_is_known(payload_type_t type)
+bool payload_is_known(payload_type_t type, u_int8_t maj_ver)
 {
-	if (type == PL_HEADER)
+	if (type >= PL_HEADER)
 	{
 		return TRUE;
 	}
-	if (type >= PLV1_SECURITY_ASSOCIATION && type <= PLV1_CONFIGURATION)
+	switch (maj_ver)
 	{
-		return TRUE;
-	}
-	if (type >= PLV1_NAT_D && type <= PLV1_NAT_OA)
-	{
-		return TRUE;
-	}
-	if (type >= PLV2_SECURITY_ASSOCIATION && type <= PLV2_EAP)
-	{
-		return TRUE;
-	}
-	if (type == PLV2_FRAGMENT)
-	{
-		return TRUE;
-	}
+		case 0:
+		case IKEV1_MAJOR_VERSION:
+			if (type >= PLV1_SECURITY_ASSOCIATION && type <= PLV1_CONFIGURATION)
+			{
+				return TRUE;
+			}
+			if (type >= PLV1_NAT_D && type <= PLV1_NAT_OA)
+			{
+				return TRUE;
+			}
+			if (type >= PLV1_NAT_D_DRAFT_00_03 && type <= PLV1_FRAGMENT)
+			{
+				return TRUE;
+			}
+			if (maj_ver)
+			{
+				break;
+			}
+			/* fall-through */
+		case IKEV2_MAJOR_VERSION:
+			if (type >= PLV2_SECURITY_ASSOCIATION && type <= PLV2_EAP)
+			{
+				return TRUE;
+			}
+			if (type == PLV2_FRAGMENT)
+			{
+				return TRUE;
+			}
 #ifdef ME
-	if (type == PLV2_ID_PEER)
-	{
-		return TRUE;
-	}
+			if (type == PLV2_ID_PEER)
+			{
+				return TRUE;
+			}
 #endif
-	if (type >= PLV1_NAT_D_DRAFT_00_03 && type <= PLV1_FRAGMENT)
-	{
-		return TRUE;
+			break;
+		default:
+			break;
 	}
 	return FALSE;
 }
diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h
index 036cd422d..920779bd1 100644
--- a/src/libcharon/encoding/payloads/payload.h
+++ b/src/libcharon/encoding/payloads/payload.h
@@ -405,9 +405,10 @@ payload_t *payload_create(payload_type_t type);
  * Check if a specific payload is implemented, or handled as unknown payload.
  *
  * @param type		type of the payload to check
+ * @param maj_ver	major IKE version (use 0 to skip version check)
  * @return			FALSE if payload type handled as unknown payload
  */
-bool payload_is_known(payload_type_t type);
+bool payload_is_known(payload_type_t type, u_int8_t maj_ver);
 
 /**
  * Get the value field in a payload using encoding rules.
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index 53e8cf3ad..48dcfeb24 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2014 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -224,26 +224,7 @@ typedef enum {
 	/* FreeS/WAN proprietary */
 	IKEV1_ESP_ENCR_SERPENT = 252,
 	IKEV1_ESP_ENCR_TWOFISH = 253,
-} ikev1_esp_encr_transid_t;
-
-/**
- * IKEv1 Transform ID ESP authentication algorithm.
- */
-typedef enum {
-	IKEV1_ESP_AUTH_HMAC_MD5 = 1,
-	IKEV1_ESP_AUTH_HMAC_SHA = 2,
-	IKEV1_ESP_AUTH_DES_MAC = 3,
-	IKEV1_ESP_AUTH_KPDK = 4,
-	IKEV1_ESP_AUTH_HMAC_SHA2_256 = 5,
-	IKEV1_ESP_AUTH_HMAC_SHA2_384 = 6,
-	IKEV1_ESP_AUTH_HMAC_SHA2_512 = 7,
-	IKEV1_ESP_AUTH_HMAC_RIPEMD = 8,
-	IKEV1_ESP_AUTH_AES_XCBC_MAC = 9,
-	IKEV1_ESP_AUTH_SIG_RSA = 10,
-	IKEV1_ESP_AUTH_AES_128_GMAC = 11,
-	IKEV1_ESP_AUTH_AES_192_GMAC = 12,
-	IKEV1_ESP_AUTH_AES_256_GMAC = 13,
-} ikev1_esp_auth_transid_it;
+} ikev1_esp_transid_t;
 
 /**
  * IKEv1 Transform ID AH authentication algorithm.
@@ -264,6 +245,25 @@ typedef enum {
 } ikev1_ah_transid_t;
 
 /**
+ * IKEv1 authentication algorithm.
+ */
+typedef enum {
+	IKEV1_AUTH_HMAC_MD5 = 1,
+	IKEV1_AUTH_HMAC_SHA = 2,
+	IKEV1_AUTH_DES_MAC = 3,
+	IKEV1_AUTH_KPDK = 4,
+	IKEV1_AUTH_HMAC_SHA2_256 = 5,
+	IKEV1_AUTH_HMAC_SHA2_384 = 6,
+	IKEV1_AUTH_HMAC_SHA2_512 = 7,
+	IKEV1_AUTH_HMAC_RIPEMD = 8,
+	IKEV1_AUTH_AES_XCBC_MAC = 9,
+	IKEV1_AUTH_SIG_RSA = 10,
+	IKEV1_AUTH_AES_128_GMAC = 11,
+	IKEV1_AUTH_AES_192_GMAC = 12,
+	IKEV1_AUTH_AES_256_GMAC = 13,
+} ikev1_auth_algo_t;
+
+/**
  * IKEv1 ESP Encapsulation mode.
  */
 typedef enum {
@@ -345,7 +345,7 @@ METHOD(payload_t, verify, status_t,
 	switch (this->protocol_id)
 	{
 		case PROTO_IPCOMP:
-			if (this->spi.len != 2)
+			if (this->spi.len != 2 && this->spi.len != 4)
 			{
 				DBG1(DBG_ENC, "invalid CPI length in IPCOMP proposal");
 				return FAILED;
@@ -536,7 +536,7 @@ METHOD(proposal_substructure_t, get_cpi, bool,
 		{
 			if (cpi)
 			{
-				*cpi = *((u_int16_t*)this->spi.ptr);
+				*cpi = htons(untoh16(this->spi.ptr + this->spi.len - 2));
 			}
 			enumerator->destroy(enumerator);
 			return TRUE;
@@ -620,7 +620,7 @@ static algo_map_t map_prf[] = {
 /**
  * ESP encryption algorithm mapping
  */
-static algo_map_t map_esp_encr[] = {
+static algo_map_t map_esp[] = {
 	{ IKEV1_ESP_ENCR_DES_IV64,				ENCR_DES_IV64 },
 	{ IKEV1_ESP_ENCR_DES,					ENCR_DES },
 	{ IKEV1_ESP_ENCR_3DES,					ENCR_3DES },
@@ -646,23 +646,6 @@ static algo_map_t map_esp_encr[] = {
 };
 
 /**
- * ESP authentication algorithm mapping
- */
-static algo_map_t map_esp_auth[] = {
-	{ IKEV1_ESP_AUTH_HMAC_MD5,			AUTH_HMAC_MD5_96 },
-	{ IKEV1_ESP_AUTH_HMAC_SHA,			AUTH_HMAC_SHA1_96 },
-	{ IKEV1_ESP_AUTH_DES_MAC,			AUTH_DES_MAC },
-	{ IKEV1_ESP_AUTH_KPDK,				AUTH_KPDK_MD5 },
-	{ IKEV1_ESP_AUTH_HMAC_SHA2_256,		AUTH_HMAC_SHA2_256_128 },
-	{ IKEV1_ESP_AUTH_HMAC_SHA2_384,		AUTH_HMAC_SHA2_384_192 },
-	{ IKEV1_ESP_AUTH_HMAC_SHA2_512,		AUTH_HMAC_SHA2_512_256 },
-	{ IKEV1_ESP_AUTH_AES_XCBC_MAC,		AUTH_AES_XCBC_96 },
-	{ IKEV1_ESP_AUTH_AES_128_GMAC,		AUTH_AES_128_GMAC },
-	{ IKEV1_ESP_AUTH_AES_192_GMAC,		AUTH_AES_192_GMAC },
-	{ IKEV1_ESP_AUTH_AES_256_GMAC,		AUTH_AES_256_GMAC },
-};
-
-/**
  * AH authentication algorithm mapping
  */
 static algo_map_t map_ah[] = {
@@ -679,34 +662,30 @@ static algo_map_t map_ah[] = {
 };
 
 /**
- * Get IKEv2 algorithm from IKEv1 identifier
+ * ESP/AH authentication algorithm mapping
  */
-static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value)
+static algo_map_t map_auth[] = {
+	{ IKEV1_AUTH_HMAC_MD5,			AUTH_HMAC_MD5_96 },
+	{ IKEV1_AUTH_HMAC_SHA,			AUTH_HMAC_SHA1_96 },
+	{ IKEV1_AUTH_DES_MAC,			AUTH_DES_MAC },
+	{ IKEV1_AUTH_KPDK,				AUTH_KPDK_MD5 },
+	{ IKEV1_AUTH_HMAC_SHA2_256,		AUTH_HMAC_SHA2_256_128 },
+	{ IKEV1_AUTH_HMAC_SHA2_384,		AUTH_HMAC_SHA2_384_192 },
+	{ IKEV1_AUTH_HMAC_SHA2_512,		AUTH_HMAC_SHA2_512_256 },
+	{ IKEV1_AUTH_AES_XCBC_MAC,		AUTH_AES_XCBC_96 },
+	{ IKEV1_AUTH_AES_128_GMAC,		AUTH_AES_128_GMAC },
+	{ IKEV1_AUTH_AES_192_GMAC,		AUTH_AES_192_GMAC },
+	{ IKEV1_AUTH_AES_256_GMAC,		AUTH_AES_256_GMAC },
+};
+
+/**
+ * Map an IKEv1 to an IKEv2 identifier
+ */
+static u_int16_t ikev2_from_ikev1(algo_map_t *map, int count, u_int16_t def,
+								  u_int16_t value)
 {
-	algo_map_t *map;
-	u_int16_t def;
-	int i, count;
+	int i;
 
-	switch (type)
-	{
-		case ENCRYPTION_ALGORITHM:
-			map = map_encr;
-			count = countof(map_encr);
-			def = ENCR_UNDEFINED;
-			break;
-		case INTEGRITY_ALGORITHM:
-			map = map_integ;
-			count = countof(map_integ);
-			def = AUTH_UNDEFINED;
-			break;
-		case PSEUDO_RANDOM_FUNCTION:
-			map = map_prf;
-			count = countof(map_prf);
-			def = PRF_UNDEFINED;
-			break;
-		default:
-			return 0;
-	}
 	for (i = 0; i < count; i++)
 	{
 		if (map[i].ikev1 == value)
@@ -718,30 +697,12 @@ static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value)
 }
 
 /**
- * Get IKEv1 algorithm from IKEv2 identifier
+ * Map an IKEv2 to an IKEv1 identifier
  */
-static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value)
+static u_int16_t ikev1_from_ikev2(algo_map_t *map, int count, u_int16_t value)
 {
-	algo_map_t *map;
-	int i, count;
+	int i;
 
-	switch (type)
-	{
-		case ENCRYPTION_ALGORITHM:
-			map = map_encr;
-			count = countof(map_encr);
-			break;
-		case INTEGRITY_ALGORITHM:
-			map = map_integ;
-			count = countof(map_integ);
-			break;
-		case PSEUDO_RANDOM_FUNCTION:
-			map = map_prf;
-			count = countof(map_prf);
-			break;
-		default:
-			return 0;
-	}
 	for (i = 0; i < count; i++)
 	{
 		if (map[i].ikev2 == value)
@@ -753,87 +714,96 @@ static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value)
 }
 
 /**
- * Get IKEv2 algorithm from IKEv1 ESP transaction ID
+ * Get IKEv2 algorithm from IKEv1 identifier
  */
-static u_int16_t get_alg_from_ikev1_transid(protocol_id_t proto,
-										transform_type_t type, u_int16_t value)
+static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value)
 {
-	algo_map_t *map;
-	u_int16_t def;
-	int i, count;
-
 	switch (type)
 	{
 		case ENCRYPTION_ALGORITHM:
-			map = map_esp_encr;
-			count = countof(map_esp_encr);
-			def = ENCR_UNDEFINED;
-			break;
+			return ikev2_from_ikev1(map_encr, countof(map_encr),
+									ENCR_UNDEFINED, value);
 		case INTEGRITY_ALGORITHM:
-			if (proto == PROTO_ESP)
-			{
-				map = map_esp_auth;
-				count = countof(map_esp_auth);
-			}
-			else
-			{
-				map = map_ah;
-				count = countof(map_ah);
-			}
-			def = AUTH_UNDEFINED;
-			break;
+			return ikev2_from_ikev1(map_integ, countof(map_integ),
+									AUTH_UNDEFINED, value);
+		case PSEUDO_RANDOM_FUNCTION:
+			return ikev2_from_ikev1(map_prf, countof(map_prf),
+									PRF_UNDEFINED, value);
 		default:
 			return 0;
 	}
-	for (i = 0; i < count; i++)
+}
+
+/**
+ * Get IKEv1 algorithm from IKEv2 identifier
+ */
+static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value)
+{
+	switch (type)
 	{
-		if (map[i].ikev1 == value)
-		{
-			return map[i].ikev2;
-		}
+		case ENCRYPTION_ALGORITHM:
+			return ikev1_from_ikev2(map_encr, countof(map_encr), value);
+		case INTEGRITY_ALGORITHM:
+			return ikev1_from_ikev2(map_integ, countof(map_integ), value);
+		case PSEUDO_RANDOM_FUNCTION:
+			return ikev1_from_ikev2(map_prf, countof(map_prf), value);
+		default:
+			return 0;
 	}
-	return def;
 }
 
 /**
- * Get IKEv1 ESP/AH transaction ID from IKEv2 identifier
+ * Get IKEv2 algorithm from IKEv1 ESP/AH transform ID
  */
-static u_int16_t get_ikev1_transid_from_alg(protocol_id_t proto,
-										transform_type_t type, u_int16_t value)
+static u_int16_t get_alg_from_ikev1_transid(transform_type_t type,
+											u_int16_t value)
 {
-	algo_map_t *map;
-	int i, count;
-
 	switch (type)
 	{
 		case ENCRYPTION_ALGORITHM:
-			map = map_esp_encr;
-			count = countof(map_esp_encr);
-			break;
+			return ikev2_from_ikev1(map_esp, countof(map_esp),
+									ENCR_UNDEFINED, value);
 		case INTEGRITY_ALGORITHM:
-			if (proto == PROTO_ESP)
-			{
-				map = map_esp_auth;
-				count = countof(map_esp_auth);
-			}
-			else
-			{
-				map = map_ah;
-				count = countof(map_ah);
-			}
-			break;
+			return ikev2_from_ikev1(map_ah, countof(map_ah),
+									AUTH_UNDEFINED, value);
 		default:
 			return 0;
 	}
-	for (i = 0; i < count; i++)
+}
+
+/**
+ * Get IKEv1 ESP/AH transform ID from IKEv2 identifier
+ */
+static u_int16_t get_ikev1_transid_from_alg(transform_type_t type,
+											u_int16_t value)
+{
+	switch (type)
 	{
-		if (map[i].ikev2 == value)
-		{
-			return map[i].ikev1;
-		}
+		case ENCRYPTION_ALGORITHM:
+			return ikev1_from_ikev2(map_esp, countof(map_esp), value);
+		case INTEGRITY_ALGORITHM:
+			return ikev1_from_ikev2(map_ah, countof(map_ah), value);
+		default:
+			return 0;
 	}
-	return 0;
 }
+
+/**
+ * Get IKEv1 authentication algorithm from IKEv2 identifier
+ */
+static u_int16_t get_alg_from_ikev1_auth(u_int16_t value)
+{
+	return ikev2_from_ikev1(map_auth, countof(map_auth), AUTH_UNDEFINED, value);
+}
+
+/**
+ * Get IKEv1 authentication algorithm from IKEv2 identifier
+ */
+static u_int16_t get_ikev1_auth_from_alg(u_int16_t value)
+{
+	return ikev1_from_ikev2(map_auth, countof(map_auth), value);
+}
+
 /**
  * Get IKEv1 authentication attribute from auth_method_t
  */
@@ -971,8 +941,7 @@ static void add_to_proposal_v1(proposal_t *proposal,
 				break;
 			case TATTR_PH2_AUTH_ALGORITHM:
 				proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM,
-						get_alg_from_ikev1_transid(proto, INTEGRITY_ALGORITHM,
-												   value), 0);
+										get_alg_from_ikev1_auth(value), 0);
 				break;
 			case TATTR_PH2_GROUP:
 				proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
@@ -989,7 +958,7 @@ static void add_to_proposal_v1(proposal_t *proposal,
 							NO_EXT_SEQ_NUMBERS, 0);
 	if (proto == PROTO_ESP)
 	{
-		encr = get_alg_from_ikev1_transid(proto, ENCRYPTION_ALGORITHM,
+		encr = get_alg_from_ikev1_transid(ENCRYPTION_ALGORITHM,
 									transform->get_transform_id(transform));
 		if (encr)
 		{
@@ -1354,19 +1323,17 @@ static void set_from_proposal_v1(private_proposal_substructure_t *this,
 				ipsec_mode_t mode, encap_t udp, int number)
 {
 	transform_substructure_t *transform = NULL;
-	u_int16_t alg, key_size;
+	u_int16_t alg, transid, key_size;
 	enumerator_t *enumerator;
-	protocol_id_t proto;
 
-	proto = proposal->get_protocol(proposal);
 	enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
 	if (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
-		alg = get_ikev1_transid_from_alg(proto, ENCRYPTION_ALGORITHM, alg);
-		if (alg)
+		transid = get_ikev1_transid_from_alg(ENCRYPTION_ALGORITHM, alg);
+		if (transid)
 		{
 			transform = transform_substructure_create_type(
-									PLV1_TRANSFORM_SUBSTRUCTURE, number, alg);
+								PLV1_TRANSFORM_SUBSTRUCTURE, number, transid);
 			if (key_size)
 			{
 				transform->add_transform_attribute(transform,
@@ -1380,13 +1347,14 @@ static void set_from_proposal_v1(private_proposal_substructure_t *this,
 	enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
 	if (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
-		alg = get_ikev1_transid_from_alg(proto, INTEGRITY_ALGORITHM, alg);
-		if (alg)
+		transid = get_ikev1_transid_from_alg(INTEGRITY_ALGORITHM, alg);
+		alg = get_ikev1_auth_from_alg(alg);
+		if (transid && alg)
 		{
 			if (!transform)
 			{
 				transform = transform_substructure_create_type(
-									PLV1_TRANSFORM_SUBSTRUCTURE, number, alg);
+								PLV1_TRANSFORM_SUBSTRUCTURE, number, transid);
 			}
 			transform->add_transform_attribute(transform,
 				transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
diff --git a/src/libcharon/kernel/kernel_handler.c b/src/libcharon/kernel/kernel_handler.c
index 059124e35..9c0e2602b 100644
--- a/src/libcharon/kernel/kernel_handler.c
+++ b/src/libcharon/kernel/kernel_handler.c
@@ -72,36 +72,39 @@ METHOD(kernel_listener_t, acquire, bool,
 }
 
 METHOD(kernel_listener_t, expire, bool,
-	private_kernel_handler_t *this, u_int32_t reqid, u_int8_t protocol,
-	u_int32_t spi, bool hard)
+	private_kernel_handler_t *this, u_int8_t protocol, u_int32_t spi,
+	host_t *dst, bool hard)
 {
 	protocol_id_t proto = proto_ip2ike(protocol);
 
-	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
-		 hard ? "delete" : "rekey", protocol_id_names, proto, ntohl(spi), reqid);
+	DBG1(DBG_KNL, "creating %s job for CHILD_SA %N/0x%08x/%H",
+		 hard ? "delete" : "rekey", protocol_id_names, proto, ntohl(spi), dst);
 
 	if (hard)
 	{
 		lib->processor->queue_job(lib->processor,
-				(job_t*)delete_child_sa_job_create(reqid, proto, spi, hard));
+				(job_t*)delete_child_sa_job_create(proto, spi, dst, hard));
 	}
 	else
 	{
 		lib->processor->queue_job(lib->processor,
-				(job_t*)rekey_child_sa_job_create(reqid, proto, spi));
+				(job_t*)rekey_child_sa_job_create(proto, spi, dst));
 	}
 	return TRUE;
 }
 
 METHOD(kernel_listener_t, mapping, bool,
-	private_kernel_handler_t *this, u_int32_t reqid, u_int32_t spi,
-	host_t *remote)
+	private_kernel_handler_t *this, u_int8_t protocol, u_int32_t spi,
+	host_t *dst, host_t *remote)
 {
-	DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and reqid {%u} "
-		 "changed, queuing update job", ntohl(spi), reqid);
+	protocol_id_t proto = proto_ip2ike(protocol);
+
+	DBG1(DBG_KNL, "NAT mappings of CHILD_SA %N/0x%08x/%H changed to %#H, "
+		 "queuing update job", protocol_id_names, proto, ntohl(spi), dst,
+		 remote);
 
 	lib->processor->queue_job(lib->processor,
-							  (job_t*)update_sa_job_create(reqid, remote));
+						(job_t*)update_sa_job_create(proto, spi, dst, remote));
 	return TRUE;
 }
 
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index c3b014c3c..0554465b9 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index 50594a452..58cf97b6e 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c
index 526810355..160a145d3 100644
--- a/src/libcharon/plugins/android_dns/android_dns_handler.c
+++ b/src/libcharon/plugins/android_dns/android_dns_handler.c
@@ -128,7 +128,7 @@ static bool set_dns_server(private_android_dns_handler_t *this, int index,
 }
 
 METHOD(attribute_handler_t, handle, bool,
-	private_android_dns_handler_t *this, identification_t *id,
+	private_android_dns_handler_t *this, ike_sa_t *ike_sa,
 	configuration_attribute_type_t type, chunk_t data)
 {
 	switch (type)
@@ -158,7 +158,7 @@ METHOD(attribute_handler_t, handle, bool,
 }
 
 METHOD(attribute_handler_t, release, void,
-	private_android_dns_handler_t *this, identification_t *server,
+	private_android_dns_handler_t *this, ike_sa_t *ike_sa,
 	configuration_attribute_type_t type, chunk_t data)
 {
 	if (type == INTERNAL_IP4_DNS)
@@ -192,7 +192,7 @@ METHOD(enumerator_t, enumerate_dns, bool,
 }
 
 METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
-	private_android_dns_handler_t *this, identification_t *id,
+	private_android_dns_handler_t *this, ike_sa_t *ike_sa,
 	linked_list_t *vips)
 {
 	enumerator_t *enumerator;
@@ -232,4 +232,3 @@ android_dns_handler_t *android_dns_handler_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/android_dns/android_dns_plugin.c b/src/libcharon/plugins/android_dns/android_dns_plugin.c
index b8eb11b57..9b6ec0dba 100644
--- a/src/libcharon/plugins/android_dns/android_dns_plugin.c
+++ b/src/libcharon/plugins/android_dns/android_dns_plugin.c
@@ -16,7 +16,6 @@
 #include "android_dns_plugin.h"
 #include "android_dns_handler.h"
 
-#include <hydra.h>
 #include <daemon.h>
 
 typedef struct private_android_dns_plugin_t private_android_dns_plugin_t;
@@ -51,13 +50,13 @@ static bool plugin_cb(private_android_dns_plugin_t *this,
 {
 	if (reg)
 	{
-		hydra->attributes->add_handler(hydra->attributes,
-									   &this->handler->handler);
+		charon->attributes->add_handler(charon->attributes,
+										&this->handler->handler);
 	}
 	else
 	{
-		hydra->attributes->remove_handler(hydra->attributes,
-										  &this->handler->handler);
+		charon->attributes->remove_handler(charon->attributes,
+										   &this->handler->handler);
 	}
 	return TRUE;
 }
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 700a4219c..8ce92e577 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libhydra/plugins/attr/Makefile.am b/src/libcharon/plugins/attr/Makefile.am
index 5b899b80c..6bc7e77d8 100644
--- a/src/libhydra/plugins/attr/Makefile.am
+++ b/src/libcharon/plugins/attr/Makefile.am
@@ -1,6 +1,7 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libcharon/plugins/attr/Makefile.in
index 50ea066c5..486b3c0b0 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libcharon/plugins/attr/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libhydra/plugins/attr
+subdir = src/libcharon/plugins/attr
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -423,7 +428,8 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
@@ -448,9 +454,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/attr/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/attr/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libhydra/plugins/attr/Makefile
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/attr/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
diff --git a/src/libhydra/plugins/attr/attr_plugin.c b/src/libcharon/plugins/attr/attr_plugin.c
index 72fcd6dff..9b15c3cc9 100644
--- a/src/libhydra/plugins/attr/attr_plugin.c
+++ b/src/libcharon/plugins/attr/attr_plugin.c
@@ -16,7 +16,7 @@
 #include "attr_plugin.h"
 #include "attr_provider.h"
 
-#include <hydra.h>
+#include <daemon.h>
 
 typedef struct private_attr_plugin_t private_attr_plugin_t;
 
@@ -50,13 +50,13 @@ static bool plugin_cb(private_attr_plugin_t *this,
 {
 	if (reg)
 	{
-		hydra->attributes->add_provider(hydra->attributes,
-										&this->provider->provider);
+		charon->attributes->add_provider(charon->attributes,
+										 &this->provider->provider);
 	}
 	else
 	{
-		hydra->attributes->remove_provider(hydra->attributes,
-										   &this->provider->provider);
+		charon->attributes->remove_provider(charon->attributes,
+										    &this->provider->provider);
 	}
 	return TRUE;
 }
diff --git a/src/libhydra/plugins/attr/attr_plugin.h b/src/libcharon/plugins/attr/attr_plugin.h
index 29fb33839..0c6eebfa7 100644
--- a/src/libhydra/plugins/attr/attr_plugin.h
+++ b/src/libcharon/plugins/attr/attr_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup attr attr
- * @ingroup hplugins
+ * @ingroup cplugins
  *
  * @defgroup attr_plugin attr_plugin
  * @{ @ingroup attr
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libcharon/plugins/attr/attr_provider.c
index c1788df94..cac0ae4bf 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libcharon/plugins/attr/attr_provider.c
@@ -18,7 +18,7 @@
 
 #include <time.h>
 
-#include <hydra.h>
+#include <daemon.h>
 #include <utils/debug.h>
 #include <collections/linked_list.h>
 #include <threading/rwlock.h>
@@ -78,7 +78,7 @@ static bool attr_enum_filter(void *null, attribute_entry_t **in,
 
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 	private_attr_provider_t *this, linked_list_t *pools,
-	identification_t *id, linked_list_t *vips)
+	ike_sa_t *ike_sa, linked_list_t *vips)
 {
 	if (vips->get_count(vips))
 	{
diff --git a/src/libhydra/plugins/attr/attr_provider.h b/src/libcharon/plugins/attr/attr_provider.h
index 17db30408..17db30408 100644
--- a/src/libhydra/plugins/attr/attr_provider.h
+++ b/src/libcharon/plugins/attr/attr_provider.h
diff --git a/src/libhydra/plugins/attr_sql/Makefile.am b/src/libcharon/plugins/attr_sql/Makefile.am
index 6e7eae5eb..366c902f7 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.am
+++ b/src/libcharon/plugins/attr_sql/Makefile.am
@@ -1,6 +1,7 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
@@ -13,6 +14,6 @@ endif
 
 libstrongswan_attr_sql_la_SOURCES = \
 	attr_sql_plugin.h attr_sql_plugin.c \
-	sql_attribute.h sql_attribute.c
+	attr_sql_provider.h attr_sql_provider.c
 
 libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libcharon/plugins/attr_sql/Makefile.in
index 076e1f8f2..8f1b3c0ff 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libcharon/plugins/attr_sql/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libhydra/plugins/attr_sql
+subdir = src/libcharon/plugins/attr_sql
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -129,7 +129,7 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_attr_sql_la_LIBADD =
 am_libstrongswan_attr_sql_la_OBJECTS = attr_sql_plugin.lo \
-	sql_attribute.lo
+	attr_sql_provider.lo
 libstrongswan_attr_sql_la_OBJECTS =  \
 	$(am_libstrongswan_attr_sql_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -426,7 +431,8 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
@@ -435,7 +441,7 @@ AM_CFLAGS = \
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr-sql.la
 libstrongswan_attr_sql_la_SOURCES = \
 	attr_sql_plugin.h attr_sql_plugin.c \
-	sql_attribute.h sql_attribute.c
+	attr_sql_provider.h attr_sql_provider.c
 
 libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -451,9 +457,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/attr_sql/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/attr_sql/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libhydra/plugins/attr_sql/Makefile
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/attr_sql/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -529,7 +535,7 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_sql_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_attribute.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_sql_provider.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libcharon/plugins/attr_sql/attr_sql_plugin.c
index dde90051a..908877514 100644
--- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
+++ b/src/libcharon/plugins/attr_sql/attr_sql_plugin.c
@@ -14,12 +14,12 @@
  * for more details.
  */
 
-#include <hydra.h>
+#include <daemon.h>
 #include <utils/debug.h>
 #include <plugins/plugin_feature.h>
 
 #include "attr_sql_plugin.h"
-#include "sql_attribute.h"
+#include "attr_sql_provider.h"
 
 typedef struct private_attr_sql_plugin_t private_attr_sql_plugin_t;
 
@@ -41,7 +41,7 @@ struct private_attr_sql_plugin_t {
 	/**
 	 * configuration attributes
 	 */
-	sql_attribute_t *attribute;
+	attr_sql_provider_t *attribute;
 };
 
 METHOD(plugin_t, get_name, char*,
@@ -74,14 +74,14 @@ static bool open_database(private_attr_sql_plugin_t *this,
 			DBG1(DBG_CFG, "attr-sql plugin failed to connect to database");
 			return FALSE;
 		}
-		this->attribute = sql_attribute_create(this->db);
-		hydra->attributes->add_provider(hydra->attributes,
-										&this->attribute->provider);
+		this->attribute = attr_sql_provider_create(this->db);
+		charon->attributes->add_provider(charon->attributes,
+										 &this->attribute->provider);
 	}
 	else
 	{
-		hydra->attributes->remove_provider(hydra->attributes,
-										   &this->attribute->provider);
+		charon->attributes->remove_provider(charon->attributes,
+											&this->attribute->provider);
 		this->attribute->destroy(this->attribute);
 		this->db->destroy(this->db);
 	}
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.h b/src/libcharon/plugins/attr_sql/attr_sql_plugin.h
index ba85a6b28..b6b04ccc0 100644
--- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.h
+++ b/src/libcharon/plugins/attr_sql/attr_sql_plugin.h
@@ -15,9 +15,9 @@
 
 /**
  * @defgroup attr_sql attr_sql
- * @ingroup hplugins
+ * @ingroup cplugins
  *
- * @defgroup sql_plugin sql_plugin
+ * @defgroup attr_sql_plugin attr_sql_plugin
  * @{ @ingroup attr_sql
  */
 
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.c b/src/libcharon/plugins/attr_sql/attr_sql_provider.c
index d527c3fba..c2410705d 100644
--- a/src/libhydra/plugins/attr_sql/sql_attribute.c
+++ b/src/libcharon/plugins/attr_sql/attr_sql_provider.c
@@ -18,19 +18,19 @@
 #include <utils/debug.h>
 #include <library.h>
 
-#include "sql_attribute.h"
+#include "attr_sql_provider.h"
 
-typedef struct private_sql_attribute_t private_sql_attribute_t;
+typedef struct private_attr_sql_provider_t private_attr_sql_provider_t;
 
 /**
- * private data of sql_attribute
+ * private data of attr_sql_provider
  */
-struct private_sql_attribute_t {
+struct private_attr_sql_provider_t {
 
 	/**
 	 * public functions
 	 */
-	sql_attribute_t public;
+	attr_sql_provider_t public;
 
 	/**
 	 * database connection
@@ -46,11 +46,14 @@ struct private_sql_attribute_t {
 /**
  * lookup/insert an identity
  */
-static u_int get_identity(private_sql_attribute_t *this, identification_t *id)
+static u_int get_identity(private_attr_sql_provider_t *this, ike_sa_t *ike_sa)
 {
+	identification_t *id;
 	enumerator_t *e;
 	u_int row;
 
+	id = ike_sa->get_other_eap_id(ike_sa);
+
 	this->db->transaction(this->db, TRUE);
 	/* look for peer identity in the identities table */
 	e = this->db->query(this->db,
@@ -79,7 +82,7 @@ static u_int get_identity(private_sql_attribute_t *this, identification_t *id)
 /**
  * Lookup an attribute pool by name
  */
-static u_int get_attr_pool(private_sql_attribute_t *this, char *name)
+static u_int get_attr_pool(private_attr_sql_provider_t *this, char *name)
 {
 	enumerator_t *e;
 	u_int row = 0;
@@ -99,7 +102,7 @@ static u_int get_attr_pool(private_sql_attribute_t *this, char *name)
 /**
  * Lookup pool by name and address family
  */
-static u_int get_pool(private_sql_attribute_t *this, char *name, int family,
+static u_int get_pool(private_attr_sql_provider_t *this, char *name, int family,
 					  u_int *timeout)
 {
 	enumerator_t *e;
@@ -125,7 +128,7 @@ static u_int get_pool(private_sql_attribute_t *this, char *name, int family,
 /**
  * Look up an existing lease
  */
-static host_t* check_lease(private_sql_attribute_t *this, char *name,
+static host_t* check_lease(private_attr_sql_provider_t *this, char *name,
 						   u_int pool, u_int identity)
 {
 	while (TRUE)
@@ -171,7 +174,7 @@ static host_t* check_lease(private_sql_attribute_t *this, char *name,
  * address as a candidate, but double check later on if it is still available
  * during the update operation. This allows us to work without locking.
  */
-static host_t* get_lease(private_sql_attribute_t *this, char *name,
+static host_t* get_lease(private_attr_sql_provider_t *this, char *name,
 						 u_int pool, u_int timeout, u_int identity)
 {
 	while (TRUE)
@@ -243,7 +246,7 @@ static host_t* get_lease(private_sql_attribute_t *this, char *name,
 }
 
 METHOD(attribute_provider_t, acquire_address, host_t*,
-	private_sql_attribute_t *this, linked_list_t *pools, identification_t *id,
+	private_attr_sql_provider_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
 	host_t *requested)
 {
 	enumerator_t *enumerator;
@@ -252,7 +255,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 	char *name;
 	int family;
 
-	identity = get_identity(this, id);
+	identity = get_identity(this, ike_sa);
 	if (identity)
 	{
 		family = requested->get_family(requested);
@@ -295,8 +298,8 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 }
 
 METHOD(attribute_provider_t, release_address, bool,
-	private_sql_attribute_t *this, linked_list_t *pools, host_t *address,
-	identification_t *id)
+	private_attr_sql_provider_t *this, linked_list_t *pools, host_t *address,
+	ike_sa_t *ike_sa)
 {
 	enumerator_t *enumerator;
 	u_int pool, timeout;
@@ -338,7 +341,7 @@ METHOD(attribute_provider_t, release_address, bool,
 }
 
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
-	private_sql_attribute_t *this, linked_list_t *pools, identification_t *id,
+	private_attr_sql_provider_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
 	linked_list_t *vips)
 {
 	enumerator_t *attr_enumerator = NULL;
@@ -350,9 +353,9 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 		char *name;
 
 		/* in a first step check for attributes that match name and id */
-		if (id)
+		if (ike_sa)
 		{
-			u_int identity = get_identity(this, id);
+			u_int identity = get_identity(this, ike_sa);
 
 			pool_enumerator = pools->create_enumerator(pools);
 			while (pool_enumerator->enumerate(pool_enumerator, &name))
@@ -432,8 +435,8 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 	return (attr_enumerator ? attr_enumerator : enumerator_create_empty());
 }
 
-METHOD(sql_attribute_t, destroy, void,
-	private_sql_attribute_t *this)
+METHOD(attr_sql_provider_t, destroy, void,
+	private_attr_sql_provider_t *this)
 {
 	free(this);
 }
@@ -441,9 +444,9 @@ METHOD(sql_attribute_t, destroy, void,
 /*
  * see header file
  */
-sql_attribute_t *sql_attribute_create(database_t *db)
+attr_sql_provider_t *attr_sql_provider_create(database_t *db)
 {
-	private_sql_attribute_t *this;
+	private_attr_sql_provider_t *this;
 	time_t now = time(NULL);
 
 	INIT(this,
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.h b/src/libcharon/plugins/attr_sql/attr_sql_provider.h
index ca87eb27e..a9b037bf5 100644
--- a/src/libhydra/plugins/attr_sql/sql_attribute.h
+++ b/src/libcharon/plugins/attr_sql/attr_sql_provider.h
@@ -14,22 +14,22 @@
  */
 
 /**
- * @defgroup sql_attribute sql_attribute
+ * @defgroup attr_sql_provider attr_sql_provider
  * @{ @ingroup attr_sql
  */
 
-#ifndef SQL_ATTRIBUTE_H_
-#define SQL_ATTRIBUTE_H_
+#ifndef ATTR_SQL_PROVIDER_H_
+#define ATTR_SQL_PROVIDER_H_
 
 #include <attributes/attribute_provider.h>
 #include <database/database.h>
 
-typedef struct sql_attribute_t sql_attribute_t;
+typedef struct attr_sql_provider_t attr_sql_provider_t;
 
 /**
  * SQL database based IKEv2 cfg attribute provider.
  */
-struct sql_attribute_t {
+struct attr_sql_provider_t {
 
 	/**
 	 * Implements attribute provider interface
@@ -37,14 +37,14 @@ struct sql_attribute_t {
 	attribute_provider_t provider;
 
 	/**
-	 * Destroy a sql_attribute instance.
+	 * Destroy a attr_sql_provider instance.
 	 */
-	void (*destroy)(sql_attribute_t *this);
+	void (*destroy)(attr_sql_provider_t *this);
 };
 
 /**
- * Create a sql_attribute instance.
+ * Create a attr_sql_provider instance.
  */
-sql_attribute_t *sql_attribute_create(database_t *db);
+attr_sql_provider_t *attr_sql_provider_create(database_t *db);
 
-#endif /** SQL_ATTRIBUTE_H_ @}*/
+#endif /** ATTR_SQL_PROVIDER_H_ @}*/
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index 08101d51d..f946d73c1 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/connmark/Makefile.am b/src/libcharon/plugins/connmark/Makefile.am
new file mode 100644
index 000000000..cc4d0ec8d
--- /dev/null
+++ b/src/libcharon/plugins/connmark/Makefile.am
@@ -0,0 +1,20 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS) $(libiptc_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-connmark.la
+else
+plugin_LTLIBRARIES = libstrongswan-connmark.la
+endif
+
+libstrongswan_connmark_la_SOURCES = \
+	connmark_listener.h connmark_listener.c \
+	connmark_plugin.h connmark_plugin.c
+
+libstrongswan_connmark_la_LDFLAGS = -module -avoid-version
+libstrongswan_connmark_la_LIBADD = $(libiptc_LIBS)
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/connmark/Makefile.in
index 1aca319c7..65f53fde9 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/connmark/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libcharon/plugins/unit_tester
+subdir = src/libcharon/plugins/connmark
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -127,25 +127,23 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_unit_tester_la_LIBADD =
-am__dirstamp = $(am__leading_dot)dirstamp
-am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \
-	tests/test_auth_info.lo tests/test_curl.lo tests/test_mysql.lo \
-	tests/test_sqlite.lo tests/test_cert.lo tests/test_med_db.lo \
-	tests/test_pool.lo tests/test_agent.lo
-libstrongswan_unit_tester_la_OBJECTS =  \
-	$(am_libstrongswan_unit_tester_la_OBJECTS)
+am__DEPENDENCIES_1 =
+libstrongswan_connmark_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_connmark_la_OBJECTS = connmark_listener.lo \
+	connmark_plugin.lo
+libstrongswan_connmark_la_OBJECTS =  \
+	$(am_libstrongswan_connmark_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
 am__v_lt_1 = 
-libstrongswan_unit_tester_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+libstrongswan_connmark_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_unit_tester_la_LDFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_connmark_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
-@MONOLITHIC_FALSE@am_libstrongswan_unit_tester_la_rpath = -rpath \
+@MONOLITHIC_FALSE@am_libstrongswan_connmark_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
-@MONOLITHIC_TRUE@am_libstrongswan_unit_tester_la_rpath =
+@MONOLITHIC_TRUE@am_libstrongswan_connmark_la_rpath =
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -180,8 +178,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
+SOURCES = $(libstrongswan_connmark_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_connmark_la_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -232,6 +230,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -292,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -369,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -433,22 +436,16 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	$(PLUGIN_CFLAGS)
-
-@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-unit-tester.la
-@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-unit-tester.la
-libstrongswan_unit_tester_la_SOURCES = \
-	unit_tester.c unit_tester.h tests.h \
-	tests/test_auth_info.c \
-	tests/test_curl.c \
-	tests/test_mysql.c \
-	tests/test_sqlite.c \
-	tests/test_cert.c \
-	tests/test_med_db.c \
-	tests/test_pool.c \
-	tests/test_agent.c
-
-libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
+	$(PLUGIN_CFLAGS) $(libiptc_CFLAGS)
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-connmark.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-connmark.la
+libstrongswan_connmark_la_SOURCES = \
+	connmark_listener.h connmark_listener.c \
+	connmark_plugin.h connmark_plugin.c
+
+libstrongswan_connmark_la_LDFLAGS = -module -avoid-version
+libstrongswan_connmark_la_LIBADD = $(libiptc_LIBS)
 all: all-am
 
 .SUFFIXES:
@@ -462,9 +459,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/unit_tester/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/connmark/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/unit_tester/Makefile
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/connmark/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -529,49 +526,18 @@ clean-pluginLTLIBRARIES:
 	  echo rm -f $${locs}; \
 	  rm -f $${locs}; \
 	}
-tests/$(am__dirstamp):
-	@$(MKDIR_P) tests
-	@: > tests/$(am__dirstamp)
-tests/$(DEPDIR)/$(am__dirstamp):
-	@$(MKDIR_P) tests/$(DEPDIR)
-	@: > tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_auth_info.lo: tests/$(am__dirstamp) \
-	tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_curl.lo: tests/$(am__dirstamp) \
-	tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_mysql.lo: tests/$(am__dirstamp) \
-	tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_sqlite.lo: tests/$(am__dirstamp) \
-	tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_cert.lo: tests/$(am__dirstamp) \
-	tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_med_db.lo: tests/$(am__dirstamp) \
-	tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_pool.lo: tests/$(am__dirstamp) \
-	tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_agent.lo: tests/$(am__dirstamp) \
-	tests/$(DEPDIR)/$(am__dirstamp)
-
-libstrongswan-unit-tester.la: $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_DEPENDENCIES) $(EXTRA_libstrongswan_unit_tester_la_DEPENDENCIES) 
-	$(AM_V_CCLD)$(libstrongswan_unit_tester_la_LINK) $(am_libstrongswan_unit_tester_la_rpath) $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_LIBADD) $(LIBS)
+
+libstrongswan-connmark.la: $(libstrongswan_connmark_la_OBJECTS) $(libstrongswan_connmark_la_DEPENDENCIES) $(EXTRA_libstrongswan_connmark_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_connmark_la_LINK) $(am_libstrongswan_connmark_la_rpath) $(libstrongswan_connmark_la_OBJECTS) $(libstrongswan_connmark_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
-	-rm -f tests/*.$(OBJEXT)
-	-rm -f tests/*.lo
 
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unit_tester.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_agent.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_auth_info.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_cert.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_curl.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_med_db.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_mysql.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_pool.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_sqlite.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connmark_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connmark_plugin.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -602,7 +568,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-	-rm -rf tests/.libs tests/_libs
 
 ID: $(am__tagged_files)
 	$(am__define_uniq_tagged_files); mkid -fID $$unique
@@ -719,8 +684,6 @@ clean-generic:
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-	-rm -f tests/$(DEPDIR)/$(am__dirstamp)
-	-rm -f tests/$(am__dirstamp)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -731,7 +694,7 @@ clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
 	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
-	-rm -rf ./$(DEPDIR) tests/$(DEPDIR)
+	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -777,7 +740,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR) tests/$(DEPDIR)
+	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c
new file mode 100644
index 000000000..23df690e8
--- /dev/null
+++ b/src/libcharon/plugins/connmark/connmark_listener.c
@@ -0,0 +1,538 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "connmark_listener.h"
+
+#include <daemon.h>
+
+#include <errno.h>
+#include <libiptc/libiptc.h>
+#include <linux/netfilter/xt_esp.h>
+#include <linux/netfilter/xt_tcpudp.h>
+#include <linux/netfilter/xt_MARK.h>
+#include <linux/netfilter/xt_policy.h>
+#include <linux/netfilter/xt_CONNMARK.h>
+
+
+typedef struct private_connmark_listener_t private_connmark_listener_t;
+
+/**
+ * Private data of an connmark_listener_t object.
+ */
+struct private_connmark_listener_t {
+
+	/**
+	 * Public connmark_listener_t interface.
+	 */
+	connmark_listener_t public;
+};
+
+/**
+ * Convert an (IPv4) traffic selector to an address and mask
+ */
+static bool ts2in(traffic_selector_t *ts,
+				  struct in_addr *addr, struct in_addr *mask)
+{
+	u_int8_t bits;
+	host_t *net;
+
+	if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE &&
+		ts->to_subnet(ts, &net, &bits))
+	{
+		memcpy(&addr->s_addr, net->get_address(net).ptr, 4);
+		net->destroy(net);
+		mask->s_addr = htonl(0xffffffffU << (32 - bits));
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Convert an (IPv4) host to an address with mask
+ */
+static bool host2in(host_t *host, struct in_addr *addr, struct in_addr *mask)
+{
+	if (host->get_family(host) == AF_INET)
+	{
+		memcpy(&addr->s_addr, host->get_address(host).ptr, 4);
+		mask->s_addr = ~0;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Add or remove a rule to/from the specified chain
+ */
+static bool manage_rule(struct iptc_handle *ipth, const char *chain,
+						bool add, struct ipt_entry *e)
+{
+	if (add)
+	{
+		if (!iptc_insert_entry(chain, e, 0, ipth))
+		{
+			DBG1(DBG_CFG, "appending %s rule failed: %s",
+				 chain, iptc_strerror(errno));
+			return FALSE;
+		}
+	}
+	else
+	{
+		if (!iptc_delete_entry(chain, e, "", ipth))
+		{
+			DBG1(DBG_CFG, "deleting %s rule failed: %s",
+				 chain, iptc_strerror(errno));
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Add rule marking UDP-encapsulated ESP packets to match the correct policy
+ */
+static bool manage_pre_esp_in_udp(private_connmark_listener_t *this,
+								  struct iptc_handle *ipth, bool add,
+								  u_int mark, u_int32_t spi,
+								  host_t *dst, host_t *src)
+{
+	struct {
+		struct ipt_entry e;
+		struct ipt_entry_match m;
+		struct xt_udp udp;
+		struct ipt_entry_target t;
+		struct xt_mark_tginfo2 tm;
+	} ipt = {
+		.e  = {
+			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
+									  sizeof(ipt.udp)),
+			.next_offset = sizeof(ipt),
+			.ip = {
+				.proto = IPPROTO_UDP,
+			},
+		},
+		.m = {
+			.u = {
+				.user = {
+					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)),
+					.name = "udp",
+				},
+			},
+		},
+		.udp = {
+			.spts = { src->get_port(src), src->get_port(src) },
+			.dpts = { dst->get_port(dst), dst->get_port(dst) },
+		},
+		.t = {
+			.u = {
+				.user = {
+					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
+					.name = "MARK",
+					.revision = 2,
+				},
+			},
+		},
+		.tm = {
+			.mark = mark,
+			.mask = ~0,
+		},
+	};
+
+	if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
+		!host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
+	{
+		return FALSE;
+	}
+	return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+}
+
+/**
+ * Add rule marking non-encapsulated ESP packets to match the correct policy
+ */
+static bool manage_pre_esp(private_connmark_listener_t *this,
+						   struct iptc_handle *ipth, bool add,
+						   u_int mark, u_int32_t spi,
+						   host_t *dst, host_t *src)
+{
+	struct {
+		struct ipt_entry e;
+		struct ipt_entry_match m;
+		struct xt_esp esp;
+		struct ipt_entry_target t;
+		struct xt_mark_tginfo2 tm;
+	} ipt = {
+		.e  = {
+			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
+									  sizeof(ipt.esp)),
+			.next_offset = sizeof(ipt),
+			.ip = {
+				.proto = IPPROTO_ESP,
+			},
+		},
+		.m = {
+			.u = {
+				.user = {
+					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)),
+					.name = "esp",
+				},
+			},
+		},
+		.esp = {
+			.spis = { htonl(spi), htonl(spi) },
+		},
+		.t = {
+			.u = {
+				.user = {
+					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
+					.name = "MARK",
+					.revision = 2,
+				},
+			},
+		},
+		.tm = {
+			.mark = mark,
+			.mask = ~0,
+		},
+	};
+
+	if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
+		!host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
+	{
+		return FALSE;
+	}
+	return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+}
+
+/**
+ * Add rule marking ESP packets to match the correct policy
+ */
+static bool manage_pre(private_connmark_listener_t *this,
+					   struct iptc_handle *ipth, bool add,
+					   u_int mark, u_int32_t spi, bool encap,
+					   host_t *dst, host_t *src)
+{
+	if (encap)
+	{
+		return manage_pre_esp_in_udp(this, ipth, add, mark, spi, dst, src);
+	}
+	return manage_pre_esp(this, ipth, add, mark, spi, dst, src);
+}
+
+/**
+ * Add inbound rule applying CONNMARK to matching traffic
+ */
+static bool manage_in(private_connmark_listener_t *this,
+					  struct iptc_handle *ipth, bool add,
+					  u_int mark, u_int32_t spi,
+					  traffic_selector_t *dst, traffic_selector_t *src)
+{
+	struct {
+		struct ipt_entry e;
+		struct ipt_entry_match m;
+		struct xt_policy_info p;
+		struct ipt_entry_target t;
+		struct xt_connmark_tginfo1 cm;
+	} ipt = {
+		.e  = {
+			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
+									  sizeof(ipt.p)),
+			.next_offset = sizeof(ipt),
+		},
+		.m = {
+			.u = {
+				.user = {
+					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.p)),
+					.name = "policy",
+				},
+			},
+		},
+		.p = {
+			.pol = {
+				{
+					.spi = spi,
+					.match.spi = 1,
+				},
+			},
+			.len = 1,
+			.flags = XT_POLICY_MATCH_IN,
+		},
+		.t = {
+			.u = {
+				.user = {
+					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)),
+					.name = "CONNMARK",
+					.revision = 1,
+				},
+			},
+		},
+		.cm = {
+			.ctmark = mark,
+			.ctmask = ~0,
+			.nfmask = ~0,
+			.mode = XT_CONNMARK_SET,
+		},
+	};
+
+	if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
+		!ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
+	{
+		return FALSE;
+	}
+	return manage_rule(ipth, "INPUT", add, &ipt.e);
+}
+
+/**
+ * Add outbund rule restoring CONNMARK on matching traffic
+ */
+static bool manage_out(private_connmark_listener_t *this,
+					   struct iptc_handle *ipth, bool add,
+					   traffic_selector_t *dst, traffic_selector_t *src)
+{
+	struct {
+		struct ipt_entry e;
+		struct ipt_entry_target t;
+		struct xt_connmark_tginfo1 cm;
+	} ipt = {
+		.e  = {
+			.target_offset = XT_ALIGN(sizeof(ipt.e)),
+			.next_offset = sizeof(ipt),
+		},
+		.t = {
+			.u = {
+				.user = {
+					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)),
+					.name = "CONNMARK",
+					.revision = 1,
+				},
+			},
+		},
+		.cm = {
+			.ctmask = ~0,
+			.nfmask = ~0,
+			.mode = XT_CONNMARK_RESTORE,
+		},
+	};
+
+	if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
+		!ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
+	{
+		return FALSE;
+	}
+	return manage_rule(ipth, "OUTPUT", add, &ipt.e);
+}
+
+/**
+ * Initialize iptables handle, log error
+ */
+static struct iptc_handle* init_handle()
+{
+	struct iptc_handle *ipth;
+
+	ipth = iptc_init("mangle");
+	if (ipth)
+	{
+		return ipth;
+	}
+	DBG1(DBG_CFG, "initializing iptables failed: %s", iptc_strerror(errno));
+	return NULL;
+}
+
+/**
+ * Commit iptables rules, log error
+ */
+static bool commit_handle(struct iptc_handle *ipth)
+{
+	if (iptc_commit(ipth))
+	{
+		return TRUE;
+	}
+	DBG1(DBG_CFG, "forecast iptables commit failed: %s", iptc_strerror(errno));
+	return FALSE;
+}
+
+/**
+ * Add/Remove policies for a CHILD_SA using a iptables handle
+ */
+static bool manage_policies(private_connmark_listener_t *this,
+						struct iptc_handle *ipth, host_t *dst, host_t *src,
+						bool encap, child_sa_t *child_sa, bool add)
+{
+	traffic_selector_t *local, *remote;
+	enumerator_t *enumerator;
+	u_int32_t spi;
+	u_int mark;
+	bool done = TRUE;
+
+	spi = child_sa->get_spi(child_sa, TRUE);
+	mark = child_sa->get_mark(child_sa, TRUE).value;
+
+	enumerator = child_sa->create_policy_enumerator(child_sa);
+	while (enumerator->enumerate(enumerator, &local, &remote))
+	{
+		if (!manage_pre(this, ipth, add, mark, spi, encap, dst, src) ||
+			!manage_in(this, ipth, add, mark, spi, local, remote) ||
+			!manage_out(this, ipth, add, remote, local))
+		{
+			done = FALSE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return done;
+}
+
+/**
+ * Check if rules should be installed for given CHILD_SA
+ */
+static bool handle_sa(child_sa_t *child_sa)
+{
+	return child_sa->get_mark(child_sa, TRUE).value &&
+		   child_sa->get_mark(child_sa, FALSE).value &&
+		   child_sa->get_mode(child_sa) == MODE_TRANSPORT &&
+		   child_sa->get_protocol(child_sa) == PROTO_ESP;
+}
+
+METHOD(listener_t, child_updown, bool,
+	private_connmark_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	bool up)
+{
+	struct iptc_handle *ipth;
+	host_t *dst, *src;
+	bool encap;
+
+	dst = ike_sa->get_my_host(ike_sa);
+	src = ike_sa->get_other_host(ike_sa);
+	encap = child_sa->has_encap(child_sa);
+
+	if (handle_sa(child_sa))
+	{
+		ipth = init_handle();
+		if (ipth)
+		{
+			if (manage_policies(this, ipth, dst, src, encap, child_sa, up))
+			{
+				commit_handle(ipth);
+			}
+			iptc_free(ipth);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, child_rekey, bool,
+	private_connmark_listener_t *this, ike_sa_t *ike_sa,
+	child_sa_t *old, child_sa_t *new)
+{
+	struct iptc_handle *ipth;
+	host_t *dst, *src;
+	bool oldencap, newencap;
+
+	dst = ike_sa->get_my_host(ike_sa);
+	src = ike_sa->get_other_host(ike_sa);
+	oldencap = old->has_encap(old);
+	newencap = new->has_encap(new);
+
+	if (handle_sa(old))
+	{
+		ipth = init_handle();
+		if (ipth)
+		{
+			if (manage_policies(this, ipth, dst, src, oldencap, old, FALSE) &&
+				manage_policies(this, ipth, dst, src, newencap, new, TRUE))
+			{
+				commit_handle(ipth);
+			}
+			iptc_free(ipth);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_update, bool,
+	private_connmark_listener_t *this, ike_sa_t *ike_sa,
+	bool local, host_t *new)
+{
+	struct iptc_handle *ipth;
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+	host_t *dst, *src;
+	bool oldencap, newencap;
+
+	if (local)
+	{
+		dst = new;
+		src = ike_sa->get_other_host(ike_sa);
+	}
+	else
+	{
+		dst = ike_sa->get_my_host(ike_sa);
+		src = new;
+	}
+	/* during ike_update(), has_encap() on the CHILD_SA has not yet been
+	 * updated, but shows the old state. */
+	newencap = ike_sa->has_condition(ike_sa, COND_NAT_ANY);
+
+	enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
+	while (enumerator->enumerate(enumerator, &child_sa))
+	{
+		if (handle_sa(child_sa))
+		{
+			oldencap = child_sa->has_encap(child_sa);
+			ipth = init_handle();
+			if (ipth)
+			{
+				if (manage_policies(this, ipth, dst, src, oldencap,
+									child_sa, FALSE) &&
+					manage_policies(this, ipth, dst, src, newencap,
+									child_sa, TRUE))
+				{
+					commit_handle(ipth);
+				}
+				iptc_free(ipth);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return TRUE;
+}
+
+METHOD(connmark_listener_t, destroy, void,
+	private_connmark_listener_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+connmark_listener_t *connmark_listener_create()
+{
+	private_connmark_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.ike_update = _ike_update,
+				.child_updown = _child_updown,
+				.child_rekey = _child_rekey,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/connmark/connmark_listener.h b/src/libcharon/plugins/connmark/connmark_listener.h
new file mode 100644
index 000000000..2d4098fb6
--- /dev/null
+++ b/src/libcharon/plugins/connmark/connmark_listener.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup connmark_listener connmark_listener
+ * @{ @ingroup connmark
+ */
+
+#ifndef CONNMARK_LISTENER_H_
+#define CONNMARK_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct connmark_listener_t connmark_listener_t;
+
+/**
+ * Listener to install Netfilter rules
+ */
+struct connmark_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a connmark_listener_t.
+	 */
+	void (*destroy)(connmark_listener_t *this);
+};
+
+/**
+ * Create a connmark_listener instance.
+ */
+connmark_listener_t *connmark_listener_create();
+
+#endif /** CONNMARK_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/connmark/connmark_plugin.c b/src/libcharon/plugins/connmark/connmark_plugin.c
new file mode 100644
index 000000000..3f276f93e
--- /dev/null
+++ b/src/libcharon/plugins/connmark/connmark_plugin.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "connmark_plugin.h"
+#include "connmark_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_connmark_plugin_t private_connmark_plugin_t;
+
+/**
+ * private data of connmark plugin
+ */
+struct private_connmark_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	connmark_plugin_t public;
+
+	/**
+	 * Listener installing netfilter rules
+	 */
+	connmark_listener_t *listener;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_connmark_plugin_t *this)
+{
+	return "connmark";
+}
+
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_connmark_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_connmark_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "connmark"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_connmark_plugin_t *this)
+{
+	this->listener->destroy(this->listener);
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *connmark_plugin_create()
+{
+	private_connmark_plugin_t *this;
+
+	if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+	{
+		DBG1(DBG_NET, "connmark plugin requires CAP_NET_ADMIN capability");
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+		.listener = connmark_listener_create(),
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/connmark/connmark_plugin.h b/src/libcharon/plugins/connmark/connmark_plugin.h
new file mode 100644
index 000000000..5b4ccebbe
--- /dev/null
+++ b/src/libcharon/plugins/connmark/connmark_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup connmark connmark
+ * @ingroup cplugins
+ *
+ * @defgroup connmark_plugin connmark_plugin
+ * @{ @ingroup connmark
+ */
+
+#ifndef CONNMARK_PLUGIN_H_
+#define CONNMARK_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct connmark_plugin_t connmark_plugin_t;
+
+/**
+ * Plugin using marks to select return path SA based on conntrack.
+ */
+struct connmark_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** CONNMARK_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index 679d2dae6..dff80c37f 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 768c2b32b..1e84f04e2 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c
index c36c60d28..642e28afc 100644
--- a/src/libcharon/plugins/dhcp/dhcp_plugin.c
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c
@@ -18,7 +18,6 @@
 
 #include "dhcp_plugin.h"
 
-#include <hydra.h>
 #include <daemon.h>
 #include <plugins/plugin_feature.h>
 
@@ -69,13 +68,13 @@ static bool plugin_cb(private_dhcp_plugin_t *this,
 			return FALSE;
 		}
 		this->provider = dhcp_provider_create(this->socket);
-		hydra->attributes->add_provider(hydra->attributes,
-										&this->provider->provider);
+		charon->attributes->add_provider(charon->attributes,
+										 &this->provider->provider);
 	}
 	else
 	{
-		hydra->attributes->remove_provider(hydra->attributes,
-										   &this->provider->provider);
+		charon->attributes->remove_provider(charon->attributes,
+											&this->provider->provider);
 		this->provider->destroy(this->provider);
 		this->socket->destroy(this->socket);
 	}
diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c
index f5325b566..f0681b1da 100644
--- a/src/libcharon/plugins/dhcp/dhcp_provider.c
+++ b/src/libcharon/plugins/dhcp/dhcp_provider.c
@@ -66,10 +66,11 @@ static uintptr_t hash_transaction(dhcp_transaction_t *transaction)
 
 METHOD(attribute_provider_t, acquire_address, host_t*,
 	private_dhcp_provider_t *this, linked_list_t *pools,
-	identification_t *id, host_t *requested)
+	ike_sa_t *ike_sa, host_t *requested)
 {
 	dhcp_transaction_t *transaction, *old;
 	enumerator_t *enumerator;
+	identification_t *id;
 	char *pool;
 	host_t *vip = NULL;
 
@@ -77,6 +78,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 	{
 		return NULL;
 	}
+	id = ike_sa->get_other_eap_id(ike_sa);
 	enumerator = pools->create_enumerator(pools);
 	while (enumerator->enumerate(enumerator, &pool))
 	{
@@ -104,10 +106,11 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 
 METHOD(attribute_provider_t, release_address, bool,
 	private_dhcp_provider_t *this, linked_list_t *pools,
-	host_t *address, identification_t *id)
+	host_t *address, ike_sa_t *ike_sa)
 {
 	dhcp_transaction_t *transaction;
 	enumerator_t *enumerator;
+	identification_t *id;
 	bool found = FALSE;
 	char *pool;
 
@@ -115,6 +118,7 @@ METHOD(attribute_provider_t, release_address, bool,
 	{
 		return FALSE;
 	}
+	id = ike_sa->get_other_eap_id(ike_sa);
 	enumerator = pools->create_enumerator(pools);
 	while (enumerator->enumerate(enumerator, &pool))
 	{
@@ -139,11 +143,12 @@ METHOD(attribute_provider_t, release_address, bool,
 }
 
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
-	private_dhcp_provider_t *this, linked_list_t *pools, identification_t *id,
+	private_dhcp_provider_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
 	linked_list_t *vips)
 {
 	dhcp_transaction_t *transaction = NULL;
 	enumerator_t *enumerator;
+	identification_t *id;
 	host_t *vip;
 
 	if (pools->find_first(pools, (linked_list_match_t)streq,
@@ -152,6 +157,7 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 		return NULL;
 	}
 
+	id = ike_sa->get_other_eap_id(ike_sa);
 	this->mutex->lock(this->mutex);
 	enumerator = vips->create_enumerator(vips);
 	while (enumerator->enumerate(enumerator, &vip))
diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in
index 3484e08a3..ed873b316 100644
--- a/src/libcharon/plugins/dnscert/Makefile.in
+++ b/src/libcharon/plugins/dnscert/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index 381d7a119..41862cb2a 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -236,6 +236,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 3b0f8763c..dacddfb87 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 839a379ea..3c26b8511 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index fdbad6234..402c7cadc 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 9675104da..2279b2514 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 0610b5859..30d2c88d1 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 38c9d0b7c..14616c214 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index f5dfd6814..78dfd29e3 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 5ccd58158..2f0d65d6d 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 04cc422f5..47534372b 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index 31c96d229..ac4ecfc86 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -99,7 +99,7 @@ typedef struct {
 	/** IKE_SA identifier this entry is stored under */
 	ike_sa_id_t *id;
 	/** RADIUS accounting session ID */
-	char sid[16];
+	char sid[24];
 	/** number of sent/received octets/packets */
 	struct {
 		u_int64_t sent;
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 1a48c07e5..6a4a0384e 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -26,7 +26,7 @@
 #include <radius_client.h>
 #include <radius_config.h>
 
-#include <hydra.h>
+#include <daemon.h>
 #include <threading/rwlock.h>
 #include <processing/jobs/callback_job.h>
 #include <processing/jobs/delete_ike_sa_job.h>
@@ -149,19 +149,26 @@ static void load_configs(private_eap_radius_plugin_t *this)
 			continue;
 		}
 		nas_identifier = lib->settings->get_str(lib->settings,
-				"%s.plugins.eap-radius.servers.%s.nas_identifier", "strongSwan",
+				"%s.plugins.eap-radius.servers.%s.nas_identifier",
+					lib->settings->get_str(lib->settings,
+						"%s.plugins.eap-radius.nas_identifier", "strongSwan",
+						lib->ns),
 				lib->ns, section);
 		auth_port = lib->settings->get_int(lib->settings,
 			"%s.plugins.eap-radius.servers.%s.auth_port",
 				lib->settings->get_int(lib->settings,
 					"%s.plugins.eap-radius.servers.%s.port",
-					AUTH_PORT, lib->ns, section),
+						lib->settings->get_int(lib->settings,
+							"%s.plugins.eap-radius.port", AUTH_PORT, lib->ns),
+					lib->ns, section),
 			lib->ns, section);
 		acct_port = lib->settings->get_int(lib->settings,
 				"%s.plugins.eap-radius.servers.%s.acct_port", ACCT_PORT,
 				lib->ns, section);
 		sockets = lib->settings->get_int(lib->settings,
-				"%s.plugins.eap-radius.servers.%s.sockets", 1,
+				"%s.plugins.eap-radius.servers.%s.sockets",
+					lib->settings->get_int(lib->settings,
+						"%s.plugins.eap-radius.sockets", 1, lib->ns),
 				lib->ns, section);
 		preference = lib->settings->get_int(lib->settings,
 				"%s.plugins.eap-radius.servers.%s.preference", 0,
@@ -211,13 +218,13 @@ static bool plugin_cb(private_eap_radius_plugin_t *this,
 		{
 			charon->bus->add_listener(charon->bus, &this->forward->listener);
 		}
-		hydra->attributes->add_provider(hydra->attributes,
-										&this->provider->provider);
+		charon->attributes->add_provider(charon->attributes,
+										 &this->provider->provider);
 	}
 	else
 	{
-		hydra->attributes->remove_provider(hydra->attributes,
-										   &this->provider->provider);
+		charon->attributes->remove_provider(charon->attributes,
+											&this->provider->provider);
 		if (this->forward)
 		{
 			charon->bus->remove_listener(charon->bus, &this->forward->listener);
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
index 7c794616b..0cf723711 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
@@ -311,19 +311,13 @@ METHOD(listener_t, ike_rekey, bool,
 
 METHOD(attribute_provider_t, acquire_address, host_t*,
 	private_eap_radius_provider_t *this, linked_list_t *pools,
-	identification_t *id, host_t *requested)
+	ike_sa_t *ike_sa, host_t *requested)
 {
 	enumerator_t *enumerator;
 	host_t *addr = NULL;
-	ike_sa_t *ike_sa;
 	uintptr_t sa;
 	char *name;
 
-	ike_sa = charon->bus->get_sa(charon->bus);
-	if (!ike_sa)
-	{
-		return NULL;
-	}
 	sa = ike_sa->get_unique_id(ike_sa);
 
 	enumerator = pools->create_enumerator(pools);
@@ -348,19 +342,13 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 
 METHOD(attribute_provider_t, release_address, bool,
 	private_eap_radius_provider_t *this, linked_list_t *pools, host_t *address,
-	identification_t *id)
+	ike_sa_t *ike_sa)
 {
 	enumerator_t *enumerator;
 	host_t *found = NULL;
-	ike_sa_t *ike_sa;
 	uintptr_t sa;
 	char *name;
 
-	ike_sa = charon->bus->get_sa(charon->bus);
-	if (!ike_sa)
-	{
-		return FALSE;
-	}
 	sa = ike_sa->get_unique_id(ike_sa);
 
 	enumerator = pools->create_enumerator(pools);
@@ -428,18 +416,12 @@ METHOD(enumerator_t, attribute_destroy, void,
 
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 	private_eap_radius_provider_t *this, linked_list_t *pools,
-	identification_t *id, linked_list_t *vips)
+	ike_sa_t *ike_sa, linked_list_t *vips)
 {
 	attribute_enumerator_t *enumerator;
 	attr_t *attr;
-	ike_sa_t *ike_sa;
 	uintptr_t sa;
 
-	ike_sa = charon->bus->get_sa(charon->bus);
-	if (!ike_sa)
-	{
-		return NULL;
-	}
 	sa = ike_sa->get_unique_id(ike_sa);
 
 	INIT(enumerator,
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 6a00ea74d..251eeeeba 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 7a08f4e0e..bffcbc0df 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index a1ec7adc1..78682ce37 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -232,6 +232,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index bf99ab095..2a6be5fd9 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -232,6 +232,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index ce4602365..de504d4cd 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 0c0b7fd52..de3508a07 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index 25696f524..d4219b876 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c
index dffbaf266..bc01ba5df 100644
--- a/src/libcharon/plugins/eap_tls/eap_tls.c
+++ b/src/libcharon/plugins/eap_tls/eap_tls.c
@@ -109,6 +109,12 @@ METHOD(eap_method_t, is_mutual, bool,
 	return TRUE;
 }
 
+METHOD(eap_method_t, get_auth, auth_cfg_t*,
+	private_eap_tls_t *this)
+{
+	return this->tls_eap->get_auth(this->tls_eap);
+}
+
 METHOD(eap_method_t, destroy, void,
 	private_eap_tls_t *this)
 {
@@ -138,6 +144,7 @@ static eap_tls_t *eap_tls_create(identification_t *server,
 				.get_msk = _get_msk,
 				.get_identifier = _get_identifier,
 				.set_identifier = _set_identifier,
+				.get_auth = _get_auth,
 				.destroy = _destroy,
 			},
 		},
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index 2d5d65875..6c34ed098 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index 62d23d064..f70f47ef6 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -256,6 +256,8 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 	private_eap_tnc_t *this;
 	int max_msg_count;
 	char* protocol;
+	ike_sa_t *ike_sa;
+	host_t *server_ip, *peer_ip;
 	tnccs_t *tnccs;
 	tnccs_type_t tnccs_type;
 
@@ -302,8 +304,29 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 		free(this);
 		return NULL;
 	}
+
+	/* Determine IP addresses of server and peer */
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		DBG1(DBG_TNC, "%N constructor did not find IKE_SA",
+					   eap_type_names, type);
+		free(this);
+		return NULL;
+	}
+	if (is_server)
+	{
+		server_ip = ike_sa->get_my_host(ike_sa);
+		peer_ip = ike_sa->get_other_host(ike_sa);
+	}
+	else
+	{
+		peer_ip = ike_sa->get_my_host(ike_sa);
+		server_ip = ike_sa->get_other_host(ike_sa);
+	}
+
 	tnccs = tnc->tnccs->create_instance(tnc->tnccs, tnccs_type,
-						is_server, server, peer,
+						is_server, server, peer, server_ip, peer_ip,
 						(type == EAP_TNC) ? TNC_IFT_EAP_1_1 : TNC_IFT_EAP_2_0,
 						is_server ? enforce_recommendation : NULL);
 	if (!tnccs)
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index 38c7632ac..0babf1766 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c
index 703cd3f29..c99d47f8d 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c
@@ -111,6 +111,12 @@ METHOD(eap_method_t, is_mutual, bool,
 	return TRUE;
 }
 
+METHOD(eap_method_t, get_auth, auth_cfg_t*,
+	private_eap_ttls_t *this)
+{
+	return this->tls_eap->get_auth(this->tls_eap);
+}
+
 METHOD(eap_method_t, destroy, void,
 	private_eap_ttls_t *this)
 {
@@ -141,6 +147,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
 				.get_identifier = _get_identifier,
 				.set_identifier = _set_identifier,
 				.get_msk = _get_msk,
+				.get_auth = _get_auth,
 				.destroy = _destroy,
 			},
 		},
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index d9fa454ca..0a07aa7a3 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -237,6 +237,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -297,10 +298,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,6 +377,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/ext_auth/Makefile.in b/src/libcharon/plugins/ext_auth/Makefile.in
index a1b47dd33..d23e680aa 100644
--- a/src/libcharon/plugins/ext_auth/Makefile.in
+++ b/src/libcharon/plugins/ext_auth/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 2bfd38ba1..318400fc9 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/forecast/Makefile.am b/src/libcharon/plugins/forecast/Makefile.am
new file mode 100644
index 000000000..ce573135d
--- /dev/null
+++ b/src/libcharon/plugins/forecast/Makefile.am
@@ -0,0 +1,21 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS) $(libiptc_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-forecast.la
+else
+plugin_LTLIBRARIES = libstrongswan-forecast.la
+endif
+
+libstrongswan_forecast_la_SOURCES = \
+	forecast_listener.h forecast_listener.c \
+	forecast_forwarder.h forecast_forwarder.c \
+	forecast_plugin.h forecast_plugin.c
+
+libstrongswan_forecast_la_LDFLAGS = -module -avoid-version
+libstrongswan_forecast_la_LIBADD = $(libiptc_LIBS)
diff --git a/src/libcharon/plugins/forecast/Makefile.in b/src/libcharon/plugins/forecast/Makefile.in
new file mode 100644
index 000000000..7b190ca25
--- /dev/null
+++ b/src/libcharon/plugins/forecast/Makefile.in
@@ -0,0 +1,784 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/forecast
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libstrongswan_forecast_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_forecast_la_OBJECTS = forecast_listener.lo \
+	forecast_forwarder.lo forecast_plugin.lo
+libstrongswan_forecast_la_OBJECTS =  \
+	$(am_libstrongswan_forecast_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libstrongswan_forecast_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_forecast_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_forecast_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_forecast_la_rpath =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libstrongswan_forecast_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_forecast_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS) $(libiptc_CFLAGS)
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-forecast.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-forecast.la
+libstrongswan_forecast_la_SOURCES = \
+	forecast_listener.h forecast_listener.c \
+	forecast_forwarder.h forecast_forwarder.c \
+	forecast_plugin.h forecast_plugin.c
+
+libstrongswan_forecast_la_LDFLAGS = -module -avoid-version
+libstrongswan_forecast_la_LIBADD = $(libiptc_LIBS)
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/forecast/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/forecast/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+libstrongswan-forecast.la: $(libstrongswan_forecast_la_OBJECTS) $(libstrongswan_forecast_la_DEPENDENCIES) $(EXTRA_libstrongswan_forecast_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_forecast_la_LINK) $(am_libstrongswan_forecast_la_rpath) $(libstrongswan_forecast_la_OBJECTS) $(libstrongswan_forecast_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/forecast_forwarder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/forecast_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/forecast_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/forecast/forecast_forwarder.c b/src/libcharon/plugins/forecast/forecast_forwarder.c
new file mode 100644
index 000000000..07a3d4953
--- /dev/null
+++ b/src/libcharon/plugins/forecast/forecast_forwarder.c
@@ -0,0 +1,496 @@
+/*
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "forecast_forwarder.h"
+
+#include <errno.h>
+#include <unistd.h>
+#include <netinet/ip.h>
+#include <netinet/udp.h>
+#include <linux/socket.h>
+#include <netinet/if_ether.h>
+#include <linux/if_packet.h>
+#include <linux/filter.h>
+#include <sys/ioctl.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+
+#include <hydra.h>
+#include <daemon.h>
+#include <threading/thread.h>
+#include <processing/jobs/callback_job.h>
+
+#define BOOTP_SERVER_PORT 67
+#define BOOTP_CLIENT_PORT 68
+
+typedef struct private_forecast_forwarder_t private_forecast_forwarder_t;
+typedef struct private_kernel_listener_t private_kernel_listener_t;
+
+/**
+ * Private data of registered kernel listener
+ */
+struct private_kernel_listener_t {
+
+	/**
+	 * Implements kernel_listener_t
+	 */
+	kernel_listener_t listener;
+
+	/**
+	 * Listener that knows active addresses
+	 */
+	forecast_listener_t *fc;
+
+	/**
+	 * current broadcast address of internal network
+	 */
+	u_int32_t broadcast;
+
+	/**
+	 * LAN interface index
+	 */
+	int ifindex;
+
+	/**
+	 * Packet socket
+	 */
+	int pkt;
+
+	/**
+	 * RAW socket
+	 */
+	int raw;
+};
+
+/**
+ * Private data of an forecast_forwarder_t object.
+ */
+struct private_forecast_forwarder_t {
+
+	/**
+	 * Public forecast_forwarder_t interface.
+	 */
+	forecast_forwarder_t public;
+
+	/**
+	 * Public kernel_listener_t interface.
+	 */
+	private_kernel_listener_t kernel;
+};
+
+/**
+ * Send a broadcast/multicast packet to a network
+ */
+static void send_net(private_forecast_forwarder_t *this,
+					 struct sockaddr_ll *addr, void *buf, size_t len)
+{
+	if (sendto(this->kernel.pkt, buf, len, 0,
+			   (struct sockaddr*)addr, sizeof(*addr)) != len)
+	{
+		DBG1(DBG_NET, "forecast send_net() failed: %s", strerror(errno));
+	}
+}
+
+/**
+ * Send a broadcast/multicast packet to a peer
+ */
+static void send_peer(private_forecast_forwarder_t *this, u_int32_t dst,
+					  void *buf, size_t len, int mark)
+{
+	struct sockaddr_in addr = {
+		.sin_family = AF_INET,
+		.sin_addr.s_addr = dst,
+	};
+
+	if (setsockopt(this->kernel.raw, SOL_SOCKET, SO_MARK,
+				   &mark, sizeof(mark)) != 0)
+	{
+		DBG1(DBG_NET, "forecast setting SO_MARK failed: %s", strerror(errno));
+	}
+	if (sendto(this->kernel.raw, buf, len, 0,
+			   (struct sockaddr*)&addr, sizeof(addr)) != len)
+	{
+		DBG1(DBG_NET, "forecast send_peer() failed: %s", strerror(errno));
+	}
+}
+
+/**
+ * Check if an IP packet is BOOTP/DHCP
+ */
+static bool is_bootp(void *buf, size_t len)
+{
+	struct __attribute__((__packed__)) {
+		struct iphdr ip;
+		struct udphdr udp;
+	} *pkt = buf;
+
+	if (len > sizeof(*pkt))
+	{
+		if (ntohs(pkt->udp.source) == BOOTP_CLIENT_PORT &&
+			ntohs(pkt->udp.dest) == BOOTP_SERVER_PORT)
+		{
+			return TRUE;
+		}
+		if (ntohs(pkt->udp.source) == BOOTP_SERVER_PORT &&
+			ntohs(pkt->udp.dest) == BOOTP_CLIENT_PORT)
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Broadcast/Multicast receiver
+ */
+static bool receive_casts(private_forecast_forwarder_t *this)
+{
+	struct __attribute__((packed)) {
+		struct iphdr hdr;
+		char data[2048];
+	} buf;
+	char *type;
+	ssize_t len;
+	u_int mark, origin = 0;
+	host_t *src, *dst;
+	traffic_selector_t *ts;
+	enumerator_t *enumerator;
+	struct sockaddr_ll addr;
+	socklen_t alen = sizeof(addr);
+	bool reinject;
+
+	len = recvfrom(this->kernel.pkt, &buf, sizeof(buf), MSG_DONTWAIT,
+				   (struct sockaddr*)&addr, &alen);
+	if (len < 0)
+	{
+		if (errno != EAGAIN && errno != EWOULDBLOCK)
+		{
+			DBG1(DBG_NET, "receiving from forecast socket failed: %s",
+				 strerror(errno));
+		}
+		return TRUE;
+	}
+	else if (len < sizeof(struct iphdr))
+	{
+		DBG1(DBG_NET, "received short forecast packet: %zd bytes", len);
+		return TRUE;
+	}
+	if (is_bootp(&buf, len))
+	{	/* don't forward DHCP broadcasts */
+		return TRUE;
+	}
+
+	src = host_create_from_chunk(AF_INET, chunk_from_thing(buf.hdr.saddr), 0);
+	dst = host_create_from_chunk(AF_INET, chunk_from_thing(buf.hdr.daddr), 0);
+
+	/* create valid broadcast/multicast MAC to send out */
+	if (IN_MULTICAST(ntohl(buf.hdr.daddr)))
+	{
+		type = "multi";
+		ETHER_MAP_IP_MULTICAST(&buf.hdr.daddr, addr.sll_addr);
+	}
+	else
+	{
+		type = "broad";
+		memset(&addr.sll_addr, 0xFF, sizeof(addr.sll_addr));
+	}
+	DBG2(DBG_NET, "forecast intercepted packet: %H to %H", src, dst);
+
+	/* find mark of originating tunnel */
+	enumerator = this->kernel.fc->create_enumerator(this->kernel.fc, FALSE);
+	while (enumerator->enumerate(enumerator, &ts, &mark, &reinject))
+	{
+		if (ts->includes(ts, src))
+		{
+			origin = mark;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* send packet over all tunnels, but not the packets origin */
+	enumerator = this->kernel.fc->create_enumerator(this->kernel.fc, FALSE);
+	while (enumerator->enumerate(enumerator, &ts, &mark, &reinject))
+	{
+		if (ts->includes(ts, dst))
+		{
+			if ((reinject && origin != mark) || origin == 0)
+			{
+				DBG2(DBG_NET, "forwarding a %H %scast from %H to peer %R (%u)",
+					 dst, type, src, ts, mark);
+				send_peer(this, buf.hdr.daddr, &buf, len, mark);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (origin)
+	{
+		/* forward broadcast/multicast from client to network */
+		DBG2(DBG_NET, "forwarding a %H %scast from peer %H to internal network",
+			 dst, type, src);
+		addr.sll_ifindex = this->kernel.ifindex;
+		send_net(this, &addr, &buf, len);
+	}
+
+	dst->destroy(dst);
+	src->destroy(src);
+
+	return TRUE;
+}
+
+/**
+ * Join a multicast group
+ */
+static void join_group(private_kernel_listener_t *this, char *group,
+					   struct sockaddr *addr)
+{
+	struct sockaddr_in *in;
+	struct ip_mreqn mreq;
+	host_t *host;
+
+	host = host_create_from_string(group, 0);
+	if (host)
+	{
+		memset(&mreq, 0, sizeof(mreq));
+		memcpy(&mreq.imr_multiaddr.s_addr, host->get_address(host).ptr, 4);
+		if (addr->sa_family == AF_INET)
+		{
+			in = (struct sockaddr_in*)addr;
+			memcpy(&mreq.imr_address, &in->sin_addr.s_addr,
+				   sizeof(in->sin_addr.s_addr));
+		}
+		mreq.imr_ifindex = this->ifindex;
+		if (setsockopt(this->raw, IPPROTO_IP, IP_ADD_MEMBERSHIP,
+					   &mreq, sizeof(mreq)) == -1)
+		{
+			if (errno != EADDRINUSE)
+			{
+				DBG1(DBG_NET, "forecast multicast join to %s failed: %s",
+					 group, strerror(errno));
+			}
+		}
+		else
+		{
+			DBG2(DBG_NET, "forwarding multicast group %s", group);
+		}
+		host->destroy(host);
+	}
+}
+
+/**
+ * (Re-)Join all multicast groups we want to forward
+ */
+static void join_groups(private_kernel_listener_t *this, struct sockaddr *addr)
+{
+	enumerator_t *enumerator;
+	char *groups, *group;
+	static char *def =
+		"224.0.0.1,"		/* host multicast */
+		"224.0.0.22,"		/* IGMP */
+		"224.0.0.251,"		/* mDNS */
+		"224.0.0.252,"		/* LLMNR */
+		"239.255.255.250";	/* SSDP/WS-discovery */
+
+	groups = lib->settings->get_str(lib->settings,
+									"%s.plugins.forecast.groups", def, lib->ns);
+	DBG1(DBG_CFG, "joining forecast multicast groups: %s", groups);
+	enumerator = enumerator_create_token(groups, ",", " ");
+	while (enumerator->enumerate(enumerator, &group))
+	{
+		join_group(this, group, addr);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Attach the socket filter to the socket
+ */
+static bool attach_filter(int fd, u_int32_t broadcast)
+{
+	struct sock_filter filter_code[] = {
+		/* destination address: is ... */
+		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct iphdr, daddr)),
+		/* broadcast, as received from the local network */
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ntohl(broadcast), 4, 0),
+		/* broadcast, as Win7 sends them */
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0xFFFFFFFF, 3, 0),
+		/* any multicast, 224.0.0.0/4 */
+		BPF_STMT(BPF_ALU+BPF_AND+BPF_K, 0xF0000000),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0xE0000000, 1, 0),
+		BPF_STMT(BPF_RET+BPF_K, 0),
+		BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0),
+		BPF_STMT(BPF_RET+BPF_A, 0),
+	};
+	struct sock_fprog filter = {
+		sizeof(filter_code) / sizeof(struct sock_filter),
+		filter_code,
+	};
+
+	if (setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER,
+				   &filter, sizeof(filter)) < 0)
+	{
+		DBG1(DBG_NET, "installing forecast PACKET socket filter failed: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Get the interface index of an interface name
+ */
+static int get_ifindex(private_kernel_listener_t *this, char *ifname)
+{
+	struct ifreq ifr = {};
+
+	strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+	if (ioctl(this->raw, SIOCGIFINDEX, &ifr) == 0)
+	{
+		return ifr.ifr_ifindex;
+	}
+	return 0;
+}
+
+/**
+ * Set up the interface for broad/multicast forwarding
+ */
+static void setup_interface(private_kernel_listener_t *this)
+{
+	struct ifaddrs *addrs, *current;
+	struct sockaddr_in *in;
+	host_t *host;
+	char *name;
+
+	name = lib->settings->get_str(lib->settings,
+							"%s.plugins.forecast.interface", NULL, lib->ns);
+	if (getifaddrs(&addrs) == 0)
+	{
+		for (current = addrs; current; current = current->ifa_next)
+		{
+			if (name && !streq(name, current->ifa_name))
+			{
+				continue;
+			}
+			if (current->ifa_flags & IFF_BROADCAST &&
+				current->ifa_broadaddr &&
+				current->ifa_broadaddr->sa_family == AF_INET)
+			{
+				DBG1(DBG_NET, "using forecast interface %s", current->ifa_name);
+				this->ifindex = get_ifindex(this, current->ifa_name);
+				in = (struct sockaddr_in*)current->ifa_broadaddr;
+				attach_filter(this->pkt, in->sin_addr.s_addr);
+				join_groups(this, current->ifa_addr);
+				host = host_create_from_sockaddr(current->ifa_broadaddr);
+				if (host)
+				{
+					this->fc->set_broadcast(this->fc, host);
+					host->destroy(host);
+				}
+				break;
+			}
+		}
+	}
+	freeifaddrs(addrs);
+}
+
+METHOD(kernel_listener_t, roam, bool,
+	private_kernel_listener_t *this, bool address)
+{
+	if (address)
+	{
+		setup_interface(this);
+	}
+	return TRUE;
+}
+
+METHOD(forecast_forwarder_t, destroy, void,
+	private_forecast_forwarder_t *this)
+{
+	if (this->kernel.raw != -1)
+	{
+		close(this->kernel.raw);
+	}
+	if (this->kernel.pkt != -1)
+	{
+		lib->watcher->remove(lib->watcher, this->kernel.pkt);
+		close(this->kernel.pkt);
+	}
+	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
+											 &this->kernel.listener);
+	free(this);
+}
+
+/**
+ * See header
+ */
+forecast_forwarder_t *forecast_forwarder_create(forecast_listener_t *listener)
+{
+	private_forecast_forwarder_t *this;
+	int on = 1;
+
+	INIT(this,
+		.public = {
+			.destroy = _destroy,
+		},
+		.kernel = {
+			.listener = {
+				.roam = _roam,
+			},
+			.raw = -1,
+			.pkt = -1,
+			.fc = listener,
+		},
+	);
+
+	this->kernel.pkt = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_IP));
+	if (this->kernel.pkt == -1)
+	{
+		DBG1(DBG_NET, "opening PACKET socket failed: %s", strerror(errno));
+		destroy(this);
+		return NULL;
+	}
+	this->kernel.raw = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
+	if (this->kernel.raw == -1)
+	{
+		DBG1(DBG_NET, "opening RAW socket failed: %s", strerror(errno));
+		destroy(this);
+		return NULL;
+	}
+	if (setsockopt(this->kernel.raw, IPPROTO_IP, IP_HDRINCL,
+				   &on, sizeof(on)) == -1)
+	{
+		DBG1(DBG_NET, "forecast socket HDRINCL failed: %s", strerror(errno));
+		destroy(this);
+		return NULL;
+	}
+	if (setsockopt(this->kernel.raw, SOL_SOCKET, SO_BROADCAST,
+				   &on, sizeof(on)) == -1)
+	{
+		DBG1(DBG_NET, "forecast socket BROADCAST failed: %s", strerror(errno));
+		destroy(this);
+		return NULL;
+	}
+
+	setup_interface(&this->kernel);
+
+	hydra->kernel_interface->add_listener(hydra->kernel_interface,
+										  &this->kernel.listener);
+
+	lib->watcher->add(lib->watcher, this->kernel.pkt, WATCHER_READ,
+					  (watcher_cb_t)receive_casts, this);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/forecast/forecast_forwarder.h b/src/libcharon/plugins/forecast/forecast_forwarder.h
new file mode 100644
index 000000000..14d107361
--- /dev/null
+++ b/src/libcharon/plugins/forecast/forecast_forwarder.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup forecast_forwarder forecast_forwarder
+ * @{ @ingroup forecast
+ */
+
+#ifndef FORECAST_FORWARDER_H_
+#define FORECAST_FORWARDER_H_
+
+#include "forecast_listener.h"
+
+typedef struct forecast_forwarder_t forecast_forwarder_t;
+
+/**
+ * Broadcast/Multicast sniffer and forwarder.
+ */
+struct forecast_forwarder_t {
+
+	/**
+	 * Destroy a forecast_forwarder_t.
+	 */
+	void (*destroy)(forecast_forwarder_t *this);
+};
+
+/**
+ * Create a forecast_forwarder instance.
+ *
+ * @param listener		listener to check for addresses to forward to
+ * @return				forwarder instance
+ */
+forecast_forwarder_t *forecast_forwarder_create(forecast_listener_t *listener);
+
+#endif /** FORECAST_FORWARDER_H_ @}*/
diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c
new file mode 100644
index 000000000..63a8cb15b
--- /dev/null
+++ b/src/libcharon/plugins/forecast/forecast_listener.c
@@ -0,0 +1,680 @@
+/*
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "forecast_listener.h"
+
+#include <errno.h>
+#include <libiptc/libiptc.h>
+#include <linux/netfilter/xt_MARK.h>
+#include <linux/netfilter/xt_esp.h>
+
+#include <daemon.h>
+#include <collections/array.h>
+#include <collections/hashtable.h>
+#include <threading/rwlock.h>
+
+typedef struct private_forecast_listener_t private_forecast_listener_t;
+
+/**
+ * Private data of an forecast_listener_t object.
+ */
+struct private_forecast_listener_t {
+
+	/**
+	 * Public forecast_listener_t interface.
+	 */
+	forecast_listener_t public;
+
+	/**
+	 * List of entries
+	 */
+	linked_list_t *entries;
+
+	/**
+	 * RWlock for IP list
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * Configs we do reinjection
+	 */
+	char *reinject_configs;
+
+	/**
+	 * Broadcast address on LAN interface, network order
+	 */
+	u_int32_t broadcast;
+};
+
+/**
+ * Hashtable entry
+ */
+typedef struct {
+	/** local traffic selectors */
+	array_t *lts;
+	/** remote traffic selectors */
+	array_t *rts;
+	/** firewall mark used by CHILD_SA */
+	u_int mark;
+	/** local IKE_SA endpoint */
+	host_t *lhost;
+	/** remote IKE_SA endpoint */
+	host_t *rhost;
+	/** inbound SPI */
+	u_int32_t spi;
+	/** use UDP encapsulation */
+	bool encap;
+	/** whether we should allow reencapsulation of IPsec received forecasts */
+	bool reinject;
+	/** broadcast address used for that entry */
+	u_int32_t broadcast;
+} entry_t;
+
+/**
+ * Destroy an entry
+ */
+static void entry_destroy(entry_t *entry)
+{
+	if (entry)
+	{
+		entry->lhost->destroy(entry->lhost);
+		entry->rhost->destroy(entry->rhost);
+		array_destroy_offset(entry->lts, offsetof(traffic_selector_t, destroy));
+		array_destroy_offset(entry->rts, offsetof(traffic_selector_t, destroy));
+		free(entry);
+	}
+}
+
+/**
+ * Convert an (IPv4) traffic selector to an address and mask
+ */
+static bool ts2in(traffic_selector_t *ts,
+				  struct in_addr *addr, struct in_addr *mask)
+{
+	u_int8_t bits;
+	host_t *net;
+
+	if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE &&
+		ts->to_subnet(ts, &net, &bits))
+	{
+		memcpy(&addr->s_addr, net->get_address(net).ptr, 4);
+		net->destroy(net);
+		mask->s_addr = htonl(0xffffffffU << (32 - bits));
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Convert an (IPv4) host to an address with mask
+ */
+static bool host2in(host_t *host, struct in_addr *addr, struct in_addr *mask)
+{
+	if (host->get_family(host) == AF_INET)
+	{
+		memcpy(&addr->s_addr, host->get_address(host).ptr, 4);
+		mask->s_addr = ~0;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Add or remove a rule to/from the specified chain
+ */
+static bool manage_rule(struct iptc_handle *ipth, const char *chain,
+						bool add, struct ipt_entry *e)
+{
+	if (add)
+	{
+		if (!iptc_insert_entry(chain, e, 0, ipth))
+		{
+			DBG1(DBG_CFG, "appending %s rule failed: %s",
+				 chain, iptc_strerror(errno));
+			return FALSE;
+		}
+	}
+	else
+	{
+		if (!iptc_delete_entry(chain, e, "", ipth))
+		{
+			DBG1(DBG_CFG, "deleting %s rule failed: %s",
+				 chain, iptc_strerror(errno));
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Add rule marking UDP-encapsulated ESP packets to match the correct policy
+ */
+static bool manage_pre_esp_in_udp(struct iptc_handle *ipth,
+								  entry_t *entry, bool add)
+{
+	struct {
+		struct ipt_entry e;
+		struct ipt_entry_match m;
+		struct xt_udp udp;
+		struct ipt_entry_target t;
+		struct xt_mark_tginfo2 tm;
+	} ipt = {
+		.e  = {
+			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
+									  sizeof(ipt.udp)),
+			.next_offset = sizeof(ipt),
+			.ip = {
+				.proto = IPPROTO_UDP,
+			},
+		},
+		.m = {
+			.u = {
+				.user = {
+					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)),
+					.name = "udp",
+				},
+			},
+		},
+		.udp = {
+			.spts = {
+				entry->rhost->get_port(entry->rhost),
+				entry->rhost->get_port(entry->lhost)
+			},
+			.dpts = {
+				entry->lhost->get_port(entry->lhost),
+				entry->lhost->get_port(entry->lhost)
+			},
+		},
+		.t = {
+			.u = {
+				.user = {
+					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
+					.name = "MARK",
+					.revision = 2,
+				},
+			},
+		},
+		.tm = {
+			.mark = entry->mark,
+			.mask = ~0,
+		},
+	};
+
+	if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
+		!host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk))
+	{
+		return FALSE;
+	}
+	return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+}
+
+/**
+ * Add rule marking non-encapsulated ESP packets to match the correct policy
+ */
+static bool manage_pre_esp(struct iptc_handle *ipth, entry_t *entry, bool add)
+{
+	struct {
+		struct ipt_entry e;
+		struct ipt_entry_match m;
+		struct xt_esp esp;
+		struct ipt_entry_target t;
+		struct xt_mark_tginfo2 tm;
+	} ipt = {
+		.e  = {
+			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
+									  sizeof(ipt.esp)),
+			.next_offset = sizeof(ipt),
+			.ip = {
+				.proto = IPPROTO_ESP,
+			},
+		},
+		.m = {
+			.u = {
+				.user = {
+					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)),
+					.name = "esp",
+				},
+			},
+		},
+		.esp = {
+			.spis = { htonl(entry->spi), htonl(entry->spi) },
+		},
+		.t = {
+			.u = {
+				.user = {
+					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
+					.name = "MARK",
+					.revision = 2,
+				},
+			},
+		},
+		.tm = {
+			.mark = entry->mark,
+			.mask = ~0,
+		},
+	};
+
+	if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
+		!host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk))
+	{
+		return FALSE;
+	}
+	return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+}
+
+/**
+ * Add rule marking ESP packets to match the correct policy
+ */
+static bool manage_pre(struct iptc_handle *ipth, entry_t *entry, bool add)
+{
+	if (entry->encap)
+	{
+		return manage_pre_esp_in_udp(ipth, entry, add);
+	}
+	return manage_pre_esp(ipth, entry, add);
+}
+
+/**
+ * Add rule handling outbound traffic to use correct mark
+ */
+static bool manage_out(struct iptc_handle *ipth, entry_t *entry, bool add)
+{
+	struct {
+		struct ipt_entry e;
+		struct ipt_entry_target t;
+		struct xt_mark_tginfo2 m;
+	} ipt = {
+		.e  = {
+			.target_offset = XT_ALIGN(sizeof(ipt.e)),
+			.next_offset = sizeof(ipt),
+		},
+		.t = {
+			.u.user.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.m)),
+			.u.user.name = "MARK",
+			.u.user.revision = 2,
+		},
+		.m = {
+			.mark = entry->mark,
+			.mask = ~0,
+		},
+	};
+	enumerator_t *enumerator;
+	traffic_selector_t *ts;
+
+	enumerator = array_create_enumerator(entry->rts);
+	while (enumerator->enumerate(enumerator, &ts))
+	{
+		if (!ts2in(ts, &ipt.e.ip.dst, &ipt.e.ip.dmsk))
+		{
+			continue;
+		}
+		if (ipt.e.ip.dst.s_addr == 0xffffffff ||
+			ipt.e.ip.dst.s_addr == entry->broadcast ||
+			memeq(&ipt.e.ip.dst.s_addr, "\xe0", 1))
+		{
+			/* skip broadcast/multicast selectors, they are shared and the mark
+			 * is set by the socket we use for reinjection */
+			continue;
+		}
+		if (!manage_rule(ipth, "PREROUTING", add, &ipt.e) ||
+			!manage_rule(ipth, "OUTPUT", add, &ipt.e))
+		{
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return TRUE;
+}
+
+/**
+ * Check if config is whitelisted to reinject traffic
+ */
+static bool is_reinject_config(private_forecast_listener_t *this, char *name)
+{
+	enumerator_t *enumerator;
+	bool reinject = FALSE;
+	char *token;
+
+	enumerator = enumerator_create_token(this->reinject_configs, ",", " ");
+	while (enumerator->enumerate(enumerator, &token))
+	{
+		if (streq(token, name))
+		{
+			reinject = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return reinject;
+}
+
+/**
+ * Add rules and entry for given CHILD_SA
+ */
+static bool add_entry(private_forecast_listener_t *this,
+					  struct iptc_handle *ipth, host_t *lhost, host_t *rhost,
+					  child_sa_t *child_sa, bool encap)
+{
+	enumerator_t *enumerator;
+	traffic_selector_t *ts;
+	entry_t *entry;
+
+	INIT(entry,
+		.lts = array_create(0, 0),
+		.rts = array_create(0, 0),
+		.lhost = lhost->clone(lhost),
+		.rhost = rhost->clone(rhost),
+		.spi = child_sa->get_spi(child_sa, TRUE),
+		.encap = encap,
+		.mark = child_sa->get_mark(child_sa, TRUE).value,
+		.reinject = is_reinject_config(this, child_sa->get_name(child_sa)),
+		.broadcast = this->broadcast,
+	);
+
+	enumerator = child_sa->create_ts_enumerator(child_sa, TRUE);
+	while (enumerator->enumerate(enumerator, &ts))
+	{
+		array_insert(entry->lts, ARRAY_TAIL, ts->clone(ts));
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = child_sa->create_ts_enumerator(child_sa, FALSE);
+	while (enumerator->enumerate(enumerator, &ts))
+	{
+		array_insert(entry->rts, ARRAY_TAIL, ts->clone(ts));
+	}
+	enumerator->destroy(enumerator);
+
+	if (manage_pre(ipth, entry, TRUE) &&
+		manage_out(ipth, entry, TRUE))
+	{
+		this->lock->write_lock(this->lock);
+		this->entries->insert_last(this->entries, entry);
+		this->lock->unlock(this->lock);
+		return TRUE;
+	}
+	entry_destroy(entry);
+	return FALSE;
+}
+
+/**
+ * Remove an entry and rules for a given mark
+ */
+static bool remove_entry(private_forecast_listener_t *this,
+						 struct iptc_handle *ipth, child_sa_t *child_sa)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool done = FALSE;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->entries->create_enumerator(this->entries);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->mark == child_sa->get_mark(child_sa, TRUE).value)
+		{
+			this->entries->remove_at(this->entries, enumerator);
+			if (manage_pre(ipth, entry, FALSE) &&
+				manage_out(ipth, entry, FALSE))
+			{
+				done = TRUE;
+			}
+			entry_destroy(entry);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return done;
+}
+
+/**
+ * Initialize iptables handle, log error
+ */
+static struct iptc_handle* init_handle()
+{
+	struct iptc_handle *ipth;
+
+	ipth = iptc_init("mangle");
+	if (ipth)
+	{
+		return ipth;
+	}
+	DBG1(DBG_CFG, "initializing iptables failed: %s", iptc_strerror(errno));
+	return NULL;
+}
+
+/**
+ * Commit iptables rules, log error
+ */
+static bool commit_handle(struct iptc_handle *ipth)
+{
+	if (iptc_commit(ipth))
+	{
+		return TRUE;
+	}
+	DBG1(DBG_CFG, "forecast iptables commit failed: %s", iptc_strerror(errno));
+	return FALSE;
+}
+
+/**
+ * Check if we should handle the given CHILD_SA
+ */
+static bool handle_sa(child_sa_t *child_sa)
+{
+	return child_sa->get_mark(child_sa, TRUE).value &&
+		   child_sa->get_mark(child_sa, FALSE).value;
+}
+
+METHOD(listener_t, child_updown, bool,
+	private_forecast_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	bool up)
+{
+	struct iptc_handle *ipth;
+	host_t *lhost, *rhost;
+	bool encap;
+
+	lhost = ike_sa->get_my_host(ike_sa);
+	rhost = ike_sa->get_other_host(ike_sa);
+	encap = child_sa->has_encap(child_sa);
+
+	if (handle_sa(child_sa))
+	{
+		ipth = init_handle();
+		if (ipth)
+		{
+			if (up)
+			{
+				if (add_entry(this, ipth, lhost, rhost, child_sa, encap))
+				{
+					commit_handle(ipth);
+				}
+			}
+			else
+			{
+				if (remove_entry(this, ipth, child_sa))
+				{
+					commit_handle(ipth);
+				}
+			}
+			iptc_free(ipth);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, child_rekey, bool,
+	private_forecast_listener_t *this, ike_sa_t *ike_sa,
+	child_sa_t *old, child_sa_t *new)
+{
+	struct iptc_handle *ipth;;
+	host_t *lhost, *rhost;
+
+	lhost = ike_sa->get_my_host(ike_sa);
+	rhost = ike_sa->get_other_host(ike_sa);
+
+	if (handle_sa(old))
+	{
+		ipth = init_handle();
+		if (ipth)
+		{
+			if (remove_entry(this, ipth, old) &&
+				add_entry(this, ipth, lhost, rhost, new, new->has_encap(new)))
+			{
+				commit_handle(ipth);
+			}
+			iptc_free(ipth);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_update, bool,
+	private_forecast_listener_t *this, ike_sa_t *ike_sa,
+	bool local, host_t *new)
+{
+	struct iptc_handle *ipth;
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+	host_t *lhost, *rhost;
+	bool encap;
+
+	if (local)
+	{
+		lhost = new;
+		rhost = ike_sa->get_other_host(ike_sa);
+	}
+	else
+	{
+		lhost = ike_sa->get_my_host(ike_sa);
+		rhost = new;
+	}
+	/* during ike_update(), has_encap() on the CHILD_SA has not yet been
+	 * updated, but shows the old state. */
+	encap = ike_sa->has_condition(ike_sa, COND_NAT_ANY);
+
+	enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
+	while (enumerator->enumerate(enumerator, &child_sa))
+	{
+		if (handle_sa(child_sa))
+		{
+			ipth = init_handle();
+			if (ipth)
+			{
+				if (remove_entry(this, ipth, child_sa) &&
+					add_entry(this, ipth, lhost, rhost, child_sa, encap))
+				{
+					commit_handle(ipth);
+				}
+				iptc_free(ipth);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return TRUE;
+}
+
+/**
+ * Filter to map entries to ts/mark
+ */
+static bool ts_filter(entry_t *entry, traffic_selector_t **ts,
+					  traffic_selector_t **out, void *dummy, u_int32_t *mark,
+					  void *dummy2, bool *reinject)
+{
+	*out = *ts;
+	*mark = entry->mark;
+	*reinject = entry->reinject;
+	return TRUE;
+}
+
+/**
+ * Create inner enumerator over local traffic selectors
+ */
+static enumerator_t* create_inner_local(entry_t *entry, rwlock_t *lock)
+{
+	return enumerator_create_filter(array_create_enumerator(entry->lts),
+									(void*)ts_filter, entry, NULL);
+}
+
+/**
+ * Create inner enumerator over remote traffic selectors
+ */
+static enumerator_t* create_inner_remote(entry_t *entry, rwlock_t *lock)
+{
+	return enumerator_create_filter(array_create_enumerator(entry->rts),
+									(void*)ts_filter, entry, NULL);
+}
+
+METHOD(forecast_listener_t, create_enumerator, enumerator_t*,
+	private_forecast_listener_t *this, bool local)
+{
+	this->lock->read_lock(this->lock);
+	return enumerator_create_nested(
+					this->entries->create_enumerator(this->entries),
+					(void*)(local ? create_inner_local : create_inner_remote),
+					this->lock, (void*)this->lock->unlock);
+}
+
+METHOD(forecast_listener_t, set_broadcast, void,
+	private_forecast_listener_t *this, host_t *bcast)
+{
+	if (bcast->get_family(bcast) == AF_INET)
+	{
+		struct sockaddr_in *in;
+
+		in = (struct sockaddr_in*)bcast->get_sockaddr(bcast);
+		this->broadcast = in->sin_addr.s_addr;
+	}
+}
+
+METHOD(forecast_listener_t, destroy, void,
+	private_forecast_listener_t *this)
+{
+	this->entries->destroy(this->entries);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+forecast_listener_t *forecast_listener_create()
+{
+	private_forecast_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.ike_update = _ike_update,
+				.child_updown = _child_updown,
+				.child_rekey = _child_rekey,
+			},
+			.create_enumerator = _create_enumerator,
+			.set_broadcast = _set_broadcast,
+			.destroy = _destroy,
+		},
+		.entries = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.reinject_configs = lib->settings->get_str(lib->settings,
+								"%s.plugins.forecast.reinject", "", lib->ns),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/forecast/forecast_listener.h b/src/libcharon/plugins/forecast/forecast_listener.h
new file mode 100644
index 000000000..49827ecb1
--- /dev/null
+++ b/src/libcharon/plugins/forecast/forecast_listener.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup forecast_listener forecast_listener
+ * @{ @ingroup forecast
+ */
+
+#ifndef FORECAST_LISTENER_H_
+#define FORECAST_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct forecast_listener_t forecast_listener_t;
+
+/**
+ * Listener to register the set of IPs we forward received multi/broadcasts to.
+ */
+struct forecast_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Create an enumerator over active tunnels.
+	 *
+	 * The enumerator enumerates over local or remote traffic selectors,
+	 * associated firewall marks and if decasulated packets should get
+	 * reinjected into other tunnels.
+	 *
+	 * @param local		TRUE to enumerate local, FALSE to enumerate remote TS
+	 * @return			enumerator over (traffic_selector_t*, u_int, bool)
+	 */
+	enumerator_t* (*create_enumerator)(forecast_listener_t *this, bool local);
+
+	/**
+	 * Set the broadcast address of the LAN interface.
+	 *
+	 * @param bcast		broadcast address
+	 */
+	void (*set_broadcast)(forecast_listener_t *this, host_t *bcast);
+
+	/**
+	 * Destroy a forecast_listener_t.
+	 */
+	void (*destroy)(forecast_listener_t *this);
+};
+
+/**
+ * Create a forecast_listener instance.
+ */
+forecast_listener_t *forecast_listener_create();
+
+#endif /** FORECAST_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/forecast/forecast_plugin.c b/src/libcharon/plugins/forecast/forecast_plugin.c
new file mode 100644
index 000000000..a129b76b2
--- /dev/null
+++ b/src/libcharon/plugins/forecast/forecast_plugin.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "forecast_plugin.h"
+#include "forecast_listener.h"
+#include "forecast_forwarder.h"
+
+#include <daemon.h>
+
+typedef struct private_forecast_plugin_t private_forecast_plugin_t;
+
+/**
+ * Private data of forecast plugin
+ */
+struct private_forecast_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	forecast_plugin_t public;
+
+	/**
+	 * Listener registering active tunnels
+	 */
+	forecast_listener_t *listener;
+
+	/**
+	 * Broadcast/Multicast sniffer and forwarder
+	 */
+	forecast_forwarder_t *forwarder;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_forecast_plugin_t *this)
+{
+	return "forecast";
+}
+
+/**
+ * Register plugin features
+ */
+static bool register_forecast(private_forecast_plugin_t *this,
+							  plugin_feature_t *feature, bool reg, void *data)
+{
+	if (reg)
+	{
+		this->forwarder = forecast_forwarder_create(this->listener);
+		if (!this->forwarder)
+		{
+			return FALSE;
+		}
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+		this->forwarder->destroy(this->forwarder);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_forecast_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)register_forecast, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "forecast"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_forecast_plugin_t *this)
+{
+	this->listener->destroy(this->listener);
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *forecast_plugin_create()
+{
+	private_forecast_plugin_t *this;
+
+	if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
+	{
+		DBG1(DBG_NET, "forecast plugin requires CAP_NET_RAW capability");
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.reload = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.listener = forecast_listener_create(),
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/forecast/forecast_plugin.h b/src/libcharon/plugins/forecast/forecast_plugin.h
new file mode 100644
index 000000000..739ca4d79
--- /dev/null
+++ b/src/libcharon/plugins/forecast/forecast_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup forecast forecast
+ * @ingroup cplugins
+ *
+ * @defgroup forecast_plugin forecast_plugin
+ * @{ @ingroup forecast
+ */
+
+#ifndef FORECAST_PLUGIN_H_
+#define FORECAST_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct forecast_plugin_t forecast_plugin_t;
+
+/**
+ * Broadcast/Multicast forwarding plugin.
+ */
+struct forecast_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** FORECAST_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index aa5bdb747..de74f88cc 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
index dd55fae8b..2b271a8e7 100644
--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -170,7 +170,7 @@ static bool responsible_for(private_ha_attribute_t *this, int bit)
 }
 
 METHOD(attribute_provider_t, acquire_address, host_t*,
-	private_ha_attribute_t *this, linked_list_t *pools, identification_t *id,
+	private_ha_attribute_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
 	host_t *requested)
 {
 	enumerator_t *enumerator;
@@ -233,7 +233,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 
 METHOD(attribute_provider_t, release_address, bool,
 	private_ha_attribute_t *this, linked_list_t *pools, host_t *address,
-	identification_t *id)
+	ike_sa_t *ike_sa)
 {
 	enumerator_t *enumerator;
 	pool_t *pool;
diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c
index 60e75fc7e..6c1b3471d 100644
--- a/src/libcharon/plugins/ha/ha_cache.c
+++ b/src/libcharon/plugins/ha/ha_cache.c
@@ -196,9 +196,26 @@ static status_t rekey_children(ike_sa_t *ike_sa)
 	enumerator_t *enumerator;
 	child_sa_t *child_sa;
 	status_t status = SUCCESS;
+	linked_list_t *children;
+	struct {
+		protocol_id_t protocol;
+		u_int32_t spi;
+	} *info;
 
+	children = linked_list_create();
 	enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
-	while (enumerator->enumerate(enumerator, (void**)&child_sa))
+	while (enumerator->enumerate(enumerator, &child_sa))
+	{
+		INIT(info,
+			.protocol = child_sa->get_protocol(child_sa),
+			.spi = child_sa->get_spi(child_sa, TRUE),
+		);
+		children->insert_last(children, info);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = children->create_enumerator(children);
+	while (enumerator->enumerate(enumerator, &info))
 	{
 		if (ike_sa->supports_extension(ike_sa, EXT_MS_WINDOWS) &&
 			ike_sa->has_condition(ike_sa, COND_NAT_THERE))
@@ -207,17 +224,13 @@ static status_t rekey_children(ike_sa_t *ike_sa)
 			 * with an "invalid situation" error. We just close the CHILD_SA,
 			 * Windows will reestablish it immediately if required. */
 			DBG1(DBG_CFG, "resyncing CHILD_SA using a delete");
-			status = ike_sa->delete_child_sa(ike_sa,
-											 child_sa->get_protocol(child_sa),
-											 child_sa->get_spi(child_sa, TRUE),
+			status = ike_sa->delete_child_sa(ike_sa, info->protocol, info->spi,
 											 FALSE);
 		}
 		else
 		{
 			DBG1(DBG_CFG, "resyncing CHILD_SA using a rekey");
-			status = ike_sa->rekey_child_sa(ike_sa,
-											child_sa->get_protocol(child_sa),
-											child_sa->get_spi(child_sa, TRUE));
+			status = ike_sa->rekey_child_sa(ike_sa, info->protocol, info->spi);
 		}
 		if (status == DESTROY_ME)
 		{
@@ -225,6 +238,8 @@ static status_t rekey_children(ike_sa_t *ike_sa)
 		}
 	}
 	enumerator->destroy(enumerator);
+	children->destroy_function(children, free);
+
 	return status;
 }
 
diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c
index c166d72ac..17f2d50d1 100644
--- a/src/libcharon/plugins/ha/ha_child.c
+++ b/src/libcharon/plugins/ha/ha_child.c
@@ -97,7 +97,7 @@ METHOD(listener_t, child_keys, bool,
 	}
 	m->add_attribute(m, HA_NONCE_I, nonce_i);
 	m->add_attribute(m, HA_NONCE_R, nonce_r);
-	if (dh && dh->get_shared_secret(dh, &secret) == SUCCESS)
+	if (dh && dh->get_shared_secret(dh, &secret))
 	{
 		m->add_attribute(m, HA_SECRET, secret);
 		chunk_clear(&secret);
@@ -128,7 +128,7 @@ METHOD(listener_t, child_keys, bool,
 			ike_sa->get_other_host(ike_sa), child_sa->get_spi(child_sa, FALSE));
 	DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R=== %#R "
 		"(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa),
-		child_sa->get_reqid(child_sa), local_ts, remote_ts,
+		child_sa->get_unique_id(child_sa), local_ts, remote_ts,
 		seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "",
 		seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : "");
 
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index e20e872c1..31eeb934e 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -81,17 +81,18 @@ struct ha_diffie_hellman_t {
 	chunk_t pub;
 };
 
-METHOD(diffie_hellman_t, dh_get_shared_secret, status_t,
+METHOD(diffie_hellman_t, dh_get_shared_secret, bool,
 	ha_diffie_hellman_t *this, chunk_t *secret)
 {
 	*secret = chunk_clone(this->secret);
-	return SUCCESS;
+	return TRUE;
 }
 
-METHOD(diffie_hellman_t, dh_get_my_public_value, void,
+METHOD(diffie_hellman_t, dh_get_my_public_value, bool,
 	ha_diffie_hellman_t *this, chunk_t *value)
 {
 	*value = chunk_clone(this->pub);
+	return TRUE;
 }
 
 METHOD(diffie_hellman_t, dh_destroy, void,
@@ -373,6 +374,9 @@ static void process_ike_update(private_ha_dispatcher_t *this,
 				else
 				{
 					DBG1(DBG_IKE, "HA is missing nodes peer configuration");
+					charon->ike_sa_manager->checkin_and_destroy(
+												charon->ike_sa_manager, ike_sa);
+					ike_sa = NULL;
 				}
 				break;
 			case HA_EXTENSIONS:
@@ -718,7 +722,8 @@ static void process_child_add(private_ha_dispatcher_t *this,
 
 	child_sa = child_sa_create(ike_sa->get_my_host(ike_sa),
 							   ike_sa->get_other_host(ike_sa), config, 0,
-							   ike_sa->has_condition(ike_sa, COND_NAT_ANY));
+							   ike_sa->has_condition(ike_sa, COND_NAT_ANY),
+							   0, 0);
 	child_sa->set_mode(child_sa, mode);
 	child_sa->set_protocol(child_sa, PROTO_ESP);
 	child_sa->set_ipcomp(child_sa, ipcomp);
@@ -835,7 +840,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
 
 	DBG1(DBG_CFG, "installed HA CHILD_SA %s{%d} %#R=== %#R "
 		"(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa),
-		child_sa->get_reqid(child_sa), local_ts, remote_ts,
+		child_sa->get_unique_id(child_sa), local_ts, remote_ts,
 		seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "",
 		seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : "");
 	child_sa->add_policies(child_sa, local_ts, remote_ts);
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
index 442a3a23d..6b4b53c9c 100644
--- a/src/libcharon/plugins/ha/ha_ike.c
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -84,7 +84,7 @@ METHOD(listener_t, ike_keys, bool,
 	{	/* do not sync SA between nodes */
 		return TRUE;
 	}
-	if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+	if (!dh->get_shared_secret(dh, &secret))
 	{
 		return TRUE;
 	}
@@ -127,9 +127,11 @@ METHOD(listener_t, ike_keys, bool,
 	chunk_clear(&secret);
 	if (ike_sa->get_version(ike_sa) == IKEV1)
 	{
-		dh->get_my_public_value(dh, &secret);
-		m->add_attribute(m, HA_LOCAL_DH, secret);
-		chunk_free(&secret);
+		if (dh->get_my_public_value(dh, &secret))
+		{
+			m->add_attribute(m, HA_LOCAL_DH, secret);
+			chunk_free(&secret);
+		}
 		m->add_attribute(m, HA_REMOTE_DH, dh_other);
 		if (shared)
 		{
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index 493cad5ec..a58377bab 100644
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -25,7 +25,6 @@
 #include "ha_attribute.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <config/child_cfg.h>
 
 typedef struct private_ha_plugin_t private_ha_plugin_t;
@@ -108,13 +107,13 @@ static bool plugin_cb(private_ha_plugin_t *this,
 		charon->bus->add_listener(charon->bus, &this->segments->listener);
 		charon->bus->add_listener(charon->bus, &this->ike->listener);
 		charon->bus->add_listener(charon->bus, &this->child->listener);
-		hydra->attributes->add_provider(hydra->attributes,
-										&this->attr->provider);
+		charon->attributes->add_provider(charon->attributes,
+										 &this->attr->provider);
 	}
 	else
 	{
-		hydra->attributes->remove_provider(hydra->attributes,
-										   &this->attr->provider);
+		charon->attributes->remove_provider(charon->attributes,
+											&this->attr->provider);
 		charon->bus->remove_listener(charon->bus, &this->segments->listener);
 		charon->bus->remove_listener(charon->bus, &this->ike->listener);
 		charon->bus->remove_listener(charon->bus, &this->child->listener);
@@ -224,4 +223,3 @@ plugin_t *ha_plugin_create()
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index bd3fd63aa..f98e78ffc 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in
index 7e1f79bd8..7a2583d06 100644
--- a/src/libcharon/plugins/kernel_iph/Makefile.in
+++ b/src/libcharon/plugins/kernel_iph/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index c961c0bd8..6b6c95688 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
index bd07a67a2..6246dc505 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -222,10 +222,10 @@ static inline bool policy_entry_equals(policy_entry_t *a,
 /**
  * Expiration callback
  */
-static void expire(u_int32_t reqid, u_int8_t protocol, u_int32_t spi, bool hard)
+static void expire(u_int8_t protocol, u_int32_t spi, host_t *dst, bool hard)
 {
-	hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
-									spi, hard);
+	hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
+									spi, dst, hard);
 }
 
 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
@@ -236,14 +236,14 @@ METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
 	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
-	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+	u_int8_t protocol, u_int32_t *spi)
 {
-	return ipsec->sas->get_spi(ipsec->sas, src, dst, protocol, reqid, spi);
+	return ipsec->sas->get_spi(ipsec->sas, src, dst, protocol, spi);
 }
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
 	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t reqid, u_int16_t *cpi)
+	u_int16_t *cpi)
 {
 	return NOT_SUPPORTED;
 }
@@ -254,13 +254,13 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
 	u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
-	bool initiator, bool encap, bool esn, bool inbound,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+	bool initiator, bool encap, bool esn, bool inbound, bool update,
+	linked_list_t *src_ts, linked_list_t *dst_ts)
 {
 	return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
 							  tfc, lifetime, enc_alg, enc_key, int_alg, int_key,
-							  mode, ipcomp, cpi, initiator, encap, esn, inbound,
-							  src_ts, dst_ts);
+							  mode, ipcomp, cpi, initiator, encap, esn,
+							  inbound, update);
 }
 
 METHOD(kernel_ipsec_t, update_sa, status_t,
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
index 6ce1d4eb0..830954e11 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
@@ -131,35 +131,6 @@ static void deliver_plain(private_kernel_libipsec_router_t *this,
 }
 
 /**
- * Create an FD set covering all TUN devices and the read end of the notify pipe
- */
-static int collect_fds(private_kernel_libipsec_router_t *this, fd_set *fds)
-{
-	enumerator_t *enumerator;
-	tun_entry_t *entry;
-	int maxfd;
-
-	FD_ZERO(fds);
-	FD_SET(this->notify[0], fds);
-	maxfd = this->notify[0];
-
-	FD_SET(this->tun.fd, fds);
-	maxfd = max(maxfd, this->tun.fd);
-
-	this->lock->read_lock(this->lock);
-	enumerator = this->tuns->create_enumerator(this->tuns);
-	while (enumerator->enumerate(enumerator, NULL, &entry))
-	{
-		FD_SET(entry->fd, fds);
-		maxfd = max(maxfd, entry->fd);
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-
-	return maxfd + 1;
-}
-
-/**
  * Read and process outbound plaintext packet for the given TUN device
  */
 static void process_plain(tun_device_t *tun)
@@ -183,29 +154,20 @@ static void process_plain(tun_device_t *tun)
 }
 
 /**
- * Handle waiting data for any TUN device
+ * Find flagged revents in a pollfd set by fd
  */
-static void handle_tuns(private_kernel_libipsec_router_t *this, fd_set *fds)
+static int find_revents(struct pollfd *pfd, int count, int fd)
 {
-	enumerator_t *enumerator;
-	tun_entry_t *entry;
+	int i;
 
-	if (FD_ISSET(this->tun.fd, fds))
+	for (i = 0; i < count; i++)
 	{
-		process_plain(this->tun.tun);
-	}
-
-	this->lock->read_lock(this->lock);
-	enumerator = this->tuns->create_enumerator(this->tuns);
-	while (enumerator->enumerate(enumerator, NULL, &entry))
-	{
-		if (FD_ISSET(entry->fd, fds))
+		if (pfd[i].fd == fd)
 		{
-			process_plain(entry->tun);
+			return pfd[i].revents;
 		}
 	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
+	return 0;
 }
 
 /**
@@ -213,28 +175,68 @@ static void handle_tuns(private_kernel_libipsec_router_t *this, fd_set *fds)
  */
 static job_requeue_t handle_plain(private_kernel_libipsec_router_t *this)
 {
+	enumerator_t *enumerator;
+	tun_entry_t *entry;
 	bool oldstate;
-	fd_set fds;
-	int maxfd;
+	int count = 0;
+	char buf[1];
+	struct pollfd *pfd;
+
+	this->lock->read_lock(this->lock);
 
-	maxfd = collect_fds(this, &fds);
+	pfd = alloca(sizeof(*pfd) * (this->tuns->get_count(this->tuns) + 2));
+	pfd[count].fd = this->notify[0];
+	pfd[count].events = POLLIN;
+	count++;
+	pfd[count].fd = this->tun.fd;
+	pfd[count].events = POLLIN;
+	count++;
+
+	enumerator = this->tuns->create_enumerator(this->tuns);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		pfd[count].fd = entry->fd;
+		pfd[count].events = POLLIN;
+		count++;
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	oldstate = thread_cancelability(TRUE);
-	if (select(maxfd, &fds, NULL, NULL, NULL) <= 0)
+	if (poll(pfd, count, -1) <= 0)
 	{
 		thread_cancelability(oldstate);
 		return JOB_REQUEUE_FAIR;
 	}
 	thread_cancelability(oldstate);
 
-	if (FD_ISSET(this->notify[0], &fds))
-	{	/* list of TUN devices changed, read notification data, rebuild FDs */
-		char buf[1];
-		while (read(this->notify[0], &buf, sizeof(buf)) == sizeof(buf));
+	if (pfd[0].revents & POLLIN)
+	{
+		/* list of TUN devices changed, read notification data, rebuild FDs */
+		while (read(this->notify[0], &buf, sizeof(buf)) == sizeof(buf))
+		{
+			/* nop */
+		}
 		return JOB_REQUEUE_DIRECT;
 	}
 
-	handle_tuns(this, &fds);
+	if (pfd[1].revents & POLLIN)
+	{
+		process_plain(this->tun.tun);
+	}
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->tuns->create_enumerator(this->tuns);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		if (find_revents(pfd, count, entry->fd) & POLLIN)
+		{
+			process_plain(entry->tun);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
 	return JOB_REQUEUE_DIRECT;
 }
 
diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in
index 1c92e30fc..efb214b88 100644
--- a/src/libcharon/plugins/kernel_wfp/Makefile.in
+++ b/src/libcharon/plugins/kernel_wfp/Makefile.in
@@ -237,6 +237,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -297,10 +298,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -374,6 +377,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
index 41f85ba5c..2e31aa151 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
@@ -54,6 +54,24 @@ const GUID FWPM_LAYER_IPFORWARD_V4 = {
 const GUID FWPM_LAYER_IPFORWARD_V6 = {
 	0x7b964818, 0x19c7, 0x493a, { 0xb7,0x1f,0x83,0x2c,0x36,0x84,0xd2,0x8c }
 };
+const GUID FWPM_LAYER_ALE_AUTH_CONNECT_V4 = {
+	0xc38d57d1, 0x05a7, 0x4c33, { 0x90,0x4f,0x7f,0xbc,0xee,0xe6,0x0e,0x82 }
+};
+const GUID FWPM_LAYER_ALE_AUTH_CONNECT_V6 = {
+	0x4a72393b, 0x319f, 0x44bc, { 0x84,0xc3,0xba,0x54,0xdc,0xb3,0xb6,0xb4 }
+};
+const GUID FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 = {
+	0xe1cd9fe7, 0xf4b5, 0x4273, { 0x96,0xc0,0x59,0x2e,0x48,0x7b,0x86,0x50 }
+};
+const GUID FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6 = {
+	0xa3b42c97, 0x9f04, 0x4672, { 0xb8,0x7e,0xce,0xe9,0xc4,0x83,0x25,0x7f }
+};
+const GUID FWPM_SUBLAYER_IPSEC_TUNNEL = {
+	0x83f299ed, 0x9ff4, 0x4967, { 0xaf,0xf4,0xc3,0x09,0xf4,0xda,0xb8,0x27 }
+};
+const GUID FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL = {
+	0xa5082e73, 0x8f71, 0x4559, { 0x8a,0x9a,0x10,0x1c,0xea,0x04,0xef,0x87 }
+};
 const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 = {
 	0x5132900d, 0x5e84, 0x4b5f, { 0x80,0xe4,0x01,0x74,0x1e,0x81,0xff,0x10 }
 };
@@ -90,6 +108,24 @@ const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 = {
 const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 = {
 	0xdae640cc, 0xe021, 0x4bee, { 0x9e,0xb6,0xa4,0x8b,0x27,0x5c,0x8c,0x1d }
 };
+const GUID FWPM_CALLOUT_IPSEC_ALE_CONNECT_V4 = {
+	0x6ac141fc, 0xf75d, 0x4203, { 0xb9,0xc8,0x48,0xe6,0x14,0x9c,0x27,0x12 }
+};
+const GUID FWPM_CALLOUT_IPSEC_ALE_CONNECT_V6 = {
+	0x4c0dda05, 0xe31f, 0x4666, { 0x90,0xb0,0xb3,0xdf,0xad,0x34,0x12,0x9a  }
+};
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V4 = {
+	0x3df6e7de, 0xfd20, 0x48f2, { 0x9f,0x26,0xf8,0x54,0x44,0x4c,0xba,0x79 }
+};
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V6 = {
+	0xa1e392d3, 0x72ac, 0x47bb, { 0x87,0xa7,0x01,0x22,0xc6,0x94,0x34,0xab }
+};
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V4 = {
+	0x7dff309b, 0xba7d, 0x4aba, { 0x91,0xaa,0xae,0x5c,0x66,0x40,0xc9,0x44 }
+};
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V6 = {
+	0xa9a0d6d9, 0xc58c, 0x474e, { 0x8a,0xeb,0x3c,0xfe,0x99,0xd6,0xd5,0x3d }
+};
 
 /**
  * Load a function symbol from a loaded dll
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h
index 50a89a007..a553a0986 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h
@@ -127,6 +127,10 @@ const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
 const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V6;
 const GUID FWPM_LAYER_IPFORWARD_V4;
 const GUID FWPM_LAYER_IPFORWARD_V6;
+const GUID FWPM_LAYER_ALE_AUTH_CONNECT_V4;
+const GUID FWPM_LAYER_ALE_AUTH_CONNECT_V6;
+const GUID FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4;
+const GUID FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6;
 const GUID FWPM_SUBLAYER_IPSEC_TUNNEL;
 const GUID FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL;
 const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4;
@@ -141,6 +145,12 @@ const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4;
 const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6;
 const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4;
 const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6;
+const GUID FWPM_CALLOUT_IPSEC_ALE_CONNECT_V4;
+const GUID FWPM_CALLOUT_IPSEC_ALE_CONNECT_V6;
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V4;
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V6;
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V4;
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V6;
 
 /* integrity config, missing in some MinGW versions */
 #ifndef IPSEC_AUTH_CONFIG_HMAC_MD5_96
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
index c788bfb10..b38ded846 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
@@ -26,6 +26,8 @@
 #include <collections/hashtable.h>
 #include <processing/jobs/callback_job.h>
 
+#define IPPROTO_IPIP 4
+#define IPPROTO_IPV6 41
 
 typedef struct private_kernel_wfp_ipsec_t private_kernel_wfp_ipsec_t;
 
@@ -188,6 +190,14 @@ typedef struct {
 	u_int64_t provider;
 	/** WFP allocated LUID for SA context */
 	u_int64_t sa_id;
+	/** WFP allocated LUID for tunnel mode IP-IPv4 inbound filter */
+	u_int64_t ip_ipv4_in;
+	/** WFP allocated LUID for tunnel mode IP-IPv4 outbound filter */
+	u_int64_t ip_ipv4_out;
+	/** WFP allocated LUID for tunnel mode IP-IPv6 inbound filter */
+	u_int64_t ip_ipv6_in;
+	/** WFP allocated LUID for tunnel mode IP-IPv6 outbound filter */
+	u_int64_t ip_ipv6_out;
 } entry_t;
 
 /**
@@ -285,6 +295,22 @@ static void cleanup_policies(private_kernel_wfp_ipsec_t *this, entry_t *entry)
  */
 static void entry_destroy(private_kernel_wfp_ipsec_t *this, entry_t *entry)
 {
+	if (entry->ip_ipv4_in)
+	{
+		FwpmFilterDeleteById0(this->handle, entry->ip_ipv4_in);
+	}
+	if (entry->ip_ipv4_out)
+	{
+		FwpmFilterDeleteById0(this->handle, entry->ip_ipv4_out);
+	}
+	if (entry->ip_ipv6_in)
+	{
+		FwpmFilterDeleteById0(this->handle, entry->ip_ipv6_in);
+	}
+	if (entry->ip_ipv6_out)
+	{
+		FwpmFilterDeleteById0(this->handle, entry->ip_ipv6_out);
+	}
 	if (entry->sa_id)
 	{
 		IPsecSaContextDeleteById0(this->handle, entry->sa_id);
@@ -553,49 +579,58 @@ static void free_conditions(FWPM_FILTER_CONDITION0 *conds, int count)
  * Find the callout GUID for given parameters
  */
 static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward,
-						 GUID *layer, GUID *sublayer, GUID *callout)
+						 bool ale, GUID *layer, GUID *sublayer, GUID *callout)
 {
 	struct {
 		bool tunnel;
 		bool v6;
 		bool inbound;
 		bool forward;
+		bool ale;
 		const GUID *layer;
 		const GUID *sublayer;
 		const GUID *callout;
 	} map[] = {
-		{ 0, 0, 0, 0, 	&FWPM_LAYER_OUTBOUND_TRANSPORT_V4, NULL,
-						&FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4			},
-		{ 0, 0, 1, 0,	&FWPM_LAYER_INBOUND_TRANSPORT_V4, NULL,
-						&FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4			},
-		{ 0, 1, 0, 0,	&FWPM_LAYER_OUTBOUND_TRANSPORT_V6, NULL,
-						&FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6			},
-		{ 0, 1, 1, 0,	&FWPM_LAYER_INBOUND_TRANSPORT_V6, NULL,
-						&FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6			},
-		{ 1, 0, 0, 0,	&FWPM_LAYER_OUTBOUND_TRANSPORT_V4,
-						&FWPM_SUBLAYER_IPSEC_TUNNEL,
-						&FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4				},
-		{ 1, 0, 0, 1,	&FWPM_LAYER_IPFORWARD_V4,
-						&FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL,
-						&FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4		},
-		{ 1, 0, 1, 0,	&FWPM_LAYER_INBOUND_TRANSPORT_V4,
-						&FWPM_SUBLAYER_IPSEC_TUNNEL,
-						&FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4				},
-		{ 1, 0, 1, 1,	&FWPM_LAYER_IPFORWARD_V4,
-						&FWPM_SUBLAYER_IPSEC_TUNNEL,
-						&FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4		},
-		{ 1, 1, 0, 0,	&FWPM_LAYER_OUTBOUND_TRANSPORT_V6,
-						&FWPM_SUBLAYER_IPSEC_TUNNEL,
-						&FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6				},
-		{ 1, 1, 0, 1,	&FWPM_LAYER_IPFORWARD_V6,
-						&FWPM_SUBLAYER_IPSEC_TUNNEL,
-						&FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6		},
-		{ 1, 1, 1, 0,	&FWPM_LAYER_INBOUND_TRANSPORT_V6,
-						&FWPM_SUBLAYER_IPSEC_TUNNEL,
-						&FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6				},
-		{ 1, 1, 1, 1,	&FWPM_LAYER_IPFORWARD_V6,
-						&FWPM_SUBLAYER_IPSEC_TUNNEL,
-						&FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6		},
+		{ 0, 0, 0, 0, 0,	&FWPM_LAYER_OUTBOUND_TRANSPORT_V4, NULL,
+							&FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4		},
+		{ 0, 0, 1, 0, 0,	&FWPM_LAYER_INBOUND_TRANSPORT_V4, NULL,
+							&FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4		},
+		{ 0, 1, 0, 0, 0,	&FWPM_LAYER_OUTBOUND_TRANSPORT_V6, NULL,
+							&FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6		},
+		{ 0, 1, 1, 0, 0,	&FWPM_LAYER_INBOUND_TRANSPORT_V6, NULL,
+							&FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6		},
+		{ 1, 0, 0, 0, 0,	&FWPM_LAYER_OUTBOUND_TRANSPORT_V4,
+							&FWPM_SUBLAYER_IPSEC_TUNNEL,
+							&FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4			},
+		{ 1, 0, 0, 1, 0,	&FWPM_LAYER_IPFORWARD_V4,
+							&FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL,
+							&FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4	},
+		{ 1, 0, 1, 0, 0,	&FWPM_LAYER_INBOUND_TRANSPORT_V4,
+							&FWPM_SUBLAYER_IPSEC_TUNNEL,
+							&FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4			},
+		{ 1, 0, 1, 1, 0,	&FWPM_LAYER_IPFORWARD_V4,
+							&FWPM_SUBLAYER_IPSEC_TUNNEL,
+							&FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4	},
+		{ 1, 0, 0, 0, 1,	&FWPM_LAYER_ALE_AUTH_CONNECT_V4, NULL,
+							&FWPM_CALLOUT_IPSEC_ALE_CONNECT_V4				},
+		{ 1, 0, 1, 0, 1,	&FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4, NULL,
+							&FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V4},
+		{ 1, 1, 0, 0, 0,	&FWPM_LAYER_OUTBOUND_TRANSPORT_V6,
+							&FWPM_SUBLAYER_IPSEC_TUNNEL,
+							&FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6			},
+		{ 1, 1, 0, 1, 0,	&FWPM_LAYER_IPFORWARD_V6,
+							&FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL,
+							&FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6	},
+		{ 1, 1, 1, 0, 0,	&FWPM_LAYER_INBOUND_TRANSPORT_V6,
+							&FWPM_SUBLAYER_IPSEC_TUNNEL,
+							&FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6			},
+		{ 1, 1, 1, 1, 0,	&FWPM_LAYER_IPFORWARD_V6,
+							&FWPM_SUBLAYER_IPSEC_TUNNEL,
+							&FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6	},
+		{ 1, 1, 0, 0, 1,	&FWPM_LAYER_ALE_AUTH_CONNECT_V6, NULL,
+							&FWPM_CALLOUT_IPSEC_ALE_CONNECT_V6				},
+		{ 1, 1, 1, 0, 1,	&FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, NULL,
+							&FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V6},
 	};
 	int i;
 
@@ -604,7 +639,8 @@ static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward,
 		if (tunnel == map[i].tunnel &&
 			v6 == map[i].v6 &&
 			inbound == map[i].inbound &&
-			forward == map[i].forward)
+			forward == map[i].forward &&
+			ale == map[i].ale)
 		{
 			*callout = *map[i].callout;
 			*layer = *map[i].layer;
@@ -647,7 +683,7 @@ static bool install_sp(private_kernel_wfp_ipsec_t *this, sp_entry_t *sp,
 	}
 
 	v6 = sp->src->get_type(sp->src) == TS_IPV6_ADDR_RANGE;
-	if (!find_callout(context != NULL, v6, inbound, fwd,
+	if (!find_callout(context != NULL, v6, inbound, fwd, FALSE,
 					  &filter.layerKey, &filter.subLayerKey,
 					  &filter.action.calloutKey))
 	{
@@ -688,8 +724,73 @@ static bool install_sp(private_kernel_wfp_ipsec_t *this, sp_entry_t *sp,
 	free_conditions(conds, count);
 	if (res != ERROR_SUCCESS)
 	{
-		DBG1(DBG_KNL, "installing %s%sbound WFP filter failed: 0x%08x",
-			 fwd ? "forward " : "", inbound ? "in" : "out", res);
+		DBG1(DBG_KNL, "installing IPv%d %s%sbound %s WFP filter failed: 0x%08x",
+			 v6 ? 6 : 4, fwd ? "forward " : "", inbound ? "in" : "out",
+			 context ? "tunnel" : "transport", res);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Install an IP-IP allow filter for SA specific hosts
+ */
+static bool install_ipip_ale(private_kernel_wfp_ipsec_t *this,
+							 host_t *local, host_t *remote, GUID *context,
+							 bool inbound, int proto, u_int64_t *filter_id)
+{
+	traffic_selector_t *lts, *rts;
+	FWPM_FILTER_CONDITION0 *conds = NULL;
+	int count = 0;
+	bool v6;
+	DWORD res;
+	FWPM_FILTER0 filter = {
+		.displayData = {
+			.name = L"charon IPsec IP-in-IP ALE policy",
+		},
+		.action = {
+			.type = FWP_ACTION_CALLOUT_TERMINATING,
+		},
+	};
+
+	if (context)
+	{
+		filter.flags |= FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT;
+		filter.providerKey = (GUID*)&this->provider.providerKey;
+		filter.providerContextKey = *context;
+	}
+
+	v6 = local->get_family(local) == AF_INET6;
+	if (!find_callout(TRUE, v6, inbound, FALSE, TRUE, &filter.layerKey,
+					  &filter.subLayerKey, &filter.action.calloutKey))
+	{
+		return FALSE;
+	}
+
+	lts = traffic_selector_create_from_subnet(local->clone(local),
+											v6 ? 128 : 32 , proto, 0, 65535);
+	rts = traffic_selector_create_from_subnet(remote->clone(remote),
+											v6 ? 128 : 32 , proto, 0, 65535);
+	if (!ts2condition(lts, &FWPM_CONDITION_IP_LOCAL_ADDRESS, &conds, &count) ||
+		!ts2condition(rts, &FWPM_CONDITION_IP_REMOTE_ADDRESS, &conds, &count))
+	{
+		free_conditions(conds, count);
+		lts->destroy(lts);
+		rts->destroy(rts);
+		return FALSE;
+	}
+	lts->destroy(lts);
+	rts->destroy(rts);
+
+	filter.numFilterConditions = count;
+	filter.filterCondition = conds;
+
+	res = FwpmFilterAdd0(this->handle, &filter, NULL, filter_id);
+	free_conditions(conds, count);
+	if (res != ERROR_SUCCESS)
+	{
+		DBG1(DBG_KNL, "installing IP-IPv%d %s ALE WFP filter failed: 0x%08x",
+			 v6 ? 6 : 4, inbound ? "inbound" : "outbound", res);
 		return FALSE;
 	}
 	return TRUE;
@@ -703,10 +804,21 @@ static bool install_sps(private_kernel_wfp_ipsec_t *this,
 {
 	enumerator_t *enumerator;
 	sp_entry_t *sp;
+	bool has_v4 = FALSE, has_v6 = FALSE;
 
 	enumerator = array_create_enumerator(entry->sps);
 	while (enumerator->enumerate(enumerator, &sp))
 	{
+		switch (sp->src->get_type(sp->src))
+		{
+			case TS_IPV4_ADDR_RANGE:
+				has_v4 = TRUE;
+				break;
+			case TS_IPV6_ADDR_RANGE:
+				has_v6 = TRUE;
+				break;
+		}
+
 		/* inbound policy */
 		if (!install_sp(this, sp, context, TRUE, FALSE, &sp->policy_in))
 		{
@@ -719,21 +831,22 @@ static bool install_sps(private_kernel_wfp_ipsec_t *this,
 			enumerator->destroy(enumerator);
 			return FALSE;
 		}
+
 		if (context)
 		{
 			if (!sp->src->is_host(sp->src, entry->local) ||
 				!sp->dst->is_host(sp->dst, entry->remote))
 			{
 				/* inbound forward policy, from decapsulation */
-				if (!install_sp(this, sp, context,
-								TRUE, TRUE, &sp->policy_fwd_in))
+				if (!install_sp(this, sp, context, TRUE, TRUE,
+								&sp->policy_fwd_in))
 				{
 					enumerator->destroy(enumerator);
 					return FALSE;
 				}
 				/* outbound forward policy, to encapsulate */
-				if (!install_sp(this, sp, context,
-								FALSE, TRUE, &sp->policy_fwd_out))
+				if (!install_sp(this, sp, context, FALSE, TRUE,
+								&sp->policy_fwd_out))
 				{
 					enumerator->destroy(enumerator);
 					return FALSE;
@@ -743,6 +856,38 @@ static bool install_sps(private_kernel_wfp_ipsec_t *this,
 	}
 	enumerator->destroy(enumerator);
 
+	if (context)
+	{
+		/* In tunnel mode, Windows does firewall filtering on decrypted but
+		 * non-unwrapped packets: It sees them as IP-in-IP packets. When using
+		 * a default-drop policy, we need to allow such packets explicitly. */
+		if (has_v4)
+		{
+			if (!install_ipip_ale(this, entry->local, entry->remote, context,
+								  TRUE, IPPROTO_IPIP, &entry->ip_ipv4_in))
+			{
+				return FALSE;
+			}
+			if (!install_ipip_ale(this, entry->local, entry->remote, NULL,
+								  FALSE, IPPROTO_IPIP, &entry->ip_ipv4_out))
+			{
+				return FALSE;
+			}
+		}
+		if (has_v6)
+		{
+			if (!install_ipip_ale(this, entry->local, entry->remote, context,
+								  TRUE, IPPROTO_IPV6, &entry->ip_ipv6_in))
+			{
+				return FALSE;
+			}
+			if (!install_ipip_ale(this, entry->local, entry->remote, NULL,
+								  FALSE, IPPROTO_IPV6, &entry->ip_ipv6_out))
+			{
+				return FALSE;
+			}
+		}
+	}
 	return TRUE;
 }
 
@@ -1583,8 +1728,20 @@ static void WINAPI event_callback(void *user, const FWPM_NET_EVENT1 *event)
 			acquire(this, event->classifyDrop->filterId, local, remote);
 			break;
 		case FWPM_NET_EVENT_TYPE_IKEEXT_MM_FAILURE:
+			DBG1(DBG_KNL, "WFP MM failure: %R === %R, 0x%08x, filterId %llu",
+				 local, remote, event->ikeMmFailure->failureErrorCode,
+				 event->ikeMmFailure->mmFilterId);
+			break;
 		case FWPM_NET_EVENT_TYPE_IKEEXT_QM_FAILURE:
+			DBG1(DBG_KNL, "WFP QM failure: %R === %R, 0x%08x, filterId %llu",
+				 local, remote, event->ikeQmFailure->failureErrorCode,
+				 event->ikeQmFailure->qmFilterId);
+			break;
 		case FWPM_NET_EVENT_TYPE_IKEEXT_EM_FAILURE:
+			DBG1(DBG_KNL, "WFP EM failure: %R === %R, 0x%08x, filterId %llu",
+				 local, remote, event->ikeEmFailure->failureErrorCode,
+				 event->ikeEmFailure->qmFilterId);
+			break;
 		case FWPM_NET_EVENT_TYPE_IPSEC_KERNEL_DROP:
 			DBG1(DBG_KNL, "IPsec kernel drop: %R === %R, error 0x%08x, "
 				 "SPI 0x%08x, %s filterId %llu", local, remote,
@@ -1824,7 +1981,7 @@ static u_int permute(u_int x, u_int p)
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
 	private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
-	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+	u_int8_t protocol, u_int32_t *spi)
 {
 	/* To avoid sequencial SPIs, we use a one-to-one permuation function on
 	 * an incrementing counter, that is a full period PRNG for the range we
@@ -1841,7 +1998,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
 	private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t reqid, u_int16_t *cpi)
+	u_int16_t *cpi)
 {
 	return NOT_SUPPORTED;
 }
@@ -1875,9 +2032,8 @@ static void expire_data_destroy(expire_data_t *data)
 static job_requeue_t expire_job(expire_data_t *data)
 {
 	private_kernel_wfp_ipsec_t *this = data->this;
-	u_int32_t reqid = 0;
 	u_int8_t protocol;
-	entry_t *entry;
+	entry_t *entry = NULL;
 	sa_entry_t key = {
 		.spi = data->spi,
 		.dst = data->dst,
@@ -1891,7 +2047,6 @@ static job_requeue_t expire_job(expire_data_t *data)
 		if (entry)
 		{
 			protocol = entry->isa.protocol;
-			reqid = entry->reqid;
 			if (entry->osa.dst)
 			{
 				key.dst = entry->osa.dst;
@@ -1908,15 +2063,14 @@ static job_requeue_t expire_job(expire_data_t *data)
 		if (entry)
 		{
 			protocol = entry->isa.protocol;
-			reqid = entry->reqid;
 		}
 		this->mutex->unlock(this->mutex);
 	}
 
-	if (reqid)
+	if (entry)
 	{
-		hydra->kernel_interface->expire(hydra->kernel_interface,
-										reqid, protocol, data->spi, data->hard);
+		hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
+										data->spi, data->dst, data->hard);
 	}
 
 	return JOB_REQUEUE_NONE;
@@ -1949,8 +2103,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
 	u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
-	bool initiator, bool encap, bool esn, bool inbound,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+	bool initiator, bool encap, bool esn, bool inbound, bool update,
+	linked_list_t *src_ts, linked_list_t *dst_ts)
 {
 	host_t *local, *remote;
 	entry_t *entry;
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index db4552dde..7942868f6 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index 418dccba5..52dbec53f 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -239,6 +239,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -299,10 +300,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -376,6 +379,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index bc7c0ffbc..8a500635c 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -394,6 +394,28 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
 				}
 			}
 		}
+		else if (strpfx(str, "xauth"))
+		{	/* XAuth, use a username */
+			class = AUTH_CLASS_XAUTH;
+			if (*(str + strlen("xauth")) == '-')
+			{
+				auth->add(auth, AUTH_RULE_XAUTH_BACKEND, str + strlen("xauth-"));
+			}
+			if (!id)
+			{
+				if (local && num)
+				{
+					snprintf(buf, sizeof(buf), "cli-%.6d-%.2d", num, rnd);
+					id = identification_create_from_string(buf);
+				}
+				else
+				{
+					id = identification_create_from_encoding(ID_ANY, chunk_empty);
+				}
+			}
+			/* additionally set the ID as XAuth identity */
+			auth->add(auth, AUTH_RULE_XAUTH_IDENTITY, id->clone(id));
+		}
 		else
 		{
 			if (!streq(str, "pubkey"))
@@ -618,7 +640,7 @@ static host_t *allocate_addr(private_load_tester_config_t *this, uint num)
 	enumerator = this->pools->create_enumerator(this->pools);
 	while (enumerator->enumerate(enumerator, &pool))
 	{
-		found = pool->acquire_address(pool, id, requested, MEM_POOL_NEW);
+		found = pool->acquire_address(pool, id, requested, MEM_POOL_NEW, NULL);
 		if (found)
 		{
 			iface = (char*)pool->get_name(pool);
diff --git a/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c b/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c
index d5ec3599b..e1c7c0e0b 100644
--- a/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c
+++ b/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c
@@ -15,33 +15,38 @@
 
 #include "load_tester_diffie_hellman.h"
 
-/**
- * Implementation of gmp_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(load_tester_diffie_hellman_t *this,
-								chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, bool,
+	load_tester_diffie_hellman_t *this, chunk_t *value)
 {
 	*value = chunk_empty;
+	return TRUE;
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.get_shared_secret.
- */
-static status_t get_shared_secret(load_tester_diffie_hellman_t *this,
-								  chunk_t *secret)
+METHOD(diffie_hellman_t, set_other_public_value, bool,
+	load_tester_diffie_hellman_t *this, chunk_t value)
+{
+	return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_shared_secret, bool,
+	load_tester_diffie_hellman_t *this, chunk_t *secret)
 {
 	*secret = chunk_empty;
-	return SUCCESS;
+	return TRUE;
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(load_tester_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	load_tester_diffie_hellman_t *this)
 {
 	return MODP_NULL;
 }
 
+METHOD(diffie_hellman_t, destroy, void,
+	load_tester_diffie_hellman_t *this)
+{
+	free(this);
+}
+
 /**
  * See header
  */
@@ -55,13 +60,15 @@ load_tester_diffie_hellman_t *load_tester_diffie_hellman_create(
 		return NULL;
 	}
 
-	this = malloc_thing(load_tester_diffie_hellman_t);
-
-	this->dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *))get_shared_secret;
-	this->dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t ))nop;
-	this->dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *))get_my_public_value;
-	this->dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *))get_dh_group;
-	this->dh.destroy = (void (*)(diffie_hellman_t *))free;
+	INIT(this,
+		.dh = {
+			.get_shared_secret = _get_shared_secret,
+			.set_other_public_value = _set_other_public_value,
+			.get_my_public_value = _get_my_public_value,
+			.get_dh_group = _get_dh_group,
+			.destroy = _destroy,
+		}
+	);
 
 	return this;
 }
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index 3f256ddd0..62d43e302 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -36,7 +36,7 @@ struct private_load_tester_ipsec_t {
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
 	private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+	u_int8_t protocol, u_int32_t *spi)
 {
 	*spi = (uint32_t)ref_get(&this->spi);
 	return SUCCESS;
@@ -44,7 +44,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
 	private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t reqid, u_int16_t *cpi)
+	u_int16_t *cpi)
 {
 	return FAILED;
 }
@@ -55,8 +55,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
 	u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
-	bool initiator, bool encap, bool esn, bool inbound,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+	bool initiator, bool encap, bool esn, bool inbound, bool update,
+	linked_list_t *src_ts, linked_list_t *dst_ts)
 {
 	return SUCCESS;
 }
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index f0f2c75f4..264c58ff5 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -235,6 +235,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -295,10 +296,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -372,6 +375,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index 3a866e968..76c9012b2 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index e0f70ce44..35740c369 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index adb61e817..8fe160ef3 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
index a0c21c442..9a5e438e1 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.in
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/osx_attr/osx_attr_handler.c b/src/libcharon/plugins/osx_attr/osx_attr_handler.c
index 9a3b2701d..d974b57ce 100644
--- a/src/libcharon/plugins/osx_attr/osx_attr_handler.c
+++ b/src/libcharon/plugins/osx_attr/osx_attr_handler.c
@@ -169,7 +169,7 @@ static bool manage_dns(int family, chunk_t data, bool add)
 }
 
 METHOD(attribute_handler_t, handle, bool,
-	private_osx_attr_handler_t *this, identification_t *id,
+	private_osx_attr_handler_t *this, ike_sa_t *ike_sa,
 	configuration_attribute_type_t type, chunk_t data)
 {
 	switch (type)
@@ -182,7 +182,7 @@ METHOD(attribute_handler_t, handle, bool,
 }
 
 METHOD(attribute_handler_t, release, void,
-	private_osx_attr_handler_t *this, identification_t *server,
+	private_osx_attr_handler_t *this, ike_sa_t *ike_sa,
 	configuration_attribute_type_t type, chunk_t data)
 {
 	switch (type)
@@ -206,7 +206,7 @@ METHOD(enumerator_t, enumerate_dns, bool,
 }
 
 METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
-	private_osx_attr_handler_t *this, identification_t *id,
+	private_osx_attr_handler_t *this, ike_sa_t *ike_sa,
 	linked_list_t *vips)
 {
 	enumerator_t *enumerator;
diff --git a/src/libcharon/plugins/osx_attr/osx_attr_plugin.c b/src/libcharon/plugins/osx_attr/osx_attr_plugin.c
index 380483c23..4be9eda5e 100644
--- a/src/libcharon/plugins/osx_attr/osx_attr_plugin.c
+++ b/src/libcharon/plugins/osx_attr/osx_attr_plugin.c
@@ -16,7 +16,6 @@
 #include "osx_attr_plugin.h"
 #include "osx_attr_handler.h"
 
-#include <hydra.h>
 #include <daemon.h>
 
 typedef struct private_osx_attr_plugin_t private_osx_attr_plugin_t;
@@ -51,13 +50,13 @@ static bool plugin_cb(private_osx_attr_plugin_t *this,
 {
 	if (reg)
 	{
-		hydra->attributes->add_handler(hydra->attributes,
-									   &this->handler->handler);
+		charon->attributes->add_handler(charon->attributes,
+										&this->handler->handler);
 	}
 	else
 	{
-		hydra->attributes->remove_handler(hydra->attributes,
-										  &this->handler->handler);
+		charon->attributes->remove_handler(charon->attributes,
+										   &this->handler->handler);
 	}
 	return TRUE;
 }
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index 14abba99a..baff3fc76 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libhydra/plugins/resolve/Makefile.am b/src/libcharon/plugins/resolve/Makefile.am
index 33c3e70fc..9cfc370c0 100644
--- a/src/libhydra/plugins/resolve/Makefile.am
+++ b/src/libcharon/plugins/resolve/Makefile.am
@@ -1,6 +1,7 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DRESOLV_CONF=\"${resolv_conf}\"
 
 AM_CFLAGS = \
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in
index 5b4c7bc6a..91479bf52 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libcharon/plugins/resolve/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libhydra/plugins/resolve
+subdir = src/libcharon/plugins/resolve
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -427,6 +432,7 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DRESOLV_CONF=\"${resolv_conf}\"
 
 AM_CFLAGS = \
@@ -452,9 +458,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/resolve/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libhydra/plugins/resolve/Makefile
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
diff --git a/src/libhydra/plugins/resolve/resolve_handler.c b/src/libcharon/plugins/resolve/resolve_handler.c
index 069466ab5..74c3960ff 100644
--- a/src/libhydra/plugins/resolve/resolve_handler.c
+++ b/src/libcharon/plugins/resolve/resolve_handler.c
@@ -185,9 +185,10 @@ static bool invoke_resolvconf(private_resolve_handler_t *this,
 }
 
 METHOD(attribute_handler_t, handle, bool,
-	private_resolve_handler_t *this, identification_t *server,
+	private_resolve_handler_t *this, ike_sa_t *ike_sa,
 	configuration_attribute_type_t type, chunk_t data)
 {
+	identification_t *server;
 	host_t *addr;
 	bool handled;
 
@@ -208,6 +209,7 @@ METHOD(attribute_handler_t, handle, bool,
 		DESTROY_IF(addr);
 		return FALSE;
 	}
+	server = ike_sa->get_other_id(ike_sa);
 
 	this->mutex->lock(this->mutex);
 	if (this->use_resolvconf)
@@ -229,9 +231,10 @@ METHOD(attribute_handler_t, handle, bool,
 }
 
 METHOD(attribute_handler_t, release, void,
-	private_resolve_handler_t *this, identification_t *server,
+	private_resolve_handler_t *this, ike_sa_t *ike_sa,
 	configuration_attribute_type_t type, chunk_t data)
 {
+	identification_t *server;
 	host_t *addr;
 	int family;
 
@@ -247,6 +250,7 @@ METHOD(attribute_handler_t, release, void,
 			return;
 	}
 	addr = host_create_from_chunk(family, data, 0);
+	server = ike_sa->get_other_id(ike_sa);
 
 	this->mutex->lock(this->mutex);
 	if (this->use_resolvconf)
@@ -319,7 +323,7 @@ static bool has_host_family(linked_list_t *list, int family)
 }
 
 METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*,
-	private_resolve_handler_t *this, identification_t *server,
+	private_resolve_handler_t *this, ike_sa_t *ike_sa,
 	linked_list_t *vips)
 {
 	attribute_enumerator_t *enumerator;
@@ -374,4 +378,3 @@ resolve_handler_t *resolve_handler_create()
 
 	return &this->public;
 }
-
diff --git a/src/libhydra/plugins/resolve/resolve_handler.h b/src/libcharon/plugins/resolve/resolve_handler.h
index 77bf9781c..77bf9781c 100644
--- a/src/libhydra/plugins/resolve/resolve_handler.h
+++ b/src/libcharon/plugins/resolve/resolve_handler.h
diff --git a/src/libhydra/plugins/resolve/resolve_plugin.c b/src/libcharon/plugins/resolve/resolve_plugin.c
index 2fef09a49..193c5b602 100644
--- a/src/libhydra/plugins/resolve/resolve_plugin.c
+++ b/src/libcharon/plugins/resolve/resolve_plugin.c
@@ -16,7 +16,7 @@
 #include "resolve_plugin.h"
 #include "resolve_handler.h"
 
-#include <hydra.h>
+#include <daemon.h>
 
 typedef struct private_resolve_plugin_t private_resolve_plugin_t;
 
@@ -50,13 +50,13 @@ static bool plugin_cb(private_resolve_plugin_t *this,
 {
 	if (reg)
 	{
-		hydra->attributes->add_handler(hydra->attributes,
-									   &this->handler->handler);
+		charon->attributes->add_handler(charon->attributes,
+										&this->handler->handler);
 	}
 	else
 	{
-		hydra->attributes->remove_handler(hydra->attributes,
-										  &this->handler->handler);
+		charon->attributes->remove_handler(charon->attributes,
+										   &this->handler->handler);
 	}
 	return TRUE;
 }
@@ -99,4 +99,3 @@ plugin_t *resolve_plugin_create()
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libhydra/plugins/resolve/resolve_plugin.h b/src/libcharon/plugins/resolve/resolve_plugin.h
index 0148b10d7..0148b10d7 100644
--- a/src/libhydra/plugins/resolve/resolve_plugin.h
+++ b/src/libcharon/plugins/resolve/resolve_plugin.h
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 7c5b030f4..572e7fc2f 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index 548524a38..25b40995b 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index 9cc39955b..dbfddbb81 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -141,6 +141,11 @@ struct private_socket_default_socket_t {
 	 * TRUE if the source address should be set on outbound packets
 	 */
 	bool set_source;
+
+	/**
+	 * A counter to implement round-robin selection of read sockets
+	 */
+	u_int rr_counter;
 };
 
 METHOD(socket_t, receiver, status_t,
@@ -150,66 +155,43 @@ METHOD(socket_t, receiver, status_t,
 	chunk_t data;
 	packet_t *pkt;
 	host_t *source = NULL, *dest = NULL;
-	int bytes_read = 0;
+	int i, rr, index, bytes_read = 0, selected = -1;
 	bool oldstate;
-
-	fd_set rfds;
-	int max_fd = 0, selected = 0;
 	u_int16_t port = 0;
-
-	FD_ZERO(&rfds);
-
-	if (this->ipv4 != -1)
-	{
-		FD_SET(this->ipv4, &rfds);
-		max_fd = max(max_fd, this->ipv4);
-	}
-	if (this->ipv4_natt != -1)
-	{
-		FD_SET(this->ipv4_natt, &rfds);
-		max_fd = max(max_fd, this->ipv4_natt);
-	}
-	if (this->ipv6 != -1)
-	{
-		FD_SET(this->ipv6, &rfds);
-		max_fd = max(max_fd, this->ipv6);
-	}
-	if (this->ipv6_natt != -1)
-	{
-		FD_SET(this->ipv6_natt, &rfds);
-		max_fd = max(max_fd, this->ipv6_natt);
-	}
+	struct pollfd pfd[] = {
+		{ .fd = this->ipv4,			.events = POLLIN },
+		{ .fd = this->ipv4_natt,	.events = POLLIN },
+		{ .fd = this->ipv6,			.events = POLLIN },
+		{ .fd = this->ipv6_natt,	.events = POLLIN },
+	};
+	int ports[] = {
+		/* port numbers associated to pollfds */
+		this->port, this->natt, this->port, this->natt,
+	};
 
 	DBG2(DBG_NET, "waiting for data on sockets");
 	oldstate = thread_cancelability(TRUE);
-	if (select(max_fd + 1, &rfds, NULL, NULL, NULL) <= 0)
+	if (poll(pfd, countof(pfd), -1) <= 0)
 	{
 		thread_cancelability(oldstate);
 		return FAILED;
 	}
 	thread_cancelability(oldstate);
 
-	if (this->ipv4 != -1 && FD_ISSET(this->ipv4, &rfds))
+	rr = this->rr_counter++;
+	for (i = 0; i < countof(pfd); i++)
 	{
-		port = this->port;
-		selected = this->ipv4;
-	}
-	if (this->ipv4_natt != -1 && FD_ISSET(this->ipv4_natt, &rfds))
-	{
-		port = this->natt;
-		selected = this->ipv4_natt;
-	}
-	if (this->ipv6 != -1 && FD_ISSET(this->ipv6, &rfds))
-	{
-		port = this->port;
-		selected = this->ipv6;
-	}
-	if (this->ipv6_natt != -1 && FD_ISSET(this->ipv6_natt, &rfds))
-	{
-		port = this->natt;
-		selected = this->ipv6_natt;
+		/* To serve all ports with equal priority, we use a round-robin
+		 * scheme to choose the one to process in this invocation */
+		index = (rr + i) % countof(pfd);
+		if (pfd[index].revents & POLLIN)
+		{
+			selected = pfd[index].fd;
+			port = ports[index];
+			break;
+		}
 	}
-	if (selected)
+	if (selected != -1)
 	{
 		struct msghdr msg;
 		struct cmsghdr *cmsgptr;
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 892549c6c..5c010a59a 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/socket_win/Makefile.in b/src/libcharon/plugins/socket_win/Makefile.in
index 88b2ac3f0..0c3bf31b9 100644
--- a/src/libcharon/plugins/socket_win/Makefile.in
+++ b/src/libcharon/plugins/socket_win/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 3c132457b..f74257af2 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index d4680186a..a316f5c25 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/stroke/stroke_attribute.c b/src/libcharon/plugins/stroke/stroke_attribute.c
index 0f3c38986..cd1b4d093 100644
--- a/src/libcharon/plugins/stroke/stroke_attribute.c
+++ b/src/libcharon/plugins/stroke/stroke_attribute.c
@@ -94,7 +94,7 @@ static mem_pool_t *find_pool(private_stroke_attribute_t *this, char *name)
  */
 static host_t *find_addr(private_stroke_attribute_t *this, linked_list_t *pools,
 						 identification_t *id, host_t *requested,
-						 mem_pool_op_t operation)
+						 mem_pool_op_t operation, host_t *peer)
 {
 	host_t *addr = NULL;
 	enumerator_t *enumerator;
@@ -107,7 +107,7 @@ static host_t *find_addr(private_stroke_attribute_t *this, linked_list_t *pools,
 		pool = find_pool(this, name);
 		if (pool)
 		{
-			addr = pool->acquire_address(pool, id, requested, operation);
+			addr = pool->acquire_address(pool, id, requested, operation, peer);
 			if (addr)
 			{
 				break;
@@ -120,20 +120,24 @@ static host_t *find_addr(private_stroke_attribute_t *this, linked_list_t *pools,
 }
 
 METHOD(attribute_provider_t, acquire_address, host_t*,
-	private_stroke_attribute_t *this, linked_list_t *pools, identification_t *id,
+	private_stroke_attribute_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
 	host_t *requested)
 {
-	host_t *addr;
+	identification_t *id;
+	host_t *addr, *peer;
+
+	id = ike_sa->get_other_eap_id(ike_sa);
+	peer = ike_sa->get_other_host(ike_sa);
 
 	this->lock->read_lock(this->lock);
 
-	addr = find_addr(this, pools, id, requested, MEM_POOL_EXISTING);
+	addr = find_addr(this, pools, id, requested, MEM_POOL_EXISTING, peer);
 	if (!addr)
 	{
-		addr = find_addr(this, pools, id, requested, MEM_POOL_NEW);
+		addr = find_addr(this, pools, id, requested, MEM_POOL_NEW, peer);
 		if (!addr)
 		{
-			addr = find_addr(this, pools, id, requested, MEM_POOL_REASSIGN);
+			addr = find_addr(this, pools, id, requested, MEM_POOL_REASSIGN, peer);
 		}
 	}
 
@@ -144,13 +148,16 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 
 METHOD(attribute_provider_t, release_address, bool,
 	private_stroke_attribute_t *this, linked_list_t *pools, host_t *address,
-	identification_t *id)
+	ike_sa_t *ike_sa)
 {
 	enumerator_t *enumerator;
+	identification_t *id;
 	mem_pool_t *pool;
 	bool found = FALSE;
 	char *name;
 
+	id = ike_sa->get_other_eap_id(ike_sa);
+
 	enumerator = pools->create_enumerator(pools);
 	this->lock->read_lock(this->lock);
 	while (enumerator->enumerate(enumerator, &name))
@@ -197,9 +204,8 @@ static bool attr_filter(void *lock, host_t **in,
 
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 	private_stroke_attribute_t *this, linked_list_t *pools,
-	identification_t *id, linked_list_t *vips)
+	ike_sa_t *ike_sa, linked_list_t *vips)
 {
-	ike_sa_t *ike_sa;
 	peer_cfg_t *peer_cfg;
 	enumerator_t *enumerator;
 	attributes_t *attr;
@@ -413,4 +419,3 @@ stroke_attribute_t *stroke_attribute_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c
index f8026875f..b470b81c6 100644
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@@ -120,6 +120,84 @@ static void ca_section_destroy(ca_section_t *this)
 }
 
 /**
+ * Data for the certificate enumerator
+ */
+typedef struct {
+	private_stroke_ca_t *this;
+	certificate_type_t cert;
+	key_type_t key;
+	identification_t *id;
+} cert_data_t;
+
+/**
+ * destroy cert_data
+ */
+static void cert_data_destroy(cert_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * filter function for certs enumerator
+ */
+static bool certs_filter(cert_data_t *data, ca_section_t **in,
+						 certificate_t **out)
+{
+	public_key_t *public;
+	certificate_t *cert = (*in)->cert;
+
+	if (data->cert == CERT_ANY || data->cert == cert->get_type(cert))
+	{
+		public = cert->get_public_key(cert);
+		if (public)
+		{
+			if (data->key == KEY_ANY || data->key == public->get_type(public))
+			{
+				if (data->id && public->has_fingerprint(public,
+											data->id->get_encoding(data->id)))
+				{
+					public->destroy(public);
+					*out = cert;
+					return TRUE;
+				}
+			}
+			public->destroy(public);
+		}
+		else if (data->key != KEY_ANY)
+		{
+			return FALSE;
+		}
+		if (data->id == NULL || cert->has_subject(cert, data->id))
+		{
+			*out = cert;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+	private_stroke_ca_t *this, certificate_type_t cert, key_type_t key,
+	identification_t *id, bool trusted)
+{
+	enumerator_t *enumerator;
+	cert_data_t *data;
+
+	INIT(data,
+		.this = this,
+		.cert = cert,
+		.key = key,
+		.id = id,
+	);
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->sections->create_enumerator(this->sections);
+	return enumerator_create_filter(enumerator, (void*)certs_filter, data,
+									(void*)cert_data_destroy);
+}
+
+/**
  * data to pass to create_inner_cdp
  */
 typedef struct {
@@ -438,7 +516,7 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
 		.public = {
 			.set = {
 				.create_private_enumerator = (void*)return_null,
-				.create_cert_enumerator = (void*)return_null,
+				.create_cert_enumerator = _create_cert_enumerator,
 				.create_shared_enumerator = (void*)return_null,
 				.create_cdp_enumerator = _create_cdp_enumerator,
 				.cache_cert = (void*)nop,
@@ -456,4 +534,3 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 62967b006..55ec7cdc9 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2014 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -301,7 +301,8 @@ static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy)
 static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
 {
 	enumerator_t *enumerator;
-	bool rsa = FALSE, ecdsa = FALSE, rsa_len = FALSE, ecdsa_len = FALSE;
+	bool rsa = FALSE, ecdsa = FALSE, bliss = FALSE,
+		 rsa_len = FALSE, ecdsa_len = FALSE, bliss_strength = FALSE;
 	int strength;
 	char *token;
 
@@ -328,9 +329,12 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
 			{ "sha256",		SIGN_ECDSA_256,					KEY_ECDSA,	},
 			{ "sha384",		SIGN_ECDSA_384,					KEY_ECDSA,	},
 			{ "sha512",		SIGN_ECDSA_521,					KEY_ECDSA,	},
+			{ "sha256",		SIGN_BLISS_WITH_SHA256,			KEY_BLISS,	},
+			{ "sha384",		SIGN_BLISS_WITH_SHA384,			KEY_BLISS,	},
+			{ "sha512",		SIGN_BLISS_WITH_SHA512,			KEY_BLISS,	},
 		};
 
-		if (rsa_len || ecdsa_len)
+		if (rsa_len || ecdsa_len || bliss_strength)
 		{	/* expecting a key strength token */
 			strength = atoi(token);
 			if (strength)
@@ -343,8 +347,12 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
 				{
 					cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
 				}
+				else if (bliss_strength)
+				{
+					cfg->add(cfg, AUTH_RULE_BLISS_STRENGTH, (uintptr_t)strength);
+				}
 			}
-			rsa_len = ecdsa_len = FALSE;
+			rsa_len = ecdsa_len = bliss_strength = FALSE;
 			if (strength)
 			{
 				continue;
@@ -360,6 +368,11 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
 			ecdsa = ecdsa_len = TRUE;
 			continue;
 		}
+		if (streq(token, "bliss"))
+		{
+			bliss = bliss_strength = TRUE;
+			continue;
+		}
 		if (streq(token, "pubkey"))
 		{
 			continue;
@@ -376,7 +389,8 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
 				 */
 				if ((rsa && schemes[i].key == KEY_RSA) ||
 					(ecdsa && schemes[i].key == KEY_ECDSA) ||
-					(!rsa && !ecdsa))
+					(bliss && schemes[i].key == KEY_BLISS) ||
+					(!rsa && !ecdsa && !bliss))
 				{
 					cfg->add(cfg, AUTH_RULE_SIGNATURE_SCHEME,
 							 (uintptr_t)schemes[i].scheme);
@@ -590,7 +604,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	/* authentication metod (class, actually) */
 	if (strpfx(auth, "pubkey") ||
 		strpfx(auth, "rsa") ||
-		strpfx(auth, "ecdsa"))
+		strpfx(auth, "ecdsa") ||
+		strpfx(auth, "bliss"))
 	{
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 		build_crl_policy(cfg, local, msg->add_conn.crl_policy);
@@ -620,9 +635,16 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	else if (strpfx(auth, "eap"))
 	{
 		eap_vendor_type_t *type;
+		char *pos;
 
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-
+		/* check for public key constraints for EAP-TLS etc. */
+		pos = strchr(auth, ':');
+		if (pos)
+		{
+			*pos = 0;
+			parse_pubkey_constraints(pos + 1, cfg);
+		}
 		type = eap_vendor_type_from_string(auth);
 		if (type)
 		{
@@ -667,6 +689,24 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 }
 
 /**
+ * build a mem_pool_t from an address range
+ */
+static mem_pool_t *create_pool_range(char *str)
+{
+	mem_pool_t *pool;
+	host_t *from, *to;
+
+	if (!host_create_from_range(str, &from, &to))
+	{
+		return NULL;
+	}
+	pool = mem_pool_create_range(str, from, to);
+	from->destroy(from);
+	to->destroy(to);
+	return pool;
+}
+
+/**
  * build a peer_cfg from a stroke msg
  */
 static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
@@ -789,17 +829,25 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 			}
 			else
 			{
-				/* in-memory pool, named using CIDR notation */
+				/* in-memory pool, using range or CIDR notation */
+				mem_pool_t *pool;
 				host_t *base;
 				int bits;
 
-				base = host_create_from_subnet(token, &bits);
-				if (base)
+				pool = create_pool_range(token);
+				if (!pool)
+				{
+					base = host_create_from_subnet(token, &bits);
+					if (base)
+					{
+						pool = mem_pool_create(token, base, bits);
+						base->destroy(base);
+					}
+				}
+				if (pool)
 				{
-					this->attributes->add_pool(this->attributes,
-										mem_pool_create(token, base, bits));
+					this->attributes->add_pool(this->attributes, pool);
 					peer_cfg->add_pool(peer_cfg, token);
-					base->destroy(base);
 				}
 				else
 				{
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index f770d7c9e..0084fbf93 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -352,7 +352,7 @@ METHOD(stroke_control_t, terminate, void,
 				if (streq(name, child_sa->get_name(child_sa)))
 				{
 					child_list->insert_last(child_list,
-							(void*)(uintptr_t)child_sa->get_reqid(child_sa));
+							(void*)(uintptr_t)child_sa->get_unique_id(child_sa));
 					if (!all)
 					{
 						break;
@@ -432,13 +432,13 @@ METHOD(stroke_control_t, rekey, void,
 			while (children->enumerate(children, (void**)&child_sa))
 			{
 				if ((name && streq(name, child_sa->get_name(child_sa))) ||
-					(id && id == child_sa->get_reqid(child_sa)))
+					(id && id == child_sa->get_unique_id(child_sa)))
 				{
 					lib->processor->queue_job(lib->processor,
 						(job_t*)rekey_child_sa_job_create(
-								child_sa->get_reqid(child_sa),
 								child_sa->get_protocol(child_sa),
-								child_sa->get_spi(child_sa, TRUE)));
+								child_sa->get_spi(child_sa, TRUE),
+								ike_sa->get_my_host(ike_sa)));
 					if (!all)
 					{
 						finished = TRUE;
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 83431d17c..5e423f1de 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -70,11 +70,21 @@ struct private_stroke_cred_t {
 	char *secrets_file;
 
 	/**
-	 * credentials
+	 * credentials: end entity certs, attribute certs, CRLs, etc.
 	 */
 	mem_cred_t *creds;
 
 	/**
+	 * CA certificates
+	 */
+	mem_cred_t *cacerts;
+
+	/**
+	 * Attribute Authority certificates
+	 */
+	mem_cred_t *aacerts;
+
+	/**
 	 * ignore missing CA basic constraint (i.e. treat all certificates in
 	 * ipsec.conf ca sections and ipsec.d/cacerts as CA certificates)
 	 */
@@ -231,7 +241,7 @@ METHOD(stroke_cred_t, load_ca, certificate_t*,
 		}
 		DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" from '%s'",
 			 cert->get_subject(cert), filename);
-		return this->creds->add_cert_ref(this->creds, TRUE, cert);
+		return this->creds->get_cert_ref(this->creds, cert);
 	}
 	return NULL;
 }
@@ -374,133 +384,183 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
 }
 
 /**
- * load trusted certificates from a directory
+ * Load a CA certificate  from disk
  */
-static void load_certdir(private_stroke_cred_t *this, char *path,
-						 certificate_type_t type, x509_flag_t flag)
+static void load_x509_ca(private_stroke_cred_t *this, char *file)
 {
-	struct stat st;
-	char *file;
-
-	enumerator_t *enumerator = enumerator_create_directory(path);
+	certificate_t *cert;
 
-	if (!enumerator)
+	if (this->force_ca_cert)
+	{	/* treat certificate as CA cert even it has no CA basic constraint */
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, file,
+								  BUILD_X509_FLAG, X509_CA, BUILD_END);
+	}
+	else
 	{
-		DBG1(DBG_CFG, "  reading directory failed");
-		return;
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, file, BUILD_END);
 	}
-
-	while (enumerator->enumerate(enumerator, NULL, &file, &st))
+	if (cert)
 	{
-		certificate_t *cert;
+		x509_t *x509 = (x509_t*)cert;
 
-		if (!S_ISREG(st.st_mode))
+		if (!(x509->get_flags(x509) & X509_CA))
 		{
-			/* skip special file */
-			continue;
+			DBG1(DBG_CFG, "  ca certificate \"%Y\" lacks ca basic constraint, "
+				 "discarded", cert->get_subject(cert));
+			cert->destroy(cert);
 		}
-		switch (type)
+		else
 		{
-			case CERT_X509:
-				if (flag & X509_CA)
-				{
-					if (this->force_ca_cert)
-					{	/* treat this certificate as CA cert even it has no
-						 * CA basic constraint */
-						cert = lib->creds->create(lib->creds,
-										CRED_CERTIFICATE, CERT_X509,
-										BUILD_FROM_FILE, file, BUILD_X509_FLAG,
-										X509_CA, BUILD_END);
-					}
-					else
-					{
-						cert = lib->creds->create(lib->creds,
-										CRED_CERTIFICATE, CERT_X509,
-										BUILD_FROM_FILE, file, BUILD_END);
-					}
-					if (cert)
-					{
-						x509_t *x509 = (x509_t*)cert;
-
-						if (!(x509->get_flags(x509) & X509_CA))
-						{
-							DBG1(DBG_CFG, "  ca certificate \"%Y\" lacks "
-								 "ca basic constraint, discarded",
-								 cert->get_subject(cert));
-							cert->destroy(cert);
-							cert = NULL;
-						}
-						else
-						{
-							DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" "
-								 "from '%s'", cert->get_subject(cert), file);
-						}
-					}
-					else
+			DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" from '%s'",
+				 cert->get_subject(cert), file);
+			this->cacerts->add_cert(this->cacerts, TRUE, cert);
+		}
+	}
+	else
+	{
+		DBG1(DBG_CFG, "  loading ca certificate from '%s' failed", file);
+	}
+}
+
+/**
+ * Load AA certificate with flags from disk
+ */
+static void load_x509_aa(private_stroke_cred_t *this, char *file)
+{
+	certificate_t *cert;
+
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_FROM_FILE, file,
+							  BUILD_X509_FLAG, X509_AA, BUILD_END);
+	if (cert)
+	{
+		DBG1(DBG_CFG, "  loaded AA certificate \"%Y\" from '%s'",
+			 cert->get_subject(cert), file);
+		this->aacerts->add_cert(this->aacerts, TRUE, cert);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "  loading AA certificate from '%s' failed", file);
+	}
+}
+
+/**
+ * Load a certificate with flags from disk
+ */
+static void load_x509(private_stroke_cred_t *this, char *file, x509_flag_t flag)
+{
+	certificate_t *cert;
+
+	/* for all other flags, we add them to the certificate. */
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_FROM_FILE, file,
+							  BUILD_X509_FLAG, flag, BUILD_END);
+	if (cert)
+	{
+		DBG1(DBG_CFG, "  loaded certificate \"%Y\" from '%s'",
+			 cert->get_subject(cert), file);
+		this->creds->add_cert(this->creds, TRUE, cert);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "  loading certificate from '%s' failed", file);
+	}
+}
+
+/**
+ * Load a CRL from a file
+ */
+static void load_x509_crl(private_stroke_cred_t *this, char *file)
+{
+	certificate_t *cert;
+
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+							  BUILD_FROM_FILE, file, BUILD_END);
+	if (cert)
+	{
+		this->creds->add_crl(this->creds, (crl_t*)cert);
+		DBG1(DBG_CFG, "  loaded crl from '%s'",  file);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "  loading crl from '%s' failed", file);
+	}
+}
+
+/**
+ * Load an attribute certificate from a file
+ */
+static void load_x509_ac(private_stroke_cred_t *this, char *file)
+{
+	certificate_t *cert;
+
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+							  BUILD_FROM_FILE, file, BUILD_END);
+	if (cert)
+	{
+		DBG1(DBG_CFG, "  loaded attribute certificate from '%s'", file);
+		this->creds->add_cert(this->creds, FALSE, cert);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "  loading attribute certificate from '%s' failed", file);
+	}
+}
+
+/**
+ * load trusted certificates from a directory
+ */
+static void load_certdir(private_stroke_cred_t *this, char *path,
+						 certificate_type_t type, x509_flag_t flag)
+{
+	enumerator_t *enumerator;
+	struct stat st;
+	char *file;
+
+	enumerator = enumerator_create_directory(path);
+	if (enumerator)
+	{
+		while (enumerator->enumerate(enumerator, NULL, &file, &st))
+		{
+			if (!S_ISREG(st.st_mode))
+			{
+				/* skip special file */
+				continue;
+			}
+			switch (type)
+			{
+				case CERT_X509:
+					if (flag & X509_CA)
 					{
-						DBG1(DBG_CFG, "  loading ca certificate from '%s' "
-									  "failed", file);
+						load_x509_ca(this, file);
 					}
-				}
-				else
-				{	/* for all other flags, we add them to the certificate. */
-					cert = lib->creds->create(lib->creds,
-										CRED_CERTIFICATE, CERT_X509,
-										BUILD_FROM_FILE, file,
-										BUILD_X509_FLAG, flag, BUILD_END);
-					if (cert)
+					else if (flag & X509_AA)
 					{
-						DBG1(DBG_CFG, "  loaded certificate \"%Y\" from '%s'",
-									  cert->get_subject(cert), file);
+						load_x509_aa(this, file);
 					}
 					else
 					{
-						DBG1(DBG_CFG, "  loading certificate from '%s' "
-									  "failed", file);
+						load_x509(this, file, flag);
 					}
-				}
-				if (cert)
-				{
-					this->creds->add_cert(this->creds, TRUE, cert);
-				}
-				break;
-			case CERT_X509_CRL:
-				cert = lib->creds->create(lib->creds,
-										  CRED_CERTIFICATE, CERT_X509_CRL,
-										  BUILD_FROM_FILE, file,
-										  BUILD_END);
-				if (cert)
-				{
-					this->creds->add_crl(this->creds, (crl_t*)cert);
-					DBG1(DBG_CFG, "  loaded crl from '%s'",  file);
-				}
-				else
-				{
-					DBG1(DBG_CFG, "  loading crl from '%s' failed", file);
-				}
-				break;
-			case CERT_X509_AC:
-				cert = lib->creds->create(lib->creds,
-										  CRED_CERTIFICATE, CERT_X509_AC,
-										  BUILD_FROM_FILE, file,
-										  BUILD_END);
-				if (cert)
-				{
-					this->creds->add_cert(this->creds, FALSE, cert);
-					DBG1(DBG_CFG, "  loaded attribute certificate from '%s'",
-								  file);
-				}
-				else
-				{
-					DBG1(DBG_CFG, "  loading attribute certificate from '%s' "
-								  "failed", file);
-				}
-				break;
-			default:
-				break;
+					break;
+				case CERT_X509_CRL:
+					load_x509_crl(this, file);
+					break;
+				case CERT_X509_AC:
+					load_x509_ac(this, file);
+					break;
+				default:
+					break;
+			}
 		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "  reading directory failed");
 	}
-	enumerator->destroy(enumerator);
 }
 
 METHOD(stroke_cred_t, cache_cert, void,
@@ -1124,6 +1184,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 	while (fetchline(src, &line))
 	{
 		chunk_t ids, token;
+		key_type_t key_type;
 		shared_key_type_t type;
 
 		line_nr++;
@@ -1222,10 +1283,22 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 			DBG1(DBG_CFG, "line %d: missing token", line_nr);
 			break;
 		}
-		if (match("RSA", &token) || match("ECDSA", &token))
+		if (match("RSA", &token) || match("ECDSA", &token) ||
+			match("BLISS", &token))
 		{
-			if (!load_private(secrets, line, line_nr, prompt,
-							  match("RSA", &token) ? KEY_RSA : KEY_ECDSA))
+			if (match("RSA", &token))
+			{
+				key_type = KEY_RSA;
+			}
+			else if (match("ECDSA", &token))
+			{
+				key_type = KEY_ECDSA;
+			}
+			else
+			{
+				key_type = KEY_BLISS;
+			}
+			if (!load_private(secrets, line, line_nr, prompt, key_type))
 			{
 				break;
 			}
@@ -1256,8 +1329,8 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 		}
 		else
 		{
-			DBG1(DBG_CFG, "line %d: token must be either "
-				 "RSA, ECDSA, P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
+			DBG1(DBG_CFG, "line %d: token must be either RSA, ECDSA, BLISS, "
+						  "P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
 			break;
 		}
 	}
@@ -1308,6 +1381,8 @@ METHOD(stroke_cred_t, reread, void,
 	{
 		DBG1(DBG_CFG, "rereading ca certificates from '%s'",
 			 CA_CERTIFICATE_DIR);
+		this->cacerts->clear(this->cacerts);
+		lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
 		load_certdir(this, CA_CERTIFICATE_DIR, CERT_X509, X509_CA);
 	}
 	if (msg->reread.flags & REREAD_OCSPCERTS)
@@ -1321,6 +1396,8 @@ METHOD(stroke_cred_t, reread, void,
 	{
 		DBG1(DBG_CFG, "rereading aa certificates from '%s'",
 			 AA_CERTIFICATE_DIR);
+		this->aacerts->clear(this->aacerts);
+		lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
 		load_certdir(this, AA_CERTIFICATE_DIR, CERT_X509, X509_AA);
 	}
 	if (msg->reread.flags & REREAD_ACERTS)
@@ -1346,7 +1423,11 @@ METHOD(stroke_cred_t, add_shared, void,
 METHOD(stroke_cred_t, destroy, void,
 	private_stroke_cred_t *this)
 {
+	lib->credmgr->remove_set(lib->credmgr, &this->aacerts->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->cacerts->set);
 	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+	this->aacerts->destroy(this->aacerts);
+	this->cacerts->destroy(this->cacerts);
 	this->creds->destroy(this->creds);
 	free(this);
 }
@@ -1379,9 +1460,13 @@ stroke_cred_t *stroke_cred_create()
 								"%s.plugins.stroke.secrets_file", SECRETS_FILE,
 								lib->ns),
 		.creds = mem_cred_create(),
+		.cacerts = mem_cred_create(),
+		.aacerts = mem_cred_create(),
 	);
 
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+	lib->credmgr->add_set(lib->credmgr, &this->cacerts->set);
+	lib->credmgr->add_set(lib->credmgr, &this->aacerts->set);
 
 	this->force_ca_cert = lib->settings->get_bool(lib->settings,
 						"%s.plugins.stroke.ignore_missing_ca_basic_constraint",
diff --git a/src/libcharon/plugins/stroke/stroke_cred.h b/src/libcharon/plugins/stroke/stroke_cred.h
index f6fbb96d3..9434629ef 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.h
+++ b/src/libcharon/plugins/stroke/stroke_cred.h
@@ -50,10 +50,13 @@ struct stroke_cred_t {
 	void (*reread)(stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt);
 
 	/**
-	 * Load a CA certificate, and serve it through the credential_set.
+	 * Load a CA certificate.
+	 *
+	 * This method does not add the loaded CA certificate to the internal
+	 * credentail set, but returns it only.
 	 *
 	 * @param filename		file to load CA cert from
-	 * @return				reference to loaded certificate, or NULL
+	 * @return				loaded certificate, or NULL
 	 */
 	certificate_t* (*load_ca)(stroke_cred_t *this, char *filename);
 
diff --git a/src/libcharon/plugins/stroke/stroke_handler.c b/src/libcharon/plugins/stroke/stroke_handler.c
index fef8cab67..d0cc9afab 100644
--- a/src/libcharon/plugins/stroke/stroke_handler.c
+++ b/src/libcharon/plugins/stroke/stroke_handler.c
@@ -94,10 +94,9 @@ static bool attr_filter(void *lock, host_t **in,
 }
 
 METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*,
-	private_stroke_handler_t *this, identification_t *server,
+	private_stroke_handler_t *this, ike_sa_t *ike_sa,
 	linked_list_t *vips)
 {
-	ike_sa_t *ike_sa;
 	peer_cfg_t *peer_cfg;
 	enumerator_t *enumerator;
 	attributes_t *attr;
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index 1aa49ce0d..68b8232bc 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -214,11 +214,12 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 	config = child_sa->get_config(child_sa);
 	now = time_monotonic(NULL);
 
-	fprintf(out, "%12s{%d}:  %N, %N%s",
-			child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+	fprintf(out, "%12s{%d}:  %N, %N%s, reqid %u",
+			child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
 			child_sa_state_names, child_sa->get_state(child_sa),
 			ipsec_mode_names, child_sa->get_mode(child_sa),
-			config->use_proxy_mode(config) ? "_PROXY" : "");
+			config->use_proxy_mode(config) ? "_PROXY" : "",
+			child_sa->get_reqid(child_sa));
 
 	if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
 	{
@@ -238,7 +239,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 		if (all)
 		{
 			fprintf(out, "\n%12s{%d}:  ", child_sa->get_name(child_sa),
-					child_sa->get_reqid(child_sa));
+					child_sa->get_unique_id(child_sa));
 
 			proposal = child_sa->get_proposal(child_sa);
 			if (proposal)
@@ -322,7 +323,8 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 
 		}
 	}
-	else if (child_sa->get_state(child_sa) == CHILD_REKEYING)
+	else if (child_sa->get_state(child_sa) == CHILD_REKEYING ||
+			 child_sa->get_state(child_sa) == CHILD_REKEYED)
 	{
 		rekey = child_sa->get_lifetime(child_sa, TRUE);
 		fprintf(out, ", expires in %V", &now, &rekey);
@@ -333,7 +335,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 	other_ts = linked_list_create_from_enumerator(
 							child_sa->create_ts_enumerator(child_sa, FALSE));
 	fprintf(out, "\n%12s{%d}:   %#R=== %#R\n",
-			child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+			child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
 			my_ts, other_ts);
 	my_ts->destroy(my_ts);
 	other_ts->destroy(other_ts);
@@ -496,7 +498,7 @@ METHOD(stroke_list_t, status, void,
 		{
 			struct mallinfo mi = mallinfo();
 
-			fprintf(out, "  malloc: sbrk %d, mmap %d, used %d, free %d\n",
+			fprintf(out, "  malloc: sbrk %u, mmap %u, used %u, free %u\n",
 				    mi.arena, mi.hblkhd, mi.uordblks, mi.fordblks);
 		}
 #endif /* HAVE_MALLINFO */
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index 31df1f99b..f64b99f08 100644
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -69,6 +69,7 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
 				PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
 				PLUGIN_SDEPEND(PRIVKEY, KEY_DSA),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_BLISS),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_CRL),
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 54dd56e91..db7e66f14 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -24,7 +24,6 @@
 #include <unistd.h>
 #include <errno.h>
 
-#include <hydra.h>
 #include <daemon.h>
 
 #include "stroke_config.h"
@@ -747,8 +746,10 @@ METHOD(stroke_socket_t, destroy, void,
 	lib->credmgr->remove_set(lib->credmgr, &this->ca->set);
 	lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider);
-	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+	charon->attributes->remove_provider(charon->attributes,
+										&this->attribute->provider);
+	charon->attributes->remove_handler(charon->attributes,
+									   &this->handler->handler);
 	charon->bus->remove_listener(charon->bus, &this->counter->listener);
 	this->cred->destroy(this->cred);
 	this->ca->destroy(this->ca);
@@ -790,8 +791,10 @@ stroke_socket_t *stroke_socket_create()
 	lib->credmgr->add_set(lib->credmgr, &this->ca->set);
 	lib->credmgr->add_set(lib->credmgr, &this->cred->set);
 	charon->backends->add_backend(charon->backends, &this->config->backend);
-	hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider);
-	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+	charon->attributes->add_provider(charon->attributes,
+									 &this->attribute->provider);
+	charon->attributes->add_handler(charon->attributes,
+									&this->handler->handler);
 	charon->bus->add_listener(charon->bus, &this->counter->listener);
 
 	max_concurrent = lib->settings->get_int(lib->settings,
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index 0e477f9f3..be148b6c3 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index 3f2952c4b..17cc341c5 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -232,6 +232,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index 97c479632..ef05275b7 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -233,6 +233,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -293,10 +294,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -370,6 +373,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
index 109c216d5..91456f8da 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2013 Andreas Steffen
+ * Copyright (C) 2012-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -646,8 +646,8 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even
 	int pt_tls_fd;
 	struct sockaddr_storage addr;
 	socklen_t addrlen = sizeof(addr);
-	identification_t *peer;
-	host_t *host;
+	identification_t *client_id;
+	host_t *server_ip, *client_ip;
 	pt_tls_server_t *pt_tls;
 	tnccs_t *tnccs;
 	pt_tls_auth_t auth = PT_TLS_AUTH_TLS_OR_SASL;
@@ -658,17 +658,22 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even
 		DBG1(DBG_TNC, "accepting PT-TLS stream failed: %s", strerror(errno));
 		return FALSE;
 	}
-	host = host_create_from_sockaddr((sockaddr_t*)&addr);
-	DBG1(DBG_TNC, "accepting PT-TLS stream from %H", host);
-	host->destroy(host);
+	client_ip = host_create_from_sockaddr((sockaddr_t*)&addr);
+	DBG1(DBG_TNC, "accepting PT-TLS stream from %H", client_ip);
+
+	/* Currently we do not determine the IP address of the server interface */
+	server_ip = host_create_any(client_ip->get_family(client_ip));
 
-	/* At this moment the peer identity is not known yet */
-	peer = identification_create_from_encoding(ID_ANY, chunk_empty),
+	/* At this moment the client identity is not known yet */
+	client_id = identification_create_from_encoding(ID_ANY, chunk_empty),
 
 	tnccs = tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, TRUE,
-										this->server, peer, TNC_IFT_TLS_2_0,
+										this->server, client_id, server_ip,
+										client_ip, TNC_IFT_TLS_2_0,
 										(tnccs_cb_t)get_recommendation);
-	peer->destroy(peer);
+	client_id->destroy(client_id);
+	server_ip->destroy(server_ip);
+	client_ip->destroy(client_ip);
 
 	if (!tnccs)
 	{
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index 5e16c3c35..2c031383a 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/unit_tester/Makefile.am b/src/libcharon/plugins/unit_tester/Makefile.am
deleted file mode 100644
index b7f8fc319..000000000
--- a/src/libcharon/plugins/unit_tester/Makefile.am
+++ /dev/null
@@ -1,26 +0,0 @@
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = \
-	$(PLUGIN_CFLAGS)
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-unit-tester.la
-else
-plugin_LTLIBRARIES = libstrongswan-unit-tester.la
-endif
-
-libstrongswan_unit_tester_la_SOURCES = \
-	unit_tester.c unit_tester.h tests.h \
-	tests/test_auth_info.c \
-	tests/test_curl.c \
-	tests/test_mysql.c \
-	tests/test_sqlite.c \
-	tests/test_cert.c \
-	tests/test_med_db.c \
-	tests/test_pool.c \
-	tests/test_agent.c
-
-libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/unit_tester/tests/test_agent.c b/src/libcharon/plugins/unit_tester/tests/test_agent.c
deleted file mode 100644
index baab629be..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_agent.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-
-/*******************************************************************************
- * SSH agent signature creation and verification
- ******************************************************************************/
-bool test_agent()
-{
-	char *path;
-	chunk_t sig, data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
-	private_key_t *private;
-	public_key_t *public;
-
-	path = getenv("SSH_AUTH_SOCK");
-	if (!path)
-	{
-		DBG1(DBG_CFG, "ssh-agent not found.");
-		return FALSE;
-	}
-
-	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-								 BUILD_AGENT_SOCKET, path, BUILD_END);
-	if (!private)
-	{
-		return FALSE;
-	}
-	if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig))
-	{
-		return FALSE;
-	}
-	public = private->get_public_key(private);
-	if (!public)
-	{
-		return FALSE;;
-	}
-	if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
-	{
-		return FALSE;
-	}
-	free(sig.ptr);
-	data.ptr[1] = 0x01; /* fake it */
-	if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
-	{
-		return FALSE;
-	}
-
-	private->destroy(private);
-	public->destroy(public);
-
-	return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_auth_info.c b/src/libcharon/plugins/unit_tester/tests/test_auth_info.c
deleted file mode 100644
index c250c356f..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_auth_info.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-#include <library.h>
-#include <credentials/auth_cfg.h>
-
-
-static chunk_t certchunk = chunk_from_chars(
-	0x30,0x82,0x02,0xfa,0x30,0x82,0x01,0xe2,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x5a,
-	0xf2,0x65,0xae,0x78,0xff,0x23,0xde,0xf7,0xa6,0xa3,0x94,0x8c,0x3f,0xa0,0xc1,0x30,
-	0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x39,
-	0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x19,0x30,
-	0x17,0x06,0x03,0x55,0x04,0x0a,0x13,0x10,0x4c,0x69,0x6e,0x75,0x78,0x20,0x73,0x74,
-	0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,
-	0x03,0x13,0x06,0x6d,0x61,0x72,0x74,0x69,0x6e,0x30,0x1e,0x17,0x0d,0x30,0x37,0x30,
-	0x34,0x32,0x37,0x30,0x37,0x31,0x34,0x32,0x36,0x5a,0x17,0x0d,0x31,0x32,0x30,0x34,
-	0x32,0x35,0x30,0x37,0x31,0x34,0x32,0x36,0x5a,0x30,0x39,0x31,0x0b,0x30,0x09,0x06,
-	0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,
-	0x0a,0x13,0x10,0x4c,0x69,0x6e,0x75,0x78,0x20,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,
-	0x77,0x61,0x6e,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,0x03,0x13,0x06,0x6d,0x61,
-	0x72,0x74,0x69,0x6e,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
-	0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,
-	0x02,0x82,0x01,0x01,0x00,0xd7,0xb9,0xba,0x4d,0xe2,0x3b,0x3d,0x35,0x7a,0x3f,0x88,
-	0x67,0x95,0xe7,0xfd,0x9f,0xe9,0x0a,0x0d,0x79,0x3a,0x9e,0x21,0x8f,0xcb,0xe4,0x67,
-	0x24,0xae,0x0c,0xda,0xb3,0xcc,0xec,0x36,0xb4,0xa8,0x4d,0xf1,0x3d,0xad,0xe4,0x8c,
-	0x63,0x92,0x54,0xb7,0xb2,0x02,0xa2,0x00,0x62,0x8b,0x04,0xac,0xa0,0x17,0xad,0x17,
-	0x9a,0x05,0x0d,0xd7,0xb3,0x08,0x02,0xc5,0x26,0xcf,0xdd,0x05,0x42,0xfc,0x13,0x6d,
-	0x9f,0xb1,0xf3,0x4f,0x82,0x1d,0xef,0x01,0xc9,0x91,0xea,0x37,0x1b,0x79,0x28,0xfa,
-	0xbf,0x9f,0xb3,0xeb,0x82,0x4f,0x10,0xc6,0x4b,0xa4,0x08,0xf7,0x8e,0xf2,0x00,0xea,
-	0x04,0x97,0x80,0x9f,0x65,0x86,0xde,0x6b,0xc7,0xda,0x83,0xfc,0xad,0x4a,0xaf,0x52,
-	0x8b,0x4d,0x33,0xee,0x49,0x87,0x2f,0x3b,0x60,0x45,0x66,0x8f,0xe6,0x89,0xcc,0xb1,
-	0x92,0x02,0x17,0x2b,0x7b,0x8e,0x90,0x47,0x84,0x84,0x59,0x95,0x81,0xd8,0xe0,0xf3,
-	0x87,0xe0,0x04,0x09,0xfd,0xcc,0x3a,0x21,0x34,0xfa,0xec,0xbe,0xf5,0x9c,0xcf,0x55,
-	0x80,0x7b,0xe3,0x75,0x9d,0x36,0x68,0xab,0x83,0xe3,0xad,0x01,0x53,0x0d,0x8a,0x9a,
-	0xa6,0xb0,0x15,0xc9,0xc5,0xf8,0x9b,0x51,0x32,0xcf,0x97,0x6c,0xfe,0x4a,0x56,0x3c,
-	0xc8,0x8f,0x4a,0x70,0x23,0x4f,0xf6,0xf7,0xe6,0x9f,0x09,0xcd,0x8f,0xea,0x20,0x7d,
-	0x34,0xc0,0xc5,0xc0,0x34,0x06,0x6f,0x8b,0xeb,0x04,0x54,0x3f,0x0e,0xcd,0xe2,0x85,
-	0xab,0x94,0x3e,0x91,0x6c,0x18,0x6f,0x96,0x5d,0xf2,0x8b,0x10,0xe9,0x90,0x43,0xb0,
-	0x61,0x52,0xac,0xcf,0x75,0x02,0x03,0x01,0x00,0x01,0x30,0x0d,0x06,0x09,0x2a,0x86,
-	0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x09,0x63,
-	0x42,0xad,0xe5,0xa3,0xf6,0xc9,0x5d,0x08,0xf2,0x78,0x7b,0xeb,0x8a,0xef,0x50,0x00,
-	0xc8,0xeb,0xe9,0x26,0x94,0xcb,0x84,0x10,0x7e,0x42,0x6b,0x86,0x38,0x57,0xa6,0x02,
-	0x98,0x5a,0x2c,0x8f,0x44,0x32,0x1b,0x97,0x8c,0x7e,0x4b,0xd8,0xe8,0xe8,0x0f,0x4a,
-	0xb9,0x31,0x9f,0xf6,0x9f,0x0e,0x67,0x26,0x05,0x2a,0x99,0x14,0x35,0x41,0x47,0x9a,
-	0xfa,0x12,0x94,0x0b,0xe9,0x27,0x7c,0x71,0x20,0xd7,0x8d,0x3b,0x97,0x19,0x2d,0x15,
-	0xff,0xa4,0xf3,0x89,0x8d,0x29,0x5f,0xf6,0x3f,0x93,0xaf,0x78,0x61,0xe4,0xe1,0x2e,
-	0x75,0xc1,0x2c,0xc4,0x76,0x95,0x19,0xf8,0x37,0xdc,0xd8,0x00,0x7a,0x3c,0x0f,0x49,
-	0x2e,0x88,0x09,0x16,0xb3,0x92,0x33,0xdf,0x77,0x83,0x4f,0xb5,0x9e,0x30,0x8c,0x48,
-	0x1d,0xd8,0x84,0xfb,0xf1,0xb9,0xa0,0xbe,0x25,0xff,0x4c,0xeb,0xef,0x2b,0xcd,0xfa,
-	0x0b,0x94,0x66,0x3b,0x28,0x08,0x3f,0x3a,0xda,0x41,0xd0,0x6b,0xab,0x5e,0xbb,0x8a,
-	0x9f,0xdc,0x98,0x3e,0x59,0x37,0x48,0xbe,0x69,0xde,0x85,0x82,0xf2,0x53,0x8b,0xe4,
-	0x44,0xe4,0x71,0x91,0x14,0x85,0x0e,0x1e,0x79,0xdd,0x62,0xf5,0xdc,0x25,0x89,0xab,
-	0x50,0x5b,0xaa,0xae,0xe3,0x64,0x6a,0x23,0x34,0xd7,0x30,0xe2,0x2a,0xc8,0x81,0x0c,
-	0xec,0xd2,0x31,0xc6,0x1e,0xb6,0xc0,0x57,0xd9,0xe1,0x14,0x06,0x9b,0xf8,0x51,0x69,
-	0x47,0xf0,0x9c,0xcd,0x69,0xef,0x8e,0x5f,0x62,0xda,0x10,0xf7,0x3c,0x6d,0x0f,0x33,
-	0xec,0x6f,0xfd,0x94,0x07,0x16,0x41,0x32,0x06,0xa4,0xe1,0x08,0x31,0x87,
-);
-
-/*******************************************************************************
- * auth info test
- ******************************************************************************/
-bool test_auth_cfg()
-{
-	auth_cfg_t *auth = auth_cfg_create(), *auth2;
-	certificate_t *c1, *c2;
-	enumerator_t *enumerator;
-	int round = 0;
-	void *value;
-	auth_rule_t type;
-
-	c1 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-							BUILD_BLOB_ASN1_DER, certchunk,
-							BUILD_END);
-	if (!c1)
-	{
-		return FALSE;
-	}
-
-	auth->add(auth, AUTH_RULE_SUBJECT_CERT, c1->get_ref(c1));
-	c2 = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
-	if (!c2)
-	{
-		return FALSE;
-	}
-	if (!c1->equals(c1, c2))
-	{
-		return FALSE;
-	}
-
-	enumerator = auth->create_enumerator(auth);
-	while (enumerator->enumerate(enumerator, &type, &value))
-	{
-		round++;
-		if (round == 1 && type == AUTH_RULE_SUBJECT_CERT && value == c1)
-		{
-			continue;
-		}
-		return FALSE;
-	}
-	enumerator->destroy(enumerator);
-
-	auth2 = auth_cfg_create();
-	auth2->add(auth2, AUTH_RULE_CA_CERT, c1->get_ref(c1));
-	auth2->merge(auth2, auth, FALSE);
-
-	round = 0;
-	enumerator = auth2->create_enumerator(auth2);
-	while (enumerator->enumerate(enumerator, &type, &value))
-	{
-		round++;
-		if (round == 1 && type == AUTH_RULE_CA_CERT && value == c1)
-		{
-			continue;
-		}
-		if (round == 2 && type == AUTH_RULE_SUBJECT_CERT && value == c1)
-		{
-			continue;
-		}
-		return FALSE;
-	}
-	enumerator->destroy(enumerator);
-	auth->destroy(auth);
-	auth2->destroy(auth2);
-	c1->destroy(c1);
-	return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_cert.c b/src/libcharon/plugins/unit_tester/tests/test_cert.c
deleted file mode 100644
index f4410a688..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_cert.c
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-#include <credentials/certificates/x509.h>
-
-/*******************************************************************************
- * X509 certificate generation and parsing
- ******************************************************************************/
-bool test_cert_x509()
-{
-	private_key_t *ca_key, *peer_key;
-	public_key_t *public;
-	certificate_t *ca_cert, *peer_cert, *parsed;
-	identification_t *issuer, *subject;
-	u_int32_t serial = htonl(0);
-	chunk_t encoding;
-
-	issuer = identification_create_from_string("CN=CA, OU=Test, O=strongSwan");
-	subject = identification_create_from_string("CN=Peer, OU=Test, O=strongSwan");
-
-	ca_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-						BUILD_KEY_SIZE, 1024, BUILD_END);
-	peer_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-						BUILD_KEY_SIZE, 1024, BUILD_END);
-	if (!ca_key)
-	{
-		return FALSE;
-	}
-	ca_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-						BUILD_SIGNING_KEY, ca_key,
-						BUILD_SUBJECT, issuer,
-						BUILD_SERIAL, chunk_from_thing(serial),
-						BUILD_X509_FLAG, X509_CA,
-						BUILD_END);
-	if (!ca_cert)
-	{
-		return FALSE;
-	}
-
-	ca_cert->get_encoding(ca_cert, CERT_ASN1_DER, &encoding);
-	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-						BUILD_BLOB_ASN1_DER, encoding,
-						BUILD_END);
-	chunk_free(&encoding);
-	if (!parsed)
-	{
-		return FALSE;
-	}
-	if (!parsed->issued_by(parsed, ca_cert, NULL))
-	{
-		return FALSE;
-	}
-	parsed->destroy(parsed);
-
-	serial = htonl(ntohl(serial) + 1);
-	public = peer_key->get_public_key(peer_key);
-	peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-						BUILD_SIGNING_KEY, ca_key,
-						BUILD_SIGNING_CERT, ca_cert,
-						BUILD_PUBLIC_KEY, public,
-						BUILD_SUBJECT, subject,
-						BUILD_SERIAL, chunk_from_thing(serial),
-						BUILD_END);
-	public->destroy(public);
-	if (!peer_cert)
-	{
-		return FALSE;
-	}
-
-	peer_cert->get_encoding(peer_cert, CERT_ASN1_DER, &encoding);
-	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-						BUILD_BLOB_ASN1_DER, encoding,
-						BUILD_END);
-	chunk_free(&encoding);
-	if (!parsed)
-	{
-		return FALSE;
-	}
-	if (!parsed->issued_by(parsed, ca_cert, NULL))
-	{
-		return FALSE;
-	}
-	parsed->destroy(parsed);
-
-	ca_cert->destroy(ca_cert);
-	ca_key->destroy(ca_key);
-	peer_cert->destroy(peer_cert);
-	peer_key->destroy(peer_key);
-	issuer->destroy(issuer);
-	subject->destroy(subject);
-	return TRUE;
-}
-
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_curl.c b/src/libcharon/plugins/unit_tester/tests/test_curl.c
deleted file mode 100644
index 21656a94e..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_curl.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
-
-/*******************************************************************************
- * curl get test
- ******************************************************************************/
-
-bool test_curl_get()
-{
-	chunk_t chunk;
-
-	if (lib->fetcher->fetch(lib->fetcher, "http://www.strongswan.org",
-							&chunk, FETCH_END) != SUCCESS)
-	{
-		return FALSE;
-	}
-	free(chunk.ptr);
-
-	if (lib->fetcher->fetch(lib->fetcher, "http://www.google.com",
-							&chunk, FETCH_END) != SUCCESS)
-	{
-		return FALSE;
-	}
-	free(chunk.ptr);
-	return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_med_db.c b/src/libcharon/plugins/unit_tester/tests/test_med_db.c
deleted file mode 100644
index 75244ab8f..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_med_db.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-#include <collections/enumerator.h>
-
-#include <unistd.h>
-
-/*******************************************************************************
- * fetch public key from mediation database
- ******************************************************************************/
-
-bool test_med_db()
-{
-	chunk_t found, keyid = chunk_from_chars(
-		0xed,0x90,0xe6,0x4f,0xec,0xa2,0x1f,0x4b,
-		0x68,0x97,0x99,0x24,0x22,0xe0,0xde,0x21,
-		0xb9,0xd6,0x26,0x29
-	);
-	identification_t *id;
-	enumerator_t *enumerator;
-	public_key_t *public;
-	auth_cfg_t *auth;
-	bool good = FALSE;
-
-	id = identification_create_from_encoding(ID_KEY_ID, keyid);
-	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-														KEY_ANY, id, NULL);
-	while (enumerator->enumerate(enumerator, &public, &auth))
-	{
-		good = public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &found);
-		if (good)
-		{
-			good = chunk_equals(id->get_encoding(id), found);
-		}
-	}
-	enumerator->destroy(enumerator);
-	id->destroy(id);
-	return good;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_mysql.c b/src/libcharon/plugins/unit_tester/tests/test_mysql.c
deleted file mode 100644
index eda238623..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_mysql.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-#include <collections/enumerator.h>
-
-/*******************************************************************************
- * mysql simple test
- ******************************************************************************/
-bool test_mysql()
-{
-	database_t *db;
-	char *txt = "I'm a superduper test";
-	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
-	int row;
-	chunk_t qdata;
-	char *qtxt;
-	bool good = FALSE;
-	enumerator_t *enumerator;
-
-	db = lib->db->create(lib->db, "mysql://testuser:testpass@localhost/test");
-	if (!db)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, NULL, "CREATE TABLE test ("
-								"id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, "
-								"txt TEXT, data BLOB)") < 0)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, &row, "INSERT INTO test (txt, data) VALUES (?,?)",
-					DB_TEXT, txt, DB_BLOB, data) < 0)
-	{
-		return FALSE;
-	}
-	if (row != 1)
-	{
-		return FALSE;
-	}
-	enumerator = db->query(db, "SELECT txt, data FROM test WHERE id = ?",
-						   DB_INT, row,
-						   DB_TEXT, DB_BLOB);
-	if (!enumerator)
-	{
-		return FALSE;
-	}
-	while (enumerator->enumerate(enumerator, &qtxt, &qdata))
-	{
-		if (good)
-		{	/* only one row */
-			good = FALSE;
-			break;
-		}
-		if (streq(qtxt, txt) && chunk_equals(data, qdata))
-		{
-			good = TRUE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!good)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, NULL, "DELETE FROM test WHERE id = ?", DB_INT, row) != 1)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, NULL, "DROP TABLE test") < 0)
-	{
-		return FALSE;
-	}
-	db->destroy(db);
-	return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_pool.c b/src/libcharon/plugins/unit_tester/tests/test_pool.c
deleted file mode 100644
index f36953f3a..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_pool.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <time.h>
-
-#include <library.h>
-#include <threading/thread.h>
-#include <hydra.h>
-
-#define ALLOCS 1000
-#define THREADS 20
-
-static void* testing(void *thread)
-{
-	int i;
-	host_t *addr[ALLOCS];
-	identification_t *id[ALLOCS];
-	linked_list_t *pools;
-
-	/* prepare identities */
-	for (i = 0; i < ALLOCS; i++)
-	{
-		char buf[256];
-
-		snprintf(buf, sizeof(buf), "%d-%d@strongswan.org", (uintptr_t)thread, i);
-		id[i] = identification_create_from_string(buf);
-	}
-
-	pools = linked_list_create();
-	pools->insert_last(pools, "test");
-
-	/* allocate addresses */
-	for (i = 0; i < ALLOCS; i++)
-	{
-		addr[i] = hydra->attributes->acquire_address(hydra->attributes,
-													 pools, id[i], NULL);
-		if (!addr[i])
-		{
-			pools->destroy(pools);
-			return (void*)FALSE;
-		}
-	}
-
-	/* release addresses */
-	for (i = 0; i < ALLOCS; i++)
-	{
-		hydra->attributes->release_address(hydra->attributes,
-										   pools, addr[i], id[i]);
-	}
-
-	pools->destroy(pools);
-
-	/* cleanup */
-	for (i = 0; i < ALLOCS; i++)
-	{
-		addr[i]->destroy(addr[i]);
-		id[i]->destroy(id[i]);
-	}
-	return (void*)TRUE;
-}
-
-
-/*******************************************************************************
- * SQL pool performance test
- ******************************************************************************/
-bool test_pool()
-{
-	thread_t *threads[THREADS];
-	uintptr_t i;
-
-	for (i = 0; i < THREADS; i++)
-	{
-		if (!(threads[i] = thread_create((thread_main_t)testing, (void*)i)))
-		{
-			return FALSE;
-		}
-	}
-	for (i = 0; i < THREADS; i++)
-	{
-		bool *res = threads[i]->join(threads[i]);
-		if (!res)
-		{
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_sqlite.c b/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
deleted file mode 100644
index 99490b566..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-#include <collections/enumerator.h>
-
-#include <unistd.h>
-
-
-#define DBFILE "/tmp/strongswan-test.db"
-
-/*******************************************************************************
- * sqlite simple test
- ******************************************************************************/
-bool test_sqlite()
-{
-	database_t *db;
-	char *txt = "I'm a superduper test";
-	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
-	int row;
-	chunk_t qdata;
-	char *qtxt;
-	bool good = FALSE;
-	enumerator_t *enumerator;
-
-	db = lib->db->create(lib->db, "sqlite://" DBFILE);
-	if (!db)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, NULL, "CREATE TABLE test (txt TEXT, data BLOB)") < 0)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, &row, "INSERT INTO test (txt, data) VALUES (?,?)",
-					DB_TEXT, txt, DB_BLOB, data) < 0)
-	{
-		return FALSE;
-	}
-	if (row != 1)
-	{
-		return FALSE;
-	}
-	enumerator = db->query(db, "SELECT txt, data FROM test WHERE oid = ?",
-						   DB_INT, row,
-						   DB_TEXT, DB_BLOB);
-	if (!enumerator)
-	{
-		return FALSE;
-	}
-	while (enumerator->enumerate(enumerator, &qtxt, &qdata))
-	{
-		if (good)
-		{	/* only one row */
-			good = FALSE;
-			break;
-		}
-		if (streq(qtxt, txt) && chunk_equals(data, qdata))
-		{
-			good = TRUE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!good)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, NULL, "DELETE FROM test WHERE oid = ?", DB_INT, row) != 1)
-	{
-		return FALSE;
-	}
-	if (db->execute(db, NULL, "DROP TABLE test") < 0)
-	{
-		return FALSE;
-	}
-	db->destroy(db);
-	unlink(DBFILE);
-	return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/unit_tester.c b/src/libcharon/plugins/unit_tester/unit_tester.c
deleted file mode 100644
index ea7ffca04..000000000
--- a/src/libcharon/plugins/unit_tester/unit_tester.c
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * Copyright (C) 2013 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "unit_tester.h"
-
-#include <daemon.h>
-
-typedef struct private_unit_tester_t private_unit_tester_t;
-typedef struct unit_test_t unit_test_t;
-typedef enum test_status_t test_status_t;
-
-/**
- * private data of unit_tester
- */
-struct private_unit_tester_t {
-
-	/**
-	 * public functions
-	 */
-	unit_tester_t public;
-};
-
-struct unit_test_t {
-
-	/**
-	 * name of the test
-	 */
-	char *name;
-
-	/**
-	 * test function
-	 */
-	bool (*test)(void);
-
-	/**
-	 * run the test?
-	 */
-	bool enabled;
-};
-
-#undef DEFINE_TEST
-#define DEFINE_TEST(name, function, enabled) bool function();
-#include <plugins/unit_tester/tests.h>
-#undef DEFINE_TEST
-#define DEFINE_TEST(name, function, enabled) {name, function, enabled},
-static unit_test_t tests[] = {
-#include <plugins/unit_tester/tests.h>
-};
-
-static void run_tests(private_unit_tester_t *this)
-{
-	int i, run = 0, failed = 0, success = 0, skipped = 0;
-
-	DBG1(DBG_CFG, "running unit tests, %d tests registered",
-		 sizeof(tests)/sizeof(unit_test_t));
-
-	for (i = 0; i < sizeof(tests)/sizeof(unit_test_t); i++)
-	{
-		if (tests[i].enabled)
-		{
-			run++;
-			if (tests[i].test())
-			{
-				DBG1(DBG_CFG, "test '%s' successful", tests[i].name);
-				success++;
-			}
-			else
-			{
-				DBG1(DBG_CFG, "test '%s' failed", tests[i].name);
-				failed++;
-			}
-		}
-		else
-		{
-			DBG1(DBG_CFG, "test '%s' disabled", tests[i].name);
-			skipped++;
-		}
-	}
-	DBG1(DBG_CFG, "%d/%d tests successful (%d failed, %d disabled)",
-		 success, run, failed, skipped);
-}
-
-METHOD(plugin_t, get_name, char*,
-	private_unit_tester_t *this)
-{
-	return "unit-tester";
-}
-
-/**
- * We currently don't depend explicitly on any plugin features.  But in case
- * activated tests depend on such features we at least try to run them in plugin
- * order.
- */
-static bool plugin_cb(private_unit_tester_t *this,
-					  plugin_feature_t *feature, bool reg, void *cb_data)
-{
-	if (reg)
-	{
-		run_tests(this);
-	}
-	return TRUE;
-}
-
-METHOD(plugin_t, get_features, int,
-	private_unit_tester_t *this, plugin_feature_t *features[])
-{
-	static plugin_feature_t f[] = {
-		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
-			PLUGIN_PROVIDE(CUSTOM, "unit-tester"),
-	};
-	*features = f;
-	return countof(f);
-}
-
-METHOD(plugin_t, destroy, void,
-	private_unit_tester_t *this)
-{
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *unit_tester_plugin_create()
-{
-	private_unit_tester_t *this;
-
-	INIT(this,
-		.public = {
-			.plugin = {
-				.get_name = _get_name,
-				.get_features = _get_features,
-				.destroy = _destroy,
-			},
-		},
-	);
-
-	return &this->public.plugin;
-}
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 1e04ebced..4f0a7e736 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c
index bcef0dc25..9fc9be61a 100644
--- a/src/libcharon/plugins/unity/unity_handler.c
+++ b/src/libcharon/plugins/unity/unity_handler.c
@@ -50,8 +50,8 @@ struct private_unity_handler_t {
  * Traffic selector entry for networks to include under a given IKE_SA
  */
 typedef struct {
-	/** associated IKE_SA, unique ID */
-	u_int32_t sa;
+	/** associated IKE_SA COOKIEs */
+	ike_sa_id_t *id;
 	/** traffic selector to include/exclude */
 	traffic_selector_t *ts;
 } entry_t;
@@ -61,6 +61,7 @@ typedef struct {
  */
 static void entry_destroy(entry_t *this)
 {
+	this->id->destroy(this->id);
 	this->ts->destroy(this->ts);
 	free(this);
 }
@@ -131,9 +132,10 @@ static bool add_include(private_unity_handler_t *this, chunk_t data)
 	while (list->remove_first(list, (void**)&ts) == SUCCESS)
 	{
 		INIT(entry,
-			.sa = ike_sa->get_unique_id(ike_sa),
+			.id = ike_sa->get_id(ike_sa),
 			.ts = ts,
 		);
+		entry->id = entry->id->clone(entry->id);
 
 		this->mutex->lock(this->mutex);
 		this->include->insert_last(this->include, entry);
@@ -171,7 +173,7 @@ static bool remove_include(private_unity_handler_t *this, chunk_t data)
 		enumerator = this->include->create_enumerator(this->include);
 		while (enumerator->enumerate(enumerator, &entry))
 		{
-			if (entry->sa == ike_sa->get_unique_id(ike_sa) &&
+			if (entry->id->equals(entry->id, ike_sa->get_id(ike_sa)) &&
 				ts->equals(ts, entry->ts))
 			{
 				this->include->remove_at(this->include, enumerator);
@@ -209,8 +211,7 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 	char name[128];
 	host_t *host;
 
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													entry->sa, FALSE);
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, entry->id);
 	if (ike_sa)
 	{
 		create_shunt_name(ike_sa, entry->ts, name, sizeof(name));
@@ -267,9 +268,10 @@ static bool add_exclude(private_unity_handler_t *this, chunk_t data)
 	while (list->remove_first(list, (void**)&ts) == SUCCESS)
 	{
 		INIT(entry,
-			.sa = ike_sa->get_unique_id(ike_sa),
+			.id = ike_sa->get_id(ike_sa),
 			.ts = ts,
 		);
+		entry->id = entry->id->clone(entry->id);
 
 		/* we can't install the shunt policy yet, as we don't know the virtual IP.
 		 * Defer installation using an async callback. */
@@ -315,7 +317,7 @@ static bool remove_exclude(private_unity_handler_t *this, chunk_t data)
 }
 
 METHOD(attribute_handler_t, handle, bool,
-	private_unity_handler_t *this, identification_t *id,
+	private_unity_handler_t *this, ike_sa_t *ike_sa,
 	configuration_attribute_type_t type, chunk_t data)
 {
 	switch (type)
@@ -330,7 +332,7 @@ METHOD(attribute_handler_t, handle, bool,
 }
 
 METHOD(attribute_handler_t, release, void,
-	private_unity_handler_t *this, identification_t *server,
+	private_unity_handler_t *this, ike_sa_t *ike_sa,
 	configuration_attribute_type_t type, chunk_t data)
 {
 	switch (type)
@@ -378,10 +380,9 @@ METHOD(enumerator_t, enumerate_attributes, bool,
 }
 
 METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
-	unity_handler_t *this, identification_t *id, linked_list_t *vips)
+	unity_handler_t *this, ike_sa_t *ike_sa, linked_list_t *vips)
 {
 	attribute_enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
 
 	ike_sa = charon->bus->get_sa(charon->bus);
 	if (!ike_sa || ike_sa->get_version(ike_sa) != IKEV1 ||
@@ -402,7 +403,7 @@ typedef struct {
 	/** mutex to unlock */
 	mutex_t *mutex;
 	/** IKE_SA ID to filter for */
-	u_int32_t id;
+	ike_sa_id_t *id;
 } include_filter_t;
 
 /**
@@ -411,7 +412,7 @@ typedef struct {
 static bool include_filter(include_filter_t *data,
 						   entry_t **entry, traffic_selector_t **ts)
 {
-	if ((*entry)->sa == data->id)
+	if (data->id->equals(data->id, (*entry)->id))
 	{
 		*ts = (*entry)->ts;
 		return TRUE;
@@ -429,7 +430,7 @@ static void destroy_filter(include_filter_t *data)
 }
 
 METHOD(unity_handler_t, create_include_enumerator, enumerator_t*,
-	private_unity_handler_t *this, u_int32_t id)
+	private_unity_handler_t *this, ike_sa_id_t *id)
 {
 	include_filter_t *data;
 
diff --git a/src/libcharon/plugins/unity/unity_handler.h b/src/libcharon/plugins/unity/unity_handler.h
index 8656fd372..18efe293b 100644
--- a/src/libcharon/plugins/unity/unity_handler.h
+++ b/src/libcharon/plugins/unity/unity_handler.h
@@ -21,6 +21,7 @@
 #ifndef UNITY_HANDLER_H_
 #define UNITY_HANDLER_H_
 
+#include <sa/ike_sa_id.h>
 #include <attributes/attribute_handler.h>
 
 typedef struct unity_handler_t unity_handler_t;
@@ -38,11 +39,11 @@ struct unity_handler_t {
 	/**
 	 * Create an enumerator over Split-Include attributes received for an IKE_SA.
 	 *
-	 * @param id			IKE_SA unique ID to get Split-Includes for
+	 * @param id			IKE_SA ID to get Split-Includes for
 	 * @return				enumerator over traffic_selector_t*
 	 */
 	enumerator_t* (*create_include_enumerator)(unity_handler_t *this,
-											   u_int32_t id);
+											   ike_sa_id_t *id);
 
 	/**
 	 * Destroy a unity_handler_t.
diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
index 52a2c7f24..227d24be8 100644
--- a/src/libcharon/plugins/unity/unity_narrow.c
+++ b/src/libcharon/plugins/unity/unity_narrow.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2012 Martin Willi
  * Copyright (C) 2012 revosec AG
  *
@@ -16,6 +19,8 @@
 #include "unity_narrow.h"
 
 #include <daemon.h>
+#include <encoding/payloads/id_payload.h>
+#include <collections/hashtable.h>
 
 typedef struct private_unity_narrow_t private_unity_narrow_t;
 
@@ -33,6 +38,11 @@ struct private_unity_narrow_t {
 	 * Unity attribute handler
 	 */
 	unity_handler_t *handler;
+
+	/**
+	 * IKE_SAs for which we received 0.0.0.0/0 as remote traffic selector
+	 */
+	hashtable_t *wildcard_ts;
 };
 
 /**
@@ -65,7 +75,7 @@ static void narrow_initiator(private_unity_narrow_t *this, ike_sa_t *ike_sa,
 	enumerator_t *enumerator;
 
 	enumerator = this->handler->create_include_enumerator(this->handler,
-											ike_sa->get_unique_id(ike_sa));
+											ike_sa->get_id(ike_sa));
 	while (enumerator->enumerate(enumerator, &current))
 	{
 		if (orig == NULL)
@@ -149,7 +159,7 @@ static bool has_split_includes(private_unity_narrow_t *this, ike_sa_t *ike_sa)
 	bool has;
 
 	enumerator = this->handler->create_include_enumerator(this->handler,
-												ike_sa->get_unique_id(ike_sa));
+												ike_sa->get_id(ike_sa));
 	has = enumerator->enumerate(enumerator, &ts);
 	enumerator->destroy(enumerator);
 
@@ -191,11 +201,19 @@ METHOD(listener_t, narrow, bool,
 			{
 				case NARROW_INITIATOR_PRE_AUTH:
 				case NARROW_RESPONDER:
-					narrow_pre(local, "us");
+					if (this->wildcard_ts->get(this->wildcard_ts, ike_sa))
+					{
+						narrow_pre(local, "us");
+
+					}
 					break;
 				case NARROW_INITIATOR_POST_AUTH:
 				case NARROW_RESPONDER_POST:
-					narrow_responder_post(child_sa->get_config(child_sa), local);
+					if (this->wildcard_ts->get(this->wildcard_ts, ike_sa))
+					{
+						narrow_responder_post(child_sa->get_config(child_sa),
+											  local);
+					}
 					break;
 				default:
 					break;
@@ -205,9 +223,69 @@ METHOD(listener_t, narrow, bool,
 	return TRUE;
 }
 
+METHOD(listener_t, message, bool,
+	private_unity_narrow_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming, bool plain)
+{
+	traffic_selector_t *tsr = NULL, *wildcard;
+	enumerator_t *enumerator;
+	id_payload_t *id_payload;
+	payload_t *payload;
+	bool first = TRUE;
+
+	if (!incoming || !plain ||
+		message->get_exchange_type(message) != QUICK_MODE ||
+		!ike_sa || !ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
+	{
+		return TRUE;
+	}
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == PLV1_ID)
+		{
+			if (!first)
+			{
+				id_payload = (id_payload_t*)payload;
+				tsr = id_payload->get_ts(id_payload);
+				break;
+			}
+			first = FALSE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!tsr)
+	{
+		return TRUE;
+	}
+	wildcard = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
+	if (tsr->equals(tsr, wildcard))
+	{
+		this->wildcard_ts->put(this->wildcard_ts, ike_sa, ike_sa);
+	}
+	else
+	{
+		this->wildcard_ts->remove(this->wildcard_ts, ike_sa);
+	}
+	wildcard->destroy(wildcard);
+	tsr->destroy(tsr);
+	return TRUE;
+}
+
+METHOD(listener_t, ike_updown, bool,
+	private_unity_narrow_t *this, ike_sa_t *ike_sa, bool up)
+{
+	if (!up)
+	{
+		this->wildcard_ts->remove(this->wildcard_ts, ike_sa);
+	}
+	return TRUE;
+}
+
 METHOD(unity_narrow_t, destroy, void,
 	private_unity_narrow_t *this)
 {
+	this->wildcard_ts->destroy(this->wildcard_ts);
 	free(this);
 }
 
@@ -222,10 +300,14 @@ unity_narrow_t *unity_narrow_create(unity_handler_t *handler)
 		.public = {
 			.listener = {
 				.narrow = _narrow,
+				.message = _message,
+				.ike_updown = _ike_updown,
 			},
 			.destroy = _destroy,
 		},
 		.handler = handler,
+		.wildcard_ts = hashtable_create(hashtable_hash_ptr,
+										hashtable_equals_ptr, 4),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/unity/unity_plugin.c b/src/libcharon/plugins/unity/unity_plugin.c
index 9e4571d34..b7a3fee2e 100644
--- a/src/libcharon/plugins/unity/unity_plugin.c
+++ b/src/libcharon/plugins/unity/unity_plugin.c
@@ -19,7 +19,6 @@
 #include "unity_provider.h"
 
 #include <daemon.h>
-#include <hydra.h>
 
 typedef struct private_unity_plugin_t private_unity_plugin_t;
 
@@ -63,19 +62,19 @@ static bool plugin_cb(private_unity_plugin_t *this,
 {
 	if (reg)
 	{
-		hydra->attributes->add_handler(hydra->attributes,
-									   &this->handler->handler);
-		hydra->attributes->add_provider(hydra->attributes,
-										&this->provider->provider);
+		charon->attributes->add_handler(charon->attributes,
+										&this->handler->handler);
+		charon->attributes->add_provider(charon->attributes,
+										 &this->provider->provider);
 		charon->bus->add_listener(charon->bus, &this->narrower->listener);
 	}
 	else
 	{
 		charon->bus->remove_listener(charon->bus, &this->narrower->listener);
-		hydra->attributes->remove_handler(hydra->attributes,
-										  &this->handler->handler);
-		hydra->attributes->remove_provider(hydra->attributes,
-										   &this->provider->provider);
+		charon->attributes->remove_handler(charon->attributes,
+										   &this->handler->handler);
+		charon->attributes->remove_provider(charon->attributes,
+											&this->provider->provider);
 
 	}
 	return TRUE;
diff --git a/src/libcharon/plugins/unity/unity_provider.c b/src/libcharon/plugins/unity/unity_provider.c
index 86f81fcfb..1e297a39e 100644
--- a/src/libcharon/plugins/unity/unity_provider.c
+++ b/src/libcharon/plugins/unity/unity_provider.c
@@ -135,19 +135,17 @@ static bool use_ts(traffic_selector_t *ts)
 }
 
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
-	private_unity_provider_t *this, linked_list_t *pools, identification_t *id,
+	private_unity_provider_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
 	linked_list_t *vips)
 {
 	attribute_enumerator_t *attr_enum;
 	enumerator_t *enumerator;
 	linked_list_t *list, *current;
 	traffic_selector_t *ts;
-	ike_sa_t *ike_sa;
 	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
 
-	ike_sa = charon->bus->get_sa(charon->bus);
-	if (!ike_sa || ike_sa->get_version(ike_sa) != IKEV1 ||
+	if (ike_sa->get_version(ike_sa) != IKEV1 ||
 		!ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY) ||
 		!vips->get_count(vips))
 	{
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index 834d373f3..619d17a0e 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c
index 0894d2d07..72d7f7da3 100644
--- a/src/libcharon/plugins/updown/updown_handler.c
+++ b/src/libcharon/plugins/updown/updown_handler.c
@@ -62,19 +62,13 @@ static void attributes_destroy(attributes_t *this)
 }
 
 METHOD(attribute_handler_t, handle, bool,
-	private_updown_handler_t *this, identification_t *server,
+	private_updown_handler_t *this, ike_sa_t *ike_sa,
 	configuration_attribute_type_t type, chunk_t data)
 {
 	attributes_t *current, *attr = NULL;
 	enumerator_t *enumerator;
-	ike_sa_t *ike_sa;
 	host_t *host;
 
-	ike_sa = charon->bus->get_sa(charon->bus);
-	if (!ike_sa)
-	{
-		return FALSE;
-	}
 	switch (type)
 	{
 		case INTERNAL_IP4_DNS:
@@ -117,12 +111,11 @@ METHOD(attribute_handler_t, handle, bool,
 }
 
 METHOD(attribute_handler_t, release, void,
-	private_updown_handler_t *this, identification_t *server,
+	private_updown_handler_t *this, ike_sa_t *ike_sa,
 	configuration_attribute_type_t type, chunk_t data)
 {
 	attributes_t *attr;
 	enumerator_t *enumerator, *servers;
-	ike_sa_t *ike_sa;
 	host_t *host;
 	bool found = FALSE;
 	int family;
@@ -139,43 +132,39 @@ METHOD(attribute_handler_t, release, void,
 			return;
 	}
 
-	ike_sa = charon->bus->get_sa(charon->bus);
-	if (ike_sa)
+	this->lock->write_lock(this->lock);
+	enumerator = this->attrs->create_enumerator(this->attrs);
+	while (enumerator->enumerate(enumerator, &attr))
 	{
-		this->lock->write_lock(this->lock);
-		enumerator = this->attrs->create_enumerator(this->attrs);
-		while (enumerator->enumerate(enumerator, &attr))
+		if (attr->id == ike_sa->get_unique_id(ike_sa))
 		{
-			if (attr->id == ike_sa->get_unique_id(ike_sa))
+			servers = attr->dns->create_enumerator(attr->dns);
+			while (servers->enumerate(servers, &host))
 			{
-				servers = attr->dns->create_enumerator(attr->dns);
-				while (servers->enumerate(servers, &host))
+				if (host->get_family(host) == family &&
+					chunk_equals(data, host->get_address(host)))
 				{
-					if (host->get_family(host) == family &&
-						chunk_equals(data, host->get_address(host)))
-					{
-						attr->dns->remove_at(attr->dns, servers);
-						host->destroy(host);
-						found = TRUE;
-						break;
-					}
-				}
-				servers->destroy(servers);
-				if (attr->dns->get_count(attr->dns) == 0)
-				{
-					this->attrs->remove_at(this->attrs, enumerator);
-					attributes_destroy(attr);
+					attr->dns->remove_at(attr->dns, servers);
+					host->destroy(host);
+					found = TRUE;
 					break;
 				}
 			}
-			if (found)
+			servers->destroy(servers);
+			if (attr->dns->get_count(attr->dns) == 0)
 			{
+				this->attrs->remove_at(this->attrs, enumerator);
+				attributes_destroy(attr);
 				break;
 			}
 		}
-		enumerator->destroy(enumerator);
-		this->lock->unlock(this->lock);
+		if (found)
+		{
+			break;
+		}
 	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(updown_handler_t, create_dns_enumerator, enumerator_t*,
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 1d15cc55e..be65d599f 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -243,6 +243,7 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
 	me = ike_sa->get_my_host(ike_sa);
 	other = ike_sa->get_other_host(ike_sa);
 
+	push_env(envp, countof(envp), "PATH=%s", getenv("PATH"));
 	push_env(envp, countof(envp), "PLUTO_VERSION=1.1");
 	is_host = my_ts->is_host(my_ts, me);
 	if (is_host)
diff --git a/src/libcharon/plugins/updown/updown_plugin.c b/src/libcharon/plugins/updown/updown_plugin.c
index d30267dee..60ecfcce6 100644
--- a/src/libcharon/plugins/updown/updown_plugin.c
+++ b/src/libcharon/plugins/updown/updown_plugin.c
@@ -18,7 +18,6 @@
 #include "updown_handler.h"
 
 #include <daemon.h>
-#include <hydra.h>
 
 typedef struct private_updown_plugin_t private_updown_plugin_t;
 
@@ -61,8 +60,8 @@ static bool plugin_cb(private_updown_plugin_t *this,
 							"%s.plugins.updown.dns_handler", FALSE, lib->ns))
 		{
 			this->handler = updown_handler_create();
-			hydra->attributes->add_handler(hydra->attributes,
-										   &this->handler->handler);
+			charon->attributes->add_handler(charon->attributes,
+											&this->handler->handler);
 		}
 		this->listener = updown_listener_create(this->handler);
 		charon->bus->add_listener(charon->bus, &this->listener->listener);
@@ -74,8 +73,8 @@ static bool plugin_cb(private_updown_plugin_t *this,
 		if (this->handler)
 		{
 			this->handler->destroy(this->handler);
-			hydra->attributes->remove_handler(hydra->attributes,
-											  &this->handler->handler);
+			charon->attributes->remove_handler(charon->attributes,
+											   &this->handler->handler);
 		}
 	}
 	return TRUE;
diff --git a/src/libcharon/plugins/vici/Makefile.am b/src/libcharon/plugins/vici/Makefile.am
index da71de394..b25396085 100644
--- a/src/libcharon/plugins/vici/Makefile.am
+++ b/src/libcharon/plugins/vici/Makefile.am
@@ -74,3 +74,7 @@ SUBDIRS =
 if USE_RUBY_GEMS
 SUBDIRS += ruby
 endif
+
+if USE_PYTHON_EGGS
+SUBDIRS += python
+endif
diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in
index 34546b905..b63226daa 100644
--- a/src/libcharon/plugins/vici/Makefile.in
+++ b/src/libcharon/plugins/vici/Makefile.in
@@ -81,6 +81,7 @@ host_triplet = @host@
 TESTS = vici_tests$(EXEEXT)
 check_PROGRAMS = $(am__EXEEXT_1)
 @USE_RUBY_GEMS_TRUE@am__append_1 = ruby
+@USE_PYTHON_EGGS_TRUE@am__append_2 = python
 subdir = src/libcharon/plugins/vici
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -269,7 +270,7 @@ am__tty_colors = { \
     std=''; \
   fi; \
 }
-DIST_SUBDIRS = ruby
+DIST_SUBDIRS = ruby python
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -321,6 +322,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -381,10 +383,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -458,6 +462,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -571,7 +577,7 @@ vici_tests_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libstrongswan/tests/libtest.la
 
-SUBDIRS = $(am__append_1)
+SUBDIRS = $(am__append_1) $(am__append_2)
 all: all-recursive
 
 .SUFFIXES:
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 272491052..0ce4271b0 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -145,25 +145,25 @@ the following C array:
 
 	char msg[] = {
 		/* key1 = value1 */
-		2, 4,'k','e','y','1', 0,6,'v','a','l','u','e','1',
+		3, 4,'k','e','y','1', 0,6,'v','a','l','u','e','1',
 		/* section1 */
-		0, 8,'s','e','c','t','i','o','n','1',
+		1, 8,'s','e','c','t','i','o','n','1',
 		/* sub-section */
-		0, 11,'s','u','b','-','s','e','c','t','i','o','n',
+		1, 11,'s','u','b','-','s','e','c','t','i','o','n',
 		/* key2 = value2 */
-		2, 4,'k','e','y','2', 0,6,'v','a','l','u','e','2',
+		3, 4,'k','e','y','2', 0,6,'v','a','l','u','e','2',
 		/* sub-section end */
-		1,
+		2,
 		/* list1 */
-		3, 5, 'l','i','s','t','1',
+		4, 5, 'l','i','s','t','1',
 		/* item1 */
-		4, 0,5,'i','t','e','m','1',
+		5, 0,5,'i','t','e','m','1',
 		/* item2 */
-		4, 0,5,'i','t','e','m','2',
+		5, 0,5,'i','t','e','m','2',
 		/* list1 end */
-		5,
+		6,
 		/* section1 end */
-		1,
+		2,
 	};
 
 ## Client-initiated commands ##
@@ -559,6 +559,7 @@ command.
 			]
 			child-sas = {
 				<child-sa-name>* = {
+					uniqueid = <unique CHILD_SA identifier>
 					reqid = <reqid of CHILD_SA>
 					state = <state string of CHILD_SA>
 					mode = <IPsec mode, tunnel|transport|beet>
@@ -820,9 +821,9 @@ during encoding.
 
 ## Connecting to the daemon ##
 
-To create a connection to the daemon, a socket must be passed to the
-_Connection_ constructor. There is no default, but on Unix systems usually
-a Unix socket over _/var/run/charon.vici_ is used:
+To create a connection to the daemon, a socket can be passed to the
+_Connection_ constructor. If none is passed, a default Unix socket at
+_/var/run/charon.vici_ is used:
 
 	require "vici"
 	require "socket"
@@ -854,3 +855,73 @@ _list-conns_ command and implicitly the _list-conn_ event:
 
 For more details about the ruby gem refer to the comments in the gem source
 code or the generated documentation.
+
+# vici Python egg #
+
+The _vici Python egg_ is a pure Python implementation of the VICI protocol to
+implement client applications. It is provided in the _python_ subdirectory, and
+gets built and installed if strongSwan has been _./configure_'d with
+_--enable-vici_ and _--enable-python-eggs_.
+
+The _vici_ module provides a _Session()_ constructor for a high level interface,
+the underlying classes are usually not required to build Python applications
+using VICI. The _Session_ class provides methods for the supported VICI
+commands.
+
+To represent the VICI message data tree, the library converts the binary
+encoding to Python data types. The _Session_ class takes and returns Python
+objects for the exchanged message data:
+ * Sections get encoded as OrderedDict, containing other sections, or
+ * Key/Values, where the values are strings as dictionary values
+ * Lists get encoded as Python Lists with string values
+Values that do not conform to Python dict or list get converted to strings using
+str().
+
+## Connecting to the daemon ##
+
+To create a connection to the daemon, a socket can be passed to the _Session_
+constructor. If none is passed, a default Unix socket at _/var/run/charon.vici_
+is used:
+
+	import vici
+	import socket
+
+	s = socket.socket(socket.AF_UNIX)
+	s.connect("/var/run/charon.vici")
+	v = vici.Session(s)
+
+## A simple client request ##
+
+An example to print the daemon version information is as simple as:
+
+	ver = v.version()
+
+	print "{daemon} {version} ({sysname}, {release}, {machine})".format(**ver)
+
+## A request with response iteration ##
+
+The _Session_ class returns an iterable Python generator for streamed events to
+continuously stream objects to the caller. The following example lists all
+loaded connections using the _list-conns_ command and implicitly the _list-conn_
+event:
+
+	for conn in v.list_conns():
+		for key in conn:
+			print key
+
+Please note that if the returned generator is not iterated completely, it must
+be closed using _close()_. This is implicitly done when breaking from a loop,
+but an explicit call may be required when directly iterating the generator with
+_next()_.
+
+## Sorting in dictionaries ##
+
+In VICI, in some message trees the order of objects in dictionary matters. In
+contrast to ruby Hashes, Python dictionaries do not preserve order of added
+objects. It is therefore recommended to use OrderedDicts instead of the default
+dictionaries. Objects returned by the library use OrderedDicts.
+
+## API documentation ##
+
+For more details about the Python egg refer to the comments in the Python source
+code.
diff --git a/src/libcharon/plugins/vici/libvici.c b/src/libcharon/plugins/vici/libvici.c
index c0205ccb6..7c98c8b69 100644
--- a/src/libcharon/plugins/vici/libvici.c
+++ b/src/libcharon/plugins/vici/libvici.c
@@ -427,14 +427,8 @@ vici_res_t* vici_submit(vici_req_t *req, vici_conn_t *conn)
 
 void vici_free_req(vici_req_t *req)
 {
-	vici_message_t *message;
-
 	free(req->name);
-	message = req->b->finalize(req->b);
-	if (message)
-	{
-		message->destroy(message);
-	}
+	req->b->destroy(req->b);
 	free(req);
 }
 
diff --git a/src/libcharon/plugins/vici/python/LICENSE b/src/libcharon/plugins/vici/python/LICENSE
new file mode 100644
index 000000000..111523ca8
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/LICENSE
@@ -0,0 +1,19 @@
+Copyright (c) 2015 Björn Schuberg
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/src/libcharon/plugins/vici/python/MANIFEST.in b/src/libcharon/plugins/vici/python/MANIFEST.in
new file mode 100644
index 000000000..1aba38f67
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/MANIFEST.in
@@ -0,0 +1 @@
+include LICENSE
diff --git a/src/libcharon/plugins/vici/python/Makefile.am b/src/libcharon/plugins/vici/python/Makefile.am
new file mode 100644
index 000000000..f51737870
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/Makefile.am
@@ -0,0 +1,33 @@
+EXTRA_DIST = LICENSE MANIFEST.in \
+	setup.py.in \
+	vici/test/__init__.py \
+	vici/test/test_protocol.py \
+	vici/__init__.py \
+	vici/compat.py \
+	vici/exception.py \
+	vici/protocol.py \
+	vici/session.py
+
+setup.py: $(srcdir)/setup.py.in
+	$(AM_V_GEN) sed \
+	-e "s:@EGG_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/setup.py.in > $@
+
+all-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg
+
+dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) setup.py
+	(cd $(srcdir); $(PYTHON) setup.py bdist_egg \
+		-b $(shell readlink -f $(builddir))/build \
+		-d $(shell readlink -f $(builddir))/dist)
+
+clean-local: setup.py
+	$(PYTHON) setup.py clean -a
+	rm -rf vici.egg-info dist setup.py
+
+install-exec-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg
+	$(EASY_INSTALL) $(PYTHONEGGINSTALLDIR) \
+		dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg
+
+if USE_PY_TEST
+  TESTS = $(PY_TEST)
+endif
diff --git a/src/_updown_espmark/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in
index 51a0d9a13..3a5e5ea72 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/libcharon/plugins/vici/python/Makefile.in
@@ -13,7 +13,6 @@
 # PARTICULAR PURPOSE.
 
 @SET_MAKE@
-
 VPATH = @srcdir@
 am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
 am__make_running_with_option = \
@@ -78,9 +77,8 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/_updown_espmark
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
-	$(dist_ipsec_SCRIPTS) $(dist_man8_MANS)
+subdir = src/libcharon/plugins/vici/python
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -98,35 +96,6 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
-SCRIPTS = $(dist_ipsec_SCRIPTS)
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -146,10 +115,29 @@ am__can_run_installinfo = \
     n|no|NO) false;; \
     *) (install-info --version) >/dev/null 2>&1;; \
   esac
-man8dir = $(mandir)/man8
-NROFF = nroff
-MANS = $(dist_man8_MANS)
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+am__tty_colors_dummy = \
+  mgn= red= grn= lgn= blu= brg= std=; \
+  am__color_tests=no
+am__tty_colors = { \
+  $(am__tty_colors_dummy); \
+  if test "X$(AM_COLOR_TESTS)" = Xno; then \
+    am__color_tests=no; \
+  elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+    am__color_tests=yes; \
+  elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+    am__color_tests=yes; \
+  fi; \
+  if test $$am__color_tests = yes; then \
+    red=''; \
+    grn=''; \
+    lgn=''; \
+    blu=''; \
+    mgn=''; \
+    brg=''; \
+    std=''; \
+  fi; \
+}
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
@@ -176,6 +164,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -236,10 +225,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -313,6 +304,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -371,8 +364,17 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-dist_ipsec_SCRIPTS = _updown_espmark
-dist_man8_MANS = _updown_espmark.8
+EXTRA_DIST = LICENSE MANIFEST.in \
+	setup.py.in \
+	vici/test/__init__.py \
+	vici/test/test_protocol.py \
+	vici/__init__.py \
+	vici/compat.py \
+	vici/exception.py \
+	vici/protocol.py \
+	vici/session.py
+
+@USE_PY_TEST_TRUE@TESTS = $(PY_TEST)
 all: all-am
 
 .SUFFIXES:
@@ -385,9 +387,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/_updown_espmark/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/vici/python/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/_updown_espmark/Makefile
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/vici/python/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -406,88 +408,12 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
-install-dist_ipsecSCRIPTS: $(dist_ipsec_SCRIPTS)
-	@$(NORMAL_INSTALL)
-	@list='$(dist_ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
-	fi; \
-	for p in $$list; do \
-	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
-	done | \
-	sed -e 'p;s,.*/,,;n' \
-	    -e 'h;s|.*|.|' \
-	    -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
-	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
-	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
-	    if ($$2 == $$4) { files[d] = files[d] " " $$1; \
-	      if (++n[d] == $(am__install_max)) { \
-		print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
-	    else { print "f", d "/" $$4, $$1 } } \
-	  END { for (d in files) print "f", d, files[d] }' | \
-	while read type dir files; do \
-	     if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
-	     test -z "$$files" || { \
-	       echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
-	       $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
-	     } \
-	; done
-
-uninstall-dist_ipsecSCRIPTS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(dist_ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || exit 0; \
-	files=`for p in $$list; do echo "$$p"; done | \
-	       sed -e 's,.*/,,;$(transform)'`; \
-	dir='$(DESTDIR)$(ipsecdir)'; $(am__uninstall_files_from_dir)
 
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man8: $(dist_man8_MANS)
-	@$(NORMAL_INSTALL)
-	@list1='$(dist_man8_MANS)'; \
-	list2=''; \
-	test -n "$(man8dir)" \
-	  && test -n "`echo $$list1$$list2`" \
-	  || exit 0; \
-	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
-	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
-	{ for i in $$list1; do echo "$$i"; done;  \
-	if test -n "$$list2"; then \
-	  for i in $$list2; do echo "$$i"; done \
-	    | sed -n '/\.8[a-z]*$$/p'; \
-	fi; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man8:
-	@$(NORMAL_UNINSTALL)
-	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
 tags TAGS:
 
 ctags CTAGS:
@@ -495,6 +421,99 @@ ctags CTAGS:
 cscope cscopelist:
 
 
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	$(am__tty_colors); \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=XPASS; \
+	      ;; \
+	      *) \
+		col=$$grn; res=PASS; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xfail=`expr $$xfail + 1`; \
+		col=$$lgn; res=XFAIL; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=FAIL; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      col=$$blu; res=SKIP; \
+	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
+	  done; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="$$All$$all $$tests passed"; \
+	    else \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all $$tests failed"; \
+	    else \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
+	    else \
+	      skipped="($$skip tests were not run)"; \
+	    fi; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  if test "$$failed" -eq 0; then \
+	    col="$$grn"; \
+	  else \
+	    col="$$red"; \
+	  fi; \
+	  echo "$${col}$$dashes$${std}"; \
+	  echo "$${col}$$banner$${std}"; \
+	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+	  test -z "$$report" || echo "$${col}$$report$${std}"; \
+	  echo "$${col}$$dashes$${std}"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
 distdir: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -526,12 +545,10 @@ distdir: $(DISTFILES)
 	  fi; \
 	done
 check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
 check: check-am
-all-am: Makefile $(SCRIPTS) $(MANS)
+all-am: Makefile all-local
 installdirs:
-	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
 install: install-am
 install-exec: install-exec-am
 install-data: install-data-am
@@ -564,7 +581,7 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool mostlyclean-am
+clean-am: clean-generic clean-libtool clean-local mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
@@ -582,13 +599,13 @@ info: info-am
 
 info-am:
 
-install-data-am: install-dist_ipsecSCRIPTS install-man
+install-data-am:
 
 install-dvi: install-dvi-am
 
 install-dvi-am:
 
-install-exec-am:
+install-exec-am: install-exec-local
 
 install-html: install-html-am
 
@@ -598,7 +615,7 @@ install-info: install-info-am
 
 install-info-am:
 
-install-man: install-man8
+install-man:
 
 install-pdf: install-pdf-am
 
@@ -626,26 +643,43 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-dist_ipsecSCRIPTS uninstall-man
+uninstall-am:
 
-uninstall-man: uninstall-man8
+.MAKE: check-am install-am install-strip
 
-.MAKE: install-am install-strip
-
-.PHONY: all all-am check check-am clean clean-generic clean-libtool \
-	cscopelist-am ctags-am distclean distclean-generic \
-	distclean-libtool distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am \
-	install-dist_ipsecSCRIPTS install-dvi install-dvi-am \
-	install-exec install-exec-am install-html install-html-am \
-	install-info install-info-am install-man install-man8 \
+.PHONY: all all-am all-local check check-TESTS check-am clean \
+	clean-generic clean-libtool clean-local cscopelist-am ctags-am \
+	distclean distclean-generic distclean-libtool distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-local install-html \
+	install-html-am install-info install-info-am install-man \
 	install-pdf install-pdf-am install-ps install-ps-am \
 	install-strip installcheck installcheck-am installdirs \
 	maintainer-clean maintainer-clean-generic mostlyclean \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags-am uninstall uninstall-am uninstall-dist_ipsecSCRIPTS \
-	uninstall-man uninstall-man8
+	tags-am uninstall uninstall-am
+
+
+setup.py: $(srcdir)/setup.py.in
+	$(AM_V_GEN) sed \
+	-e "s:@EGG_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/setup.py.in > $@
+
+all-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg
+
+dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) setup.py
+	(cd $(srcdir); $(PYTHON) setup.py bdist_egg \
+		-b $(shell readlink -f $(builddir))/build \
+		-d $(shell readlink -f $(builddir))/dist)
+
+clean-local: setup.py
+	$(PYTHON) setup.py clean -a
+	rm -rf vici.egg-info dist setup.py
 
+install-exec-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg
+	$(EASY_INSTALL) $(PYTHONEGGINSTALLDIR) \
+		dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/libcharon/plugins/vici/python/setup.py.in b/src/libcharon/plugins/vici/python/setup.py.in
new file mode 100644
index 000000000..0e4ad8236
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/setup.py.in
@@ -0,0 +1,34 @@
+from setuptools import setup
+
+
+long_description = (
+    "The strongSwan VICI protocol allows external application to monitor, "
+    "configure and control the IKE daemon charon. This python package provides "
+    "a native client side implementation of the VICI protocol, well suited to "
+    "script automated tasks in a reliable way."
+)
+
+setup(
+    name="vici",
+    version="@EGG_VERSION@",
+    description="Native python interface for strongSwan VICI",
+    author="Bjorn Schuberg",
+    url="https://wiki.strongswan.org/projects/strongswan/wiki/Vici",
+    license="MIT",
+    packages=["vici"],
+    long_description=long_description,
+    include_package_data=True,
+    classifiers=(
+        "Development Status :: 3 - Alpha",
+        "Intended Audience :: Developers",
+        "Intended Audience :: System Administrators",
+        "License :: OSI Approved :: MIT License",
+        "Natural Language :: English",
+        "Programming Language :: Python :: 2.7",
+        "Programming Language :: Python :: 3.2",
+        "Programming Language :: Python :: 3.3",
+        "Programming Language :: Python :: 3.4",
+        "Topic :: Security",
+        "Topic :: Software Development :: Libraries",
+    )
+)
diff --git a/src/libcharon/plugins/vici/python/vici/__init__.py b/src/libcharon/plugins/vici/python/vici/__init__.py
new file mode 100644
index 000000000..d314325b6
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/__init__.py
@@ -0,0 +1 @@
+from .session import Session
diff --git a/src/libcharon/plugins/vici/python/vici/compat.py b/src/libcharon/plugins/vici/python/vici/compat.py
new file mode 100644
index 000000000..b5f46992e
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/compat.py
@@ -0,0 +1,14 @@
+# Help functions for compatibility between python version 2 and 3
+
+
+# From http://legacy.python.org/dev/peps/pep-0469
+try:
+    dict.iteritems
+except AttributeError:
+    # python 3
+    def iteritems(d):
+        return iter(d.items())
+else:
+    # python 2
+    def iteritems(d):
+        return d.iteritems()
diff --git a/src/libcharon/plugins/vici/python/vici/exception.py b/src/libcharon/plugins/vici/python/vici/exception.py
new file mode 100644
index 000000000..36384e556
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/exception.py
@@ -0,0 +1,10 @@
+"""Exception types that may be thrown by this library."""
+
+class DeserializationException(Exception):
+    """Encountered an unexpected byte sequence or missing element type."""
+
+class SessionException(Exception):
+    """Session request exception."""
+
+class CommandException(Exception):
+    """Command result exception."""
diff --git a/src/libcharon/plugins/vici/python/vici/protocol.py b/src/libcharon/plugins/vici/python/vici/protocol.py
new file mode 100644
index 000000000..855a7b2e2
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/protocol.py
@@ -0,0 +1,196 @@
+import io
+import socket
+import struct
+
+from collections import namedtuple
+from collections import OrderedDict
+
+from .compat import iteritems
+from .exception import DeserializationException
+
+
+class Transport(object):
+    HEADER_LENGTH = 4
+    MAX_SEGMENT = 512 * 1024
+
+    def __init__(self, sock):
+        self.socket = sock
+
+    def send(self, packet):
+        self.socket.sendall(struct.pack("!I", len(packet)) + packet)
+
+    def receive(self):
+        raw_length = self.socket.recv(self.HEADER_LENGTH)
+        length, = struct.unpack("!I", raw_length)
+        payload = self.socket.recv(length)
+        return payload
+
+    def close(self):
+        self.socket.shutdown(socket.SHUT_RDWR)
+        self.socket.close()
+
+
+class Packet(object):
+    CMD_REQUEST = 0         # Named request message
+    CMD_RESPONSE = 1        # Unnamed response message for a request
+    CMD_UNKNOWN = 2         # Unnamed response if requested command is unknown
+    EVENT_REGISTER = 3      # Named event registration request
+    EVENT_UNREGISTER = 4    # Named event de-registration request
+    EVENT_CONFIRM = 5       # Unnamed confirmation for event (de-)registration
+    EVENT_UNKNOWN = 6       # Unnamed response if event (de-)registration failed
+    EVENT = 7               # Named event message
+
+    ParsedPacket = namedtuple(
+        "ParsedPacket",
+        ["response_type", "payload"]
+    )
+
+    ParsedEventPacket = namedtuple(
+        "ParsedEventPacket",
+        ["response_type", "event_type", "payload"]
+    )
+
+    @classmethod
+    def _named_request(cls, request_type, request, message=None):
+        request = request.encode()
+        payload = struct.pack("!BB", request_type, len(request)) + request
+        if message is not None:
+            return payload + message
+        else:
+            return payload
+
+    @classmethod
+    def request(cls, command, message=None):
+        return cls._named_request(cls.CMD_REQUEST, command, message)
+
+    @classmethod
+    def register_event(cls, event_type):
+        return cls._named_request(cls.EVENT_REGISTER, event_type)
+
+    @classmethod
+    def unregister_event(cls, event_type):
+        return cls._named_request(cls.EVENT_UNREGISTER, event_type)
+
+    @classmethod
+    def parse(cls, packet):
+        stream = FiniteStream(packet)
+        response_type, = struct.unpack("!B", stream.read(1))
+
+        if response_type == cls.EVENT:
+            length, = struct.unpack("!B", stream.read(1))
+            event_type = stream.read(length)
+            return cls.ParsedEventPacket(response_type, event_type, stream)
+        else:
+            return cls.ParsedPacket(response_type, stream)
+
+
+class Message(object):
+    SECTION_START = 1       # Begin a new section having a name
+    SECTION_END = 2         # End a previously started section
+    KEY_VALUE = 3           # Define a value for a named key in the section
+    LIST_START = 4          # Begin a named list for list items
+    LIST_ITEM = 5           # Define an unnamed item value in the current list
+    LIST_END = 6            # End a previously started list
+
+    @classmethod
+    def serialize(cls, message):
+        def encode_named_type(marker, name):
+            name = name.encode()
+            return struct.pack("!BB", marker, len(name)) + name
+
+        def encode_blob(value):
+            if not isinstance(value, bytes):
+                value = str(value).encode()
+            return struct.pack("!H", len(value)) + value
+
+        def serialize_list(lst):
+            segment = bytes()
+            for item in lst:
+                segment += struct.pack("!B", cls.LIST_ITEM) + encode_blob(item)
+            return segment
+
+        def serialize_dict(d):
+            segment = bytes()
+            for key, value in iteritems(d):
+                if isinstance(value, dict):
+                    segment += (
+                        encode_named_type(cls.SECTION_START, key)
+                        + serialize_dict(value)
+                        + struct.pack("!B", cls.SECTION_END)
+                    )
+                elif isinstance(value, list):
+                    segment += (
+                        encode_named_type(cls.LIST_START, key)
+                        + serialize_list(value)
+                        + struct.pack("!B", cls.LIST_END)
+                    )
+                else:
+                    segment += (
+                        encode_named_type(cls.KEY_VALUE, key)
+                        + encode_blob(value)
+                    )
+            return segment
+
+        return serialize_dict(message)
+
+    @classmethod
+    def deserialize(cls, stream):
+        def decode_named_type(stream):
+            length, = struct.unpack("!B", stream.read(1))
+            return stream.read(length).decode()
+
+        def decode_blob(stream):
+            length, = struct.unpack("!H", stream.read(2))
+            return stream.read(length)
+
+        def decode_list_item(stream):
+            marker, = struct.unpack("!B", stream.read(1))
+            while marker == cls.LIST_ITEM:
+                yield decode_blob(stream)
+                marker, = struct.unpack("!B", stream.read(1))
+
+            if marker != cls.LIST_END:
+                raise DeserializationException(
+                    "Expected end of list at {pos}".format(pos=stream.tell())
+                )
+
+        section = OrderedDict()
+        section_stack = []
+        while stream.has_more():
+            element_type, = struct.unpack("!B", stream.read(1))
+            if element_type == cls.SECTION_START:
+                section_name = decode_named_type(stream)
+                new_section = OrderedDict()
+                section[section_name] = new_section
+                section_stack.append(section)
+                section = new_section
+
+            elif element_type == cls.LIST_START:
+                list_name = decode_named_type(stream)
+                section[list_name] = [item for item in decode_list_item(stream)]
+
+            elif element_type == cls.KEY_VALUE:
+                key = decode_named_type(stream)
+                section[key] = decode_blob(stream)
+
+            elif element_type == cls.SECTION_END:
+                if len(section_stack):
+                    section = section_stack.pop()
+                else:
+                    raise DeserializationException(
+                        "Unexpected end of section at {pos}".format(
+                            pos=stream.tell()
+                        )
+                    )
+
+        if len(section_stack):
+            raise DeserializationException("Expected end of section")
+        return section
+
+
+class FiniteStream(io.BytesIO):
+    def __len__(self):
+        return len(self.getvalue())
+
+    def has_more(self):
+        return self.tell() < len(self)
diff --git a/src/libcharon/plugins/vici/python/vici/session.py b/src/libcharon/plugins/vici/python/vici/session.py
new file mode 100644
index 000000000..dee58699d
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/session.py
@@ -0,0 +1,327 @@
+import collections
+import socket
+
+from .exception import SessionException, CommandException
+from .protocol import Transport, Packet, Message
+
+
+class Session(object):
+    def __init__(self, sock=None):
+        if sock is None:
+            sock = socket.socket(socket.AF_UNIX)
+            sock.connect("/var/run/charon.vici")
+        self.handler = SessionHandler(Transport(sock))
+
+    def version(self):
+        """Retrieve daemon and system specific version information.
+
+        :return: daemon and system specific version information
+        :rtype: dict
+        """
+        return self.handler.request("version")
+
+    def stats(self):
+        """Retrieve IKE daemon statistics and load information.
+
+        :return: IKE daemon statistics and load information
+        :rtype: dict
+        """
+        return self.handler.request("stats")
+
+    def reload_settings(self):
+        """Reload strongswan.conf settings and any plugins supporting reload.
+        """
+        self.handler.request("reload-settings")
+
+    def initiate(self, sa):
+        """Initiate an SA.
+
+        :param sa: the SA to initiate
+        :type sa: dict
+        :return: generator for logs emitted as dict
+        :rtype: generator
+        """
+        return self.handler.streamed_request("initiate", "control-log", sa)
+
+    def terminate(self, sa):
+        """Terminate an SA.
+
+        :param sa: the SA to terminate
+        :type sa: dict
+        :return: generator for logs emitted as dict
+        :rtype: generator
+        """
+        return self.handler.streamed_request("terminate", "control-log", sa)
+
+    def install(self, policy):
+        """Install a trap, drop or bypass policy defined by a CHILD_SA config.
+
+        :param policy: policy to install
+        :type policy: dict
+        """
+        self.handler.request("install", policy)
+
+    def uninstall(self, policy):
+        """Uninstall a trap, drop or bypass policy defined by a CHILD_SA config.
+
+        :param policy: policy to uninstall
+        :type policy: dict
+        """
+        self.handler.request("uninstall", policy)
+
+    def list_sas(self, filters=None):
+        """Retrieve active IKE_SAs and associated CHILD_SAs.
+
+        :param filters: retrieve only matching IKE_SAs (optional)
+        :type filters: dict
+        :return: generator for active IKE_SAs and associated CHILD_SAs as dict
+        :rtype: generator
+        """
+        return self.handler.streamed_request("list-sas", "list-sa", filters)
+
+    def list_policies(self, filters=None):
+        """Retrieve installed trap, drop and bypass policies.
+
+        :param filters: retrieve only matching policies (optional)
+        :type filters: dict
+        :return: generator for installed trap, drop and bypass policies as dict
+        :rtype: generator
+        """
+        return self.handler.streamed_request("list-policies", "list-policy",
+                                             filters)
+
+    def list_conns(self, filters=None):
+        """Retrieve loaded connections.
+
+        :param filters: retrieve only matching configuration names (optional)
+        :type filters: dict
+        :return: generator for loaded connections as dict
+        :rtype: generator
+        """
+        return self.handler.streamed_request("list-conns", "list-conn",
+                                             filters)
+
+    def get_conns(self):
+        """Retrieve connection names loaded exclusively over vici.
+
+        :return: connection names
+        :rtype: dict
+        """
+        return self.handler.request("get-conns")
+
+    def list_certs(self, filters=None):
+        """Retrieve loaded certificates.
+
+        :param filters: retrieve only matching certificates (optional)
+        :type filters: dict
+        :return: generator for loaded certificates as dict
+        :rtype: generator
+        """
+        return self.handler.streamed_request("list-certs", "list-cert", filters)
+
+    def load_conn(self, connection):
+        """Load a connection definition into the daemon.
+
+        :param connection: connection definition
+        :type connection: dict
+        """
+        self.handler.request("load-conn", connection)
+
+    def unload_conn(self, name):
+        """Unload a connection definition.
+
+        :param name: connection definition name
+        :type name: dict
+        """
+        self.handler.request("unload-conn", name)
+
+    def load_cert(self, certificate):
+        """Load a certificate into the daemon.
+
+        :param certificate: PEM or DER encoded certificate
+        :type certificate: dict
+        """
+        self.handler.request("load-cert", certificate)
+
+    def load_key(self, private_key):
+        """Load a private key into the daemon.
+
+        :param private_key: PEM or DER encoded key
+        """
+        self.handler.request("load-key", private_key)
+
+    def load_shared(self, secret):
+        """Load a shared IKE PSK, EAP or XAuth secret into the daemon.
+
+        :param secret: shared IKE PSK, EAP or XAuth secret
+        :type secret: dict
+        """
+        self.handler.request("load-shared", secret)
+
+    def clear_creds(self):
+        """Clear credentials loaded over vici.
+
+        Clear all loaded certificate, private key and shared key credentials.
+        This affects only credentials loaded over vici, but additionally
+        flushes the credential cache.
+        """
+        self.handler.request("clear-creds")
+
+    def load_pool(self, pool):
+        """Load a virtual IP pool.
+
+        Load an in-memory virtual IP and configuration attribute pool.
+        Existing pools with the same name get updated, if possible.
+
+        :param pool: virtual IP and configuration attribute pool
+        :type pool: dict
+        """
+        return self.handler.request("load-pool", pool)
+
+    def unload_pool(self, pool_name):
+        """Unload a virtual IP pool.
+
+        Unload a previously loaded virtual IP and configuration attribute pool.
+        Unloading fails for pools with leases currently online.
+
+        :param pool_name: pool by name
+        :type pool_name: dict
+        """
+        self.handler.request("unload-pool", pool_name)
+
+    def get_pools(self):
+        """Retrieve loaded pools.
+
+        :return: loaded pools
+        :rtype: dict
+        """
+        return self.handler.request("get-pools")
+
+
+class SessionHandler(object):
+    """Handles client command execution requests over vici."""
+
+    def __init__(self, transport):
+        self.transport = transport
+
+    def _communicate(self, packet):
+        """Send packet over transport and parse response.
+
+        :param packet: packet to send
+        :type packet: :py:class:`vici.protocol.Packet`
+        :return: parsed packet in a tuple with message type and payload
+        :rtype: :py:class:`collections.namedtuple`
+        """
+        self.transport.send(packet)
+        return Packet.parse(self.transport.receive())
+
+    def request(self, command, message=None):
+        """Send request with an optional message.
+
+        :param command: command to send
+        :type command: str
+        :param message: message (optional)
+        :type message: str
+        :return: command result
+        :rtype: dict
+        """
+        if message is not None:
+            message = Message.serialize(message)
+        packet = Packet.request(command, message)
+        response = self._communicate(packet)
+
+        if response.response_type != Packet.CMD_RESPONSE:
+            raise SessionException(
+                "Unexpected response type {type}, "
+                "expected '{response}' (CMD_RESPONSE)".format(
+                    type=response.response_type,
+                    response=Packet.CMD_RESPONSE
+                )
+            )
+
+        command_response = Message.deserialize(response.payload)
+        if "success" in command_response:
+            if command_response["success"] != b"yes":
+                raise CommandException(
+                    "Command failed: {errmsg}".format(
+                        errmsg=command_response["errmsg"]
+                    )
+                )
+
+        return command_response
+
+    def streamed_request(self, command, event_stream_type, message=None):
+        """Send command request and collect and return all emitted events.
+
+        :param command: command to send
+        :type command: str
+        :param event_stream_type: event type emitted on command execution
+        :type event_stream_type: str
+        :param message: message (optional)
+        :type message: str
+        :return: generator for streamed event responses as dict
+        :rtype: generator
+        """
+        if message is not None:
+            message = Message.serialize(message)
+
+        # subscribe to event stream
+        packet = Packet.register_event(event_stream_type)
+        response = self._communicate(packet)
+
+        if response.response_type != Packet.EVENT_CONFIRM:
+            raise SessionException(
+                "Unexpected response type {type}, "
+                "expected '{confirm}' (EVENT_CONFIRM)".format(
+                    type=response.response_type,
+                    confirm=Packet.EVENT_CONFIRM,
+                )
+            )
+
+        # issue command, and read any event messages
+        packet = Packet.request(command, message)
+        self.transport.send(packet)
+        exited = False
+        while True:
+            response = Packet.parse(self.transport.receive())
+            if response.response_type == Packet.EVENT:
+                if not exited:
+                    try:
+                        yield Message.deserialize(response.payload)
+                    except GeneratorExit:
+                        exited = True
+                        pass
+            else:
+                break
+
+        if response.response_type == Packet.CMD_RESPONSE:
+            command_response = Message.deserialize(response.payload)
+        else:
+            raise SessionException(
+                "Unexpected response type {type}, "
+                "expected '{response}' (CMD_RESPONSE)".format(
+                    type=response.response_type,
+                    response=Packet.CMD_RESPONSE
+                )
+            )
+
+        # unsubscribe from event stream
+        packet = Packet.unregister_event(event_stream_type)
+        response = self._communicate(packet)
+        if response.response_type != Packet.EVENT_CONFIRM:
+            raise SessionException(
+                "Unexpected response type {type}, "
+                "expected '{confirm}' (EVENT_CONFIRM)".format(
+                    type=response.response_type,
+                    confirm=Packet.EVENT_CONFIRM,
+                )
+            )
+
+        # evaluate command result, if any
+        if "success" in command_response:
+            if command_response["success"] != b"yes":
+                raise CommandException(
+                    "Command failed: {errmsg}".format(
+                        errmsg=command_response["errmsg"]
+                    )
+                )
diff --git a/src/libcharon/plugins/vici/python/vici/test/__init__.py b/src/libcharon/plugins/vici/python/vici/test/__init__.py
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/test/__init__.py
diff --git a/src/libcharon/plugins/vici/python/vici/test/test_protocol.py b/src/libcharon/plugins/vici/python/vici/test/test_protocol.py
new file mode 100644
index 000000000..a1f202d79
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/test/test_protocol.py
@@ -0,0 +1,144 @@
+import pytest
+
+from ..protocol import Packet, Message, FiniteStream
+from ..exception import DeserializationException
+
+
+class TestPacket(object):
+    # test data definitions for outgoing packet types
+    cmd_request = b"\x00\x0c" b"command_type"
+    cmd_request_msg = b"\x00\x07" b"command" b"payload"
+    event_register = b"\x03\x0a" b"event_type"
+    event_unregister = b"\x04\x0a" b"event_type"
+
+    # test data definitions for incoming packet types
+    cmd_response = b"\x01" b"reply"
+    cmd_unknown = b"\x02"
+    event_confirm = b"\x05"
+    event_unknown = b"\x06"
+    event = b"\x07\x03" b"log" b"message"
+
+    def test_request(self):
+        assert Packet.request("command_type") == self.cmd_request
+        assert Packet.request("command", b"payload") == self.cmd_request_msg
+
+    def test_register_event(self):
+        assert Packet.register_event("event_type") == self.event_register
+
+    def test_unregister_event(self):
+        assert Packet.unregister_event("event_type") == self.event_unregister
+
+    def test_parse(self):
+        parsed_cmd_response = Packet.parse(self.cmd_response)
+        assert parsed_cmd_response.response_type == Packet.CMD_RESPONSE
+        assert parsed_cmd_response.payload.getvalue() == self.cmd_response
+
+        parsed_cmd_unknown = Packet.parse(self.cmd_unknown)
+        assert parsed_cmd_unknown.response_type == Packet.CMD_UNKNOWN
+        assert parsed_cmd_unknown.payload.getvalue() == self.cmd_unknown
+
+        parsed_event_confirm = Packet.parse(self.event_confirm)
+        assert parsed_event_confirm.response_type == Packet.EVENT_CONFIRM
+        assert parsed_event_confirm.payload.getvalue() == self.event_confirm
+
+        parsed_event_unknown = Packet.parse(self.event_unknown)
+        assert parsed_event_unknown.response_type == Packet.EVENT_UNKNOWN
+        assert parsed_event_unknown.payload.getvalue() == self.event_unknown
+
+        parsed_event = Packet.parse(self.event)
+        assert parsed_event.response_type == Packet.EVENT
+        assert parsed_event.payload.getvalue() == self.event
+
+
+class TestMessage(object):
+    """Message (de)serialization test."""
+
+    # data definitions for test of de(serialization)
+    # serialized messages holding a section
+    ser_sec_unclosed = b"\x01\x08unclosed"
+    ser_sec_single = b"\x01\x07section\x02"
+    ser_sec_nested = b"\x01\x05outer\x01\x0asubsection\x02\x02"
+
+    # serialized messages holding a list
+    ser_list_invalid = b"\x04\x07invalid\x05\x00\x02e1\x02\x03sec\x06"
+    ser_list_0_item = b"\x04\x05empty\x06"
+    ser_list_1_item = b"\x04\x01l\x05\x00\x02e1\x06"
+    ser_list_2_item = b"\x04\x01l\x05\x00\x02e1\x05\x00\x02e2\x06"
+
+    # serialized messages with key value pairs
+    ser_kv_pair = b"\x03\x03key\x00\x05value"
+    ser_kv_zero = b"\x03\x0azerolength\x00\x00"
+
+    # deserialized messages holding a section
+    des_sec_single = { "section": {} }
+    des_sec_nested = { "outer": { "subsection": {} } }
+
+    # deserialized messages holding a list
+    des_list_0_item = { "empty": [] }
+    des_list_1_item = { "l": [ b"e1" ] }
+    des_list_2_item = { "l": [ b"e1", b"e2" ] }
+
+    # deserialized messages with key value pairs
+    des_kv_pair = { "key": b"value" }
+    des_kv_zero = { "zerolength": b"" }
+
+    def test_section_serialization(self):
+        assert Message.serialize(self.des_sec_single) == self.ser_sec_single
+        assert Message.serialize(self.des_sec_nested) == self.ser_sec_nested
+
+    def test_list_serialization(self):
+        assert Message.serialize(self.des_list_0_item) == self.ser_list_0_item
+        assert Message.serialize(self.des_list_1_item) == self.ser_list_1_item
+        assert Message.serialize(self.des_list_2_item) == self.ser_list_2_item
+
+    def test_key_serialization(self):
+        assert Message.serialize(self.des_kv_pair) == self.ser_kv_pair
+        assert Message.serialize(self.des_kv_zero) == self.ser_kv_zero
+
+    def test_section_deserialization(self):
+        single = Message.deserialize(FiniteStream(self.ser_sec_single))
+        nested = Message.deserialize(FiniteStream(self.ser_sec_nested))
+
+        assert single == self.des_sec_single
+        assert nested == self.des_sec_nested
+
+        with pytest.raises(DeserializationException):
+            Message.deserialize(FiniteStream(self.ser_sec_unclosed))
+
+    def test_list_deserialization(self):
+        l0 = Message.deserialize(FiniteStream(self.ser_list_0_item))
+        l1 = Message.deserialize(FiniteStream(self.ser_list_1_item))
+        l2 = Message.deserialize(FiniteStream(self.ser_list_2_item))
+
+        assert l0 == self.des_list_0_item
+        assert l1 == self.des_list_1_item
+        assert l2 == self.des_list_2_item
+
+        with pytest.raises(DeserializationException):
+            Message.deserialize(FiniteStream(self.ser_list_invalid))
+
+    def test_key_deserialization(self):
+        pair = Message.deserialize(FiniteStream(self.ser_kv_pair))
+        zerolength = Message.deserialize(FiniteStream(self.ser_kv_zero))
+
+        assert pair == self.des_kv_pair
+        assert zerolength == self.des_kv_zero
+
+    def test_roundtrip(self):
+        message = {
+            "key1": "value1",
+            "section1": {
+                "sub-section": {
+                    "key2": b"value2",
+                },
+                "list1": [ "item1", "item2" ],
+            },
+        }
+        serialized_message = FiniteStream(Message.serialize(message))
+        deserialized_message = Message.deserialize(serialized_message)
+
+        # ensure that list items and key values remain as undecoded bytes
+        deserialized_section = deserialized_message["section1"]
+        assert deserialized_message["key1"] == b"value1"
+        assert deserialized_section["sub-section"]["key2"] == b"value2"
+        assert deserialized_section["list1"] == [ b"item1", b"item2" ]
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.am b/src/libcharon/plugins/vici/ruby/Makefile.am
index ce38e1c3d..3e12f86cc 100644
--- a/src/libcharon/plugins/vici/ruby/Makefile.am
+++ b/src/libcharon/plugins/vici/ruby/Makefile.am
@@ -5,8 +5,10 @@ vici.gemspec: $(srcdir)/vici.gemspec.in
 	-e "s:@GEM_VERSION@:$(PACKAGE_VERSION):" \
 	$(srcdir)/vici.gemspec.in > $@
 
-vici-$(PACKAGE_VERSION).gem: vici.gemspec
-	$(GEM) build vici.gemspec
+vici-$(PACKAGE_VERSION).gem: vici.gemspec $(EXTRA_DIST)
+	(cd $(srcdir); $(GEM) build $(abs_builddir)/vici.gemspec)
+	[ "$(srcdir)" = "$(builddir)" ] || \
+		mv $(srcdir)/vici-$(PACKAGE_VERSION).gem $(builddir)
 
 all-local: vici-$(PACKAGE_VERSION).gem
 
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in
index c8a8c11fb..f37c09ea2 100644
--- a/src/libcharon/plugins/vici/ruby/Makefile.in
+++ b/src/libcharon/plugins/vici/ruby/Makefile.in
@@ -142,6 +142,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -202,10 +203,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -279,6 +282,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -535,8 +540,10 @@ vici.gemspec: $(srcdir)/vici.gemspec.in
 	-e "s:@GEM_VERSION@:$(PACKAGE_VERSION):" \
 	$(srcdir)/vici.gemspec.in > $@
 
-vici-$(PACKAGE_VERSION).gem: vici.gemspec
-	$(GEM) build vici.gemspec
+vici-$(PACKAGE_VERSION).gem: vici.gemspec $(EXTRA_DIST)
+	(cd $(srcdir); $(GEM) build $(abs_builddir)/vici.gemspec)
+	[ "$(srcdir)" = "$(builddir)" ] || \
+		mv $(srcdir)/vici-$(PACKAGE_VERSION).gem $(builddir)
 
 all-local: vici-$(PACKAGE_VERSION).gem
 
diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb
index e8a9ddca9..f87e46e69 100644
--- a/src/libcharon/plugins/vici/ruby/lib/vici.rb
+++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb
@@ -243,6 +243,25 @@ module Vici
     end
 
     ##
+    # Receive data from socket, until len bytes read
+    def recv_all(len)
+      encoding = ""
+      while encoding.length < len do
+        encoding << @socket.recv(len - encoding.length)
+      end
+      encoding
+    end
+
+    ##
+    # Send data to socket, until all bytes sent
+    def send_all(encoding)
+      len = 0
+      while len < encoding.length do
+        len += @socket.send(encoding[len..-1], 0)
+      end
+    end
+
+    ##
     # Write a packet prefixed by its length over the transport socket. Type
     # specifies the message, the optional label and message get appended.
     def write(type, label, message)
@@ -253,15 +272,15 @@ module Vici
       if message
         encoding << message.encoding
       end
-      @socket.send([encoding.length + 1, type].pack("Nc") + encoding, 0)
+      send_all([encoding.length + 1, type].pack("Nc") + encoding)
     end
 
     ##
     # Read a packet from the transport socket. Returns the packet type, and
     # if available in the packet a label and the contained message.
     def read
-      len = @socket.recv(4).unpack("N")[0]
-      encoding = @socket.recv(len)
+      len = recv_all(4).unpack("N")[0]
+      encoding = recv_all(len)
       type = encoding.unpack("c")[0]
       len = 1
       case type
@@ -371,7 +390,10 @@ module Vici
   # during encoding.
   class Connection
 
-    def initialize(socket)
+    def initialize(socket = nil)
+      if socket == nil
+        socket = UNIXSocket.new("/var/run/charon.vici")
+      end
       @transp = Transport.new(socket)
     end
 
diff --git a/src/libcharon/plugins/vici/ruby/vici.gemspec.in b/src/libcharon/plugins/vici/ruby/vici.gemspec.in
index 5ad61c0a0..2bd2b3d88 100644
--- a/src/libcharon/plugins/vici/ruby/vici.gemspec.in
+++ b/src/libcharon/plugins/vici/ruby/vici.gemspec.in
@@ -2,7 +2,7 @@ Gem::Specification.new do |s|
   s.name          = "vici"
   s.version       = "@GEM_VERSION@"
   s.authors       = ["Martin Willi"]
-  s.email         = ["martin@strongswan.ch"]
+  s.email         = ["martin@strongswan.org"]
   s.description   = %q{
      The strongSwan VICI protocol allows external application to monitor,
      configure and control the IKE daemon charon. This ruby gem provides a
diff --git a/src/libcharon/plugins/vici/vici_attribute.c b/src/libcharon/plugins/vici/vici_attribute.c
index 2178116c9..f04bae774 100644
--- a/src/libcharon/plugins/vici/vici_attribute.c
+++ b/src/libcharon/plugins/vici/vici_attribute.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
@@ -93,7 +96,8 @@ static void pool_destroy(pool_t *pool)
  * Find an existing or not yet existing lease
  */
 static host_t *find_addr(private_vici_attribute_t *this, linked_list_t *pools,
-					identification_t *id, host_t *requested, mem_pool_op_t op)
+						 identification_t *id, host_t *requested,
+						 mem_pool_op_t op, host_t *peer)
 {
 	enumerator_t *enumerator;
 	host_t *addr = NULL;
@@ -106,7 +110,8 @@ static host_t *find_addr(private_vici_attribute_t *this, linked_list_t *pools,
 		pool = this->pools->get(this->pools, name);
 		if (pool)
 		{
-			addr = pool->vips->acquire_address(pool->vips, id, requested, op);
+			addr = pool->vips->acquire_address(pool->vips, id, requested,
+											   op, peer);
 			if (addr)
 			{
 				break;
@@ -119,20 +124,24 @@ static host_t *find_addr(private_vici_attribute_t *this, linked_list_t *pools,
 }
 
 METHOD(attribute_provider_t, acquire_address, host_t*,
-	private_vici_attribute_t *this, linked_list_t *pools, identification_t *id,
+	private_vici_attribute_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
 	host_t *requested)
 {
-	host_t *addr;
+	identification_t *id;
+	host_t *addr, *peer;
+
+	id = ike_sa->get_other_eap_id(ike_sa);
+	peer = ike_sa->get_other_host(ike_sa);
 
 	this->lock->read_lock(this->lock);
 
-	addr = find_addr(this, pools, id, requested, MEM_POOL_EXISTING);
+	addr = find_addr(this, pools, id, requested, MEM_POOL_EXISTING, peer);
 	if (!addr)
 	{
-		addr = find_addr(this, pools, id, requested, MEM_POOL_NEW);
+		addr = find_addr(this, pools, id, requested, MEM_POOL_NEW, peer);
 		if (!addr)
 		{
-			addr = find_addr(this, pools, id, requested, MEM_POOL_REASSIGN);
+			addr = find_addr(this, pools, id, requested, MEM_POOL_REASSIGN, peer);
 		}
 	}
 
@@ -143,13 +152,16 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 
 METHOD(attribute_provider_t, release_address, bool,
 	private_vici_attribute_t *this, linked_list_t *pools, host_t *address,
-	identification_t *id)
+	ike_sa_t *ike_sa)
 {
 	enumerator_t *enumerator;
+	identification_t *id;
 	bool found = FALSE;
 	pool_t *pool;
 	char *name;
 
+	id = ike_sa->get_other_eap_id(ike_sa);
+
 	this->lock->read_lock(this->lock);
 
 	enumerator = pools->create_enumerator(pools);
@@ -256,7 +268,7 @@ static bool have_vips_from_pool(mem_pool_t *pool, linked_list_t *vips)
 
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 	private_vici_attribute_t *this, linked_list_t *pools,
-	identification_t *id, linked_list_t *vips)
+	ike_sa_t *ike_sa, linked_list_t *vips)
 {
 	enumerator_t *enumerator;
 	nested_data_t *data;
@@ -355,6 +367,24 @@ static vici_message_t* create_reply(char *fmt, ...)
 }
 
 /**
+ * Parse a range definition of an address pool
+ */
+static mem_pool_t *create_pool_range(char *name, char *buf)
+{
+	mem_pool_t *pool;
+	host_t *from, *to;
+
+	if (!host_create_from_range(buf, &from, &to))
+	{
+		return NULL;
+	}
+	pool = mem_pool_create_range(name, from, to);
+	from->destroy(from);
+	to->destroy(to);
+	return pool;
+}
+
+/**
  * Parse callback data, passed to each callback
  */
 typedef struct {
@@ -490,7 +520,8 @@ CALLBACK(pool_kv, bool,
 	if (streq(name, "addrs"))
 	{
 		char buf[128];
-		host_t *base;
+		mem_pool_t *pool;
+		host_t *base = NULL;
 		int bits;
 
 		if (data->pool->vips)
@@ -503,14 +534,22 @@ CALLBACK(pool_kv, bool,
 			data->request->reply = create_reply("invalid addrs value");
 			return FALSE;
 		}
-		base = host_create_from_subnet(buf, &bits);
-		if (!base)
+		pool = create_pool_range(data->name, buf);
+		if (!pool)
+		{
+			base = host_create_from_subnet(buf, &bits);
+			if (base)
+			{
+				pool = mem_pool_create(data->name, base, bits);
+				base->destroy(base);
+			}
+		}
+		if (!pool)
 		{
 			data->request->reply = create_reply("invalid addrs value: %s", buf);
 			return FALSE;
 		}
-		data->pool->vips = mem_pool_create(data->name, base, bits);
-		base->destroy(base);
+		data->pool->vips = pool;
 		return TRUE;
 	}
 	data->request->reply = create_reply("invalid attribute: %s", name);
diff --git a/src/libcharon/plugins/vici/vici_builder.c b/src/libcharon/plugins/vici/vici_builder.c
index 561632049..82f12c9da 100644
--- a/src/libcharon/plugins/vici/vici_builder.c
+++ b/src/libcharon/plugins/vici/vici_builder.c
@@ -84,6 +84,8 @@ METHOD(vici_builder_t, add, void,
 
 	if (value.len > 0xffff)
 	{
+		DBG1(DBG_ENC, "vici value exceeds size limit (%zu > %u)",
+			 value.len, 0xffff);
 		this->error++;
 		return;
 	}
@@ -125,24 +127,58 @@ METHOD(vici_builder_t, add, void,
 	}
 }
 
-METHOD(vici_builder_t, vadd_kv, void,
-	private_vici_builder_t *this, char *key, char *fmt, va_list args)
+/**
+ * Add a list item or a key/value, if key given
+ */
+static void vadd_kv_or_li(private_vici_builder_t *this, char *key,
+						  char *fmt, va_list args)
 {
-	char buf[2048];
+	u_char buf[512];
+	chunk_t value;
 	ssize_t len;
+	va_list copy;
 
-	len = vsnprintf(buf, sizeof(buf), fmt, args);
-	if (len < 0 || len >= sizeof(buf))
+	va_copy(copy, args);
+	len = vsnprintf(buf, sizeof(buf), fmt, copy);
+	va_end(copy);
+	if (len >= sizeof(buf))
 	{
-		DBG1(DBG_ENC, "vici builder format buffer exceeds limit");
+		value = chunk_alloc(len + 1);
+		len = vsnprintf(value.ptr, value.len, fmt, args);
+	}
+	else
+	{
+		value = chunk_create(buf, len);
+	}
+
+	if (len < 0)
+	{
+		DBG1(DBG_ENC, "vici builder format print failed");
 		this->error++;
 	}
 	else
 	{
-		add(this, VICI_KEY_VALUE, key, chunk_create(buf, len));
+		if (key)
+		{
+			add(this, VICI_KEY_VALUE, key, value);
+		}
+		else
+		{
+			add(this, VICI_LIST_ITEM, value);
+		}
+	}
+	if (value.ptr != buf)
+	{
+		free(value.ptr);
 	}
 }
 
+METHOD(vici_builder_t, vadd_kv, void,
+	private_vici_builder_t *this, char *key, char *fmt, va_list args)
+{
+	vadd_kv_or_li(this, key, fmt, args);
+}
+
 METHOD(vici_builder_t, add_kv, void,
 	private_vici_builder_t *this, char *key, char *fmt, ...)
 {
@@ -153,23 +189,10 @@ METHOD(vici_builder_t, add_kv, void,
 	va_end(args);
 }
 
-
 METHOD(vici_builder_t, vadd_li, void,
 	private_vici_builder_t *this, char *fmt, va_list args)
 {
-	char buf[2048];
-	ssize_t len;
-
-	len = vsnprintf(buf, sizeof(buf), fmt, args);
-	if (len < 0 || len >= sizeof(buf))
-	{
-		DBG1(DBG_ENC, "vici builder format buffer exceeds limit");
-		this->error++;
-	}
-	else
-	{
-		add(this, VICI_LIST_ITEM, chunk_create(buf, len));
-	}
+	vadd_kv_or_li(this, NULL, fmt, args);
 }
 
 METHOD(vici_builder_t, add_li, void,
@@ -206,6 +229,13 @@ METHOD(vici_builder_t, end_list, void,
 	add(this, VICI_LIST_END);
 }
 
+METHOD(vici_builder_t, destroy, void,
+	private_vici_builder_t *this)
+{
+	this->writer->destroy(this->writer);
+	free(this);
+}
+
 METHOD(vici_builder_t, finalize, vici_message_t*,
 	private_vici_builder_t *this)
 {
@@ -215,14 +245,12 @@ METHOD(vici_builder_t, finalize, vici_message_t*,
 	{
 		DBG1(DBG_ENC, "vici builder error: %u errors (section: %u, list %u)",
 			 this->error, this->section, this->list);
-		this->writer->destroy(this->writer);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 	product = vici_message_create_from_data(
 								this->writer->extract_buf(this->writer), TRUE);
-	this->writer->destroy(this->writer);
-	free(this);
+	destroy(this);
 	return product;
 }
 
@@ -245,6 +273,7 @@ vici_builder_t *vici_builder_create()
 			.begin_list = _begin_list,
 			.end_list = _end_list,
 			.finalize = _finalize,
+			.destroy = _destroy,
 		},
 		.writer = bio_writer_create(0),
 	);
diff --git a/src/libcharon/plugins/vici/vici_builder.h b/src/libcharon/plugins/vici/vici_builder.h
index 5a5cc8a03..f7d21eb8f 100644
--- a/src/libcharon/plugins/vici/vici_builder.h
+++ b/src/libcharon/plugins/vici/vici_builder.h
@@ -119,6 +119,14 @@ struct vici_builder_t {
 	 * @return		vici message, NULL on error
 	 */
 	vici_message_t* (*finalize)(vici_builder_t *this);
+
+	/**
+	 * Destroy a vici builder without finalization.
+	 *
+	 * Note that finalize() already destroys the message, and calling destroy()
+	 * is required only if the message does not get finalize()d.
+	 */
+	void (*destroy)(vici_builder_t *this);
 };
 
 /**
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 113d48084..649161020 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1551,8 +1551,8 @@ static void clear_start_action(private_vici_config_t *this,
 	enumerator_t *enumerator, *children;
 	child_sa_t *child_sa;
 	ike_sa_t *ike_sa;
-	u_int32_t reqid = 0, *del;
-	array_t *reqids = NULL;
+	u_int32_t id = 0, *del;
+	array_t *ids = NULL;
 	char *name;
 
 	name = child_cfg->get_name(child_cfg);
@@ -1568,23 +1568,23 @@ static void clear_start_action(private_vici_config_t *this,
 				{
 					if (streq(name, child_sa->get_name(child_sa)))
 					{
-						reqid = child_sa->get_reqid(child_sa);
-						array_insert_create(&reqids, ARRAY_TAIL, &reqid);
+						id = child_sa->get_unique_id(child_sa);
+						array_insert_create(&ids, ARRAY_TAIL, &id);
 					}
 				}
 				children->destroy(children);
 			}
 			enumerator->destroy(enumerator);
 
-			if (array_count(reqids))
+			if (array_count(ids))
 			{
-				while (array_remove(reqids, ARRAY_HEAD, &del))
+				while (array_remove(ids, ARRAY_HEAD, &del))
 				{
 					DBG1(DBG_CFG, "closing '%s' #%u", name, *del);
 					charon->controller->terminate_child(charon->controller,
 														*del, NULL, NULL, 0);
 				}
-				array_destroy(reqids);
+				array_destroy(ids);
 			}
 			break;
 		case ACTION_ROUTE:
@@ -1601,14 +1601,14 @@ static void clear_start_action(private_vici_config_t *this,
 					{
 						if (streq(name, child_sa->get_name(child_sa)))
 						{
-							reqid = child_sa->get_reqid(child_sa);
+							id = child_sa->get_reqid(child_sa);
 							break;
 						}
 					}
 					enumerator->destroy(enumerator);
-					if (reqid)
+					if (id)
 					{
-						charon->traps->uninstall(charon->traps, reqid);
+						charon->traps->uninstall(charon->traps, id);
 					}
 					break;
 			}
@@ -1751,7 +1751,8 @@ CALLBACK(config_sn, bool,
 		.fragmentation = FRAGMENTATION_NO,
 		.unique = UNIQUE_NO,
 		.keyingtries = 1,
-		.rekey_time = LFT_DEFAULT_IKE_REKEY,
+		.rekey_time = LFT_UNDEFINED,
+		.reauth_time = LFT_UNDEFINED,
 		.over_time = LFT_UNDEFINED,
 		.rand_time = LFT_UNDEFINED,
 	};
@@ -1809,6 +1810,20 @@ CALLBACK(config_sn, bool,
 		peer.local_port = charon->socket->get_port(charon->socket, FALSE);
 	}
 
+	if (peer.rekey_time == LFT_UNDEFINED && peer.reauth_time == LFT_UNDEFINED)
+	{
+		/* apply a default rekey time if no rekey/reauth time set */
+		peer.rekey_time = LFT_DEFAULT_IKE_REKEY;
+		peer.reauth_time = 0;
+	}
+	if (peer.rekey_time == LFT_UNDEFINED)
+	{
+		peer.rekey_time = 0;
+	}
+	if (peer.reauth_time == LFT_UNDEFINED)
+	{
+		peer.reauth_time = 0;
+	}
 	if (peer.over_time == LFT_UNDEFINED)
 	{
 		/* default over_time to 10% of rekey/reauth time if not given */
@@ -1816,9 +1831,17 @@ CALLBACK(config_sn, bool,
 	}
 	if (peer.rand_time == LFT_UNDEFINED)
 	{
-		/* default rand_time to over_time if not given */
-		peer.rand_time = min(peer.over_time,
-							 max(peer.rekey_time, peer.reauth_time) / 2);
+		/* default rand_time to over_time if not given, but don't make it
+		 * longer than half of rekey/rauth time */
+		if (peer.rekey_time && peer.reauth_time)
+		{
+			peer.rand_time = min(peer.rekey_time, peer.reauth_time);
+		}
+		else
+		{
+			peer.rand_time = max(peer.rekey_time, peer.reauth_time);
+		}
+		peer.rand_time = min(peer.over_time, peer.rand_time / 2);
 	}
 
 	log_peer_data(&peer);
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 292a40032..01d503644 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -264,11 +264,11 @@ CALLBACK(terminate, vici_message_t*,
 				{
 					continue;
 				}
-				if (child_id && child_sa->get_reqid(child_sa) != child_id)
+				if (child_id && child_sa->get_unique_id(child_sa) != child_id)
 				{
 					continue;
 				}
-				current = child_sa->get_reqid(child_sa);
+				current = child_sa->get_unique_id(child_sa);
 				array_insert(ids, ARRAY_TAIL, &current);
 			}
 			csas->destroy(csas);
diff --git a/src/libcharon/plugins/vici/vici_plugin.c b/src/libcharon/plugins/vici/vici_plugin.c
index 8881feca9..af8bd283b 100644
--- a/src/libcharon/plugins/vici/vici_plugin.c
+++ b/src/libcharon/plugins/vici/vici_plugin.c
@@ -23,7 +23,6 @@
 #include "vici_logger.h"
 
 #include <library.h>
-#include <hydra.h>
 #include <daemon.h>
 
 typedef struct private_vici_plugin_t private_vici_plugin_t;
@@ -104,8 +103,8 @@ static bool register_vici(private_vici_plugin_t *this,
 
 			charon->backends->add_backend(charon->backends,
 										  &this->config->backend);
-			hydra->attributes->add_provider(hydra->attributes,
-											&this->attrs->provider);
+			charon->attributes->add_provider(charon->attributes,
+											 &this->attrs->provider);
 			charon->bus->add_logger(charon->bus, &this->logger->logger);
 			return TRUE;
 		}
@@ -114,8 +113,8 @@ static bool register_vici(private_vici_plugin_t *this,
 	else
 	{
 		charon->bus->remove_logger(charon->bus, &this->logger->logger);
-		hydra->attributes->remove_provider(hydra->attributes,
-										   &this->attrs->provider);
+		charon->attributes->remove_provider(charon->attributes,
+											&this->attrs->provider);
 		charon->backends->remove_backend(charon->backends,
 										 &this->config->backend);
 
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 54833abde..3e0d73cdf 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -63,11 +63,13 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
 
+	b->add_kv(b, "uniqueid", "%u", child->get_unique_id(child));
 	b->add_kv(b, "reqid", "%u", child->get_reqid(child));
 	b->add_kv(b, "state", "%N", child_sa_state_names, child->get_state(child));
 	b->add_kv(b, "mode", "%N", ipsec_mode_names, child->get_mode(child));
 	if (child->get_state(child) == CHILD_INSTALLED ||
-		child->get_state(child) == CHILD_REKEYING)
+		child->get_state(child) == CHILD_REKEYING ||
+		child->get_state(child) == CHILD_REKEYED)
 	{
 		b->add_kv(b, "protocol", "%N", protocol_id_names,
 				  child->get_protocol(child));
@@ -507,11 +509,14 @@ static void build_auth_cfgs(peer_cfg_t *peer_cfg, bool local, vici_builder_t *b)
 		certificate_t *cert;
 		char *str;
 	} v;
+	char buf[32];
+	int i = 0;
 
 	enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
 	while (enumerator->enumerate(enumerator, &auth))
 	{
-		b->begin_section(b, local ? "local" : "remote");
+		snprintf(buf, sizeof(buf), "%s-%d", local ? "local" : "remote", ++i);
+		b->begin_section(b, buf);
 
 		rules = auth->create_enumerator(auth);
 		while (rules->enumerate(rules, &rule, &v))
@@ -976,10 +981,10 @@ CALLBACK(stats, vici_message_t*,
 		struct mallinfo mi = mallinfo();
 
 		b->begin_section(b, "mallinfo");
-		b->add_kv(b, "sbrk", "%d", mi.arena);
-		b->add_kv(b, "mmap", "%d", mi.hblkhd);
-		b->add_kv(b, "used", "%d", mi.uordblks);
-		b->add_kv(b, "free", "%d", mi.fordblks);
+		b->add_kv(b, "sbrk", "%u", mi.arena);
+		b->add_kv(b, "mmap", "%u", mi.hblkhd);
+		b->add_kv(b, "used", "%u", mi.uordblks);
+		b->add_kv(b, "free", "%u", mi.fordblks);
 		b->end_section(b);
 	}
 #endif /* HAVE_MALLINFO */
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index b1cc1d118..e400d9f35 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -236,6 +236,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index e393ee163..a9684455d 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index f0e772700..5170c924f 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index a4c1aaeb2..087f5b350 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index 296ccaa1c..29441bcb5 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c
index fb480eee2..c8a9c17de 100644
--- a/src/libcharon/processing/jobs/adopt_children_job.c
+++ b/src/libcharon/processing/jobs/adopt_children_job.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2012 Martin Willi
  * Copyright (C) 2012 revosec AG
  *
@@ -54,10 +57,10 @@ METHOD(job_t, execute, job_requeue_t,
 	private_adopt_children_job_t *this)
 {
 	identification_t *my_id, *other_id, *xauth;
-	host_t *me, *other;
+	host_t *me, *other, *vip;
 	peer_cfg_t *cfg;
-	linked_list_t *children;
-	enumerator_t *enumerator, *childenum;
+	linked_list_t *children, *vips;
+	enumerator_t *enumerator, *subenum;
 	ike_sa_id_t *id;
 	ike_sa_t *ike_sa;
 	child_sa_t *child_sa;
@@ -81,7 +84,8 @@ METHOD(job_t, execute, job_requeue_t,
 
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 
-		/* find old SA to adopt children from */
+		/* find old SA to adopt children and virtual IPs from */
+		vips = linked_list_create();
 		children = linked_list_create();
 		enumerator = charon->ike_sa_manager->create_id_enumerator(
 									charon->ike_sa_manager, my_id, xauth,
@@ -102,18 +106,29 @@ METHOD(job_t, execute, job_requeue_t,
 					other_id->equals(other_id, ike_sa->get_other_id(ike_sa)) &&
 					cfg->equals(cfg, ike_sa->get_peer_cfg(ike_sa)))
 				{
-					childenum = ike_sa->create_child_sa_enumerator(ike_sa);
-					while (childenum->enumerate(childenum, &child_sa))
+					subenum = ike_sa->create_child_sa_enumerator(ike_sa);
+					while (subenum->enumerate(subenum, &child_sa))
 					{
-						ike_sa->remove_child_sa(ike_sa, childenum);
+						ike_sa->remove_child_sa(ike_sa, subenum);
 						children->insert_last(children, child_sa);
 					}
-					childenum->destroy(childenum);
-					if (children->get_count(children))
+					subenum->destroy(subenum);
+
+					subenum = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+					while (subenum->enumerate(subenum, &vip))
+					{
+						vips->insert_last(vips, vip->clone(vip));
+					}
+					subenum->destroy(subenum);
+					/* this does not release the addresses, which is good, but
+					 * it does trigger an assign_vips(FALSE) event, so we also
+					 * trigger one below */
+					ike_sa->clear_virtual_ips(ike_sa, FALSE);
+					if (children->get_count(children) || vips->get_count(vips))
 					{
 						DBG1(DBG_IKE, "detected reauth of existing IKE_SA, "
-							 "adopting %d children",
-							 children->get_count(children));
+							 "adopting %d children and %d virtual IPs",
+							 children->get_count(children), vips->get_count(vips));
 					}
 					ike_sa->set_state(ike_sa, IKE_DELETING);
 					charon->bus->ike_updown(charon->bus, ike_sa, FALSE);
@@ -125,7 +140,7 @@ METHOD(job_t, execute, job_requeue_t,
 					charon->ike_sa_manager->checkin(
 											charon->ike_sa_manager, ike_sa);
 				}
-				if (children->get_count(children))
+				if (children->get_count(children) || vips->get_count(vips))
 				{
 					break;
 				}
@@ -140,7 +155,7 @@ METHOD(job_t, execute, job_requeue_t,
 		xauth->destroy(xauth);
 		cfg->destroy(cfg);
 
-		if (children->get_count(children))
+		if (children->get_count(children) || vips->get_count(vips))
 		{
 			/* adopt children by new SA */
 			ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
@@ -152,10 +167,27 @@ METHOD(job_t, execute, job_requeue_t,
 				{
 					ike_sa->add_child_sa(ike_sa, child_sa);
 				}
+				if (vips->get_count(vips))
+				{
+					while (vips->remove_first(vips, (void**)&vip) == SUCCESS)
+					{
+						ike_sa->add_virtual_ip(ike_sa, FALSE, vip);
+						vip->destroy(vip);
+					}
+					charon->bus->assign_vips(charon->bus, ike_sa, TRUE);
+				}
 				charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 			}
 		}
 		children->destroy_offset(children, offsetof(child_sa_t, destroy));
+		/* FIXME: If we still have addresses here it means we weren't able to
+		 * find the new SA anymore (while not very likely during a proper
+		 * reauthentication, this theoretically could happen because the SA is
+		 * not locked while we search for the old one).  So the addresses here
+		 * should be released properly to avoid leaking these leases.  This is
+		 * currently not possible, though, due to the changed interface of
+		 * release_address(), which now takes a complete IKE_SA object. */
+		vips->destroy_offset(vips, offsetof(host_t, destroy));
 
 		if (array_count(this->tasks))
 		{
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.c b/src/libcharon/processing/jobs/delete_child_sa_job.c
index 9afbac02b..0d85883be 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.c
@@ -31,11 +31,6 @@ struct private_delete_child_sa_job_t {
 	delete_child_sa_job_t public;
 
 	/**
-	 * reqid of the CHILD_SA
-	 */
-	u_int32_t reqid;
-
-	/**
 	 * protocol of the CHILD_SA (ESP/AH)
 	 */
 	protocol_id_t protocol;
@@ -46,6 +41,11 @@ struct private_delete_child_sa_job_t {
 	u_int32_t spi;
 
 	/**
+	 * SA destination address
+	 */
+	host_t *dst;
+
+	/**
 	 * Delete for an expired CHILD_SA
 	 */
 	bool expired;
@@ -54,6 +54,7 @@ struct private_delete_child_sa_job_t {
 METHOD(job_t, destroy, void,
 	private_delete_child_sa_job_t *this)
 {
+	this->dst->destroy(this->dst);
 	free(this);
 }
 
@@ -62,12 +63,12 @@ METHOD(job_t, execute, job_requeue_t,
 {
 	ike_sa_t *ike_sa;
 
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													this->reqid, TRUE);
+	ike_sa = charon->child_sa_manager->checkout(charon->child_sa_manager,
+									this->protocol, this->spi, this->dst, NULL);
 	if (ike_sa == NULL)
 	{
-		DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for delete",
-			 this->reqid);
+		DBG1(DBG_JOB, "CHILD_SA %N/0x%08x/%H not found for delete",
+			 protocol_id_names, this->protocol, htonl(this->spi), this->dst);
 	}
 	else
 	{
@@ -87,8 +88,8 @@ METHOD(job_t, get_priority, job_priority_t,
 /*
  * Described in header
  */
-delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
-							protocol_id_t protocol, u_int32_t spi, bool expired)
+delete_child_sa_job_t *delete_child_sa_job_create(protocol_id_t protocol,
+									u_int32_t spi, host_t *dst, bool expired)
 {
 	private_delete_child_sa_job_t *this;
 
@@ -100,12 +101,11 @@ delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
 				.destroy = _destroy,
 			},
 		},
-		.reqid = reqid,
 		.protocol = protocol,
 		.spi = spi,
+		.dst = dst->clone(dst),
 		.expired = expired,
 	);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.h b/src/libcharon/processing/jobs/delete_child_sa_job.h
index be6d578bc..6fa53644c 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.h
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.h
@@ -44,16 +44,13 @@ struct delete_child_sa_job_t {
 /**
  * Creates a job of type DELETE_CHILD_SA.
  *
- * The CHILD_SA is identified by its reqid, protocol (AH/ESP) and its
- * inbound SPI.
- *
- * @param reqid		reqid of the CHILD_SA, as used in kernel
  * @param protocol	protocol of the CHILD_SA
  * @param spi		security parameter index of the CHILD_SA
+ * @param dst		SA destination address
  * @param expired	TRUE if CHILD_SA already expired
  * @return			delete_child_sa_job_t object
  */
-delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
-							protocol_id_t protocol, u_int32_t spi, bool expired);
+delete_child_sa_job_t *delete_child_sa_job_create(protocol_id_t protocol,
+									u_int32_t spi, host_t *dst, bool expired);
 
 #endif /** DELETE_CHILD_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/dpd_timeout_job.c b/src/libcharon/processing/jobs/dpd_timeout_job.c
index 9cdce5cab..4c88c13e2 100644
--- a/src/libcharon/processing/jobs/dpd_timeout_job.c
+++ b/src/libcharon/processing/jobs/dpd_timeout_job.c
@@ -63,6 +63,12 @@ METHOD(job_t, execute, job_requeue_t,
 											  this->ike_sa_id);
 	if (ike_sa)
 	{
+		if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+			return JOB_REQUEUE_NONE;
+		}
+
 		use_time = ike_sa->get_statistic(ike_sa, STAT_INBOUND);
 
 		enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c
index 197733979..f0f90eedf 100644
--- a/src/libcharon/processing/jobs/inactivity_job.c
+++ b/src/libcharon/processing/jobs/inactivity_job.c
@@ -30,9 +30,9 @@ struct private_inactivity_job_t {
 	inactivity_job_t public;
 
 	/**
-	 * Reqid of CHILD_SA to check
+	 * Unique CHILD_SA identifier to check
 	 */
-	u_int32_t reqid;
+	u_int32_t id;
 
 	/**
 	 * Inactivity timeout
@@ -57,8 +57,8 @@ METHOD(job_t, execute, job_requeue_t,
 	ike_sa_t *ike_sa;
 	u_int32_t reschedule = 0;
 
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													this->reqid, TRUE);
+	ike_sa = charon->child_sa_manager->checkout_by_id(charon->child_sa_manager,
+													  this->id, NULL);
 	if (ike_sa)
 	{
 		enumerator_t *enumerator;
@@ -69,9 +69,9 @@ METHOD(job_t, execute, job_requeue_t,
 		status_t status = SUCCESS;
 
 		enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
-		while (enumerator->enumerate(enumerator, (void**)&child_sa))
+		while (enumerator->enumerate(enumerator, &child_sa))
 		{
-			if (child_sa->get_reqid(child_sa) == this->reqid)
+			if (child_sa->get_unique_id(child_sa) == this->id)
 			{
 				time_t in, out, install, diff;
 
@@ -136,7 +136,7 @@ METHOD(job_t, get_priority, job_priority_t,
 /**
  * See header
  */
-inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
+inactivity_job_t *inactivity_job_create(u_int32_t unique_id, u_int32_t timeout,
 										bool close_ike)
 {
 	private_inactivity_job_t *this;
@@ -149,7 +149,7 @@ inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
 				.destroy = _destroy,
 			},
 		},
-		.reqid = reqid,
+		.id = unique_id,
 		.timeout = timeout,
 		.close_ike = close_ike,
 	);
diff --git a/src/libcharon/processing/jobs/inactivity_job.h b/src/libcharon/processing/jobs/inactivity_job.h
index 890f7704b..ff19fe560 100644
--- a/src/libcharon/processing/jobs/inactivity_job.h
+++ b/src/libcharon/processing/jobs/inactivity_job.h
@@ -42,12 +42,12 @@ struct inactivity_job_t {
 /**
  * Create a inactivity_job instance.
  *
- * @param reqid		reqid of CHILD_SA to check for inactivity
+ * @param unique_id	unique CHILD_SA identifier to check for inactivity
  * @param timeout	inactivity timeout in s
  * @param close_ike	close IKE_SA if the last remaining CHILD_SA is inactive?
  * @return			inactivity checking job
  */
-inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
+inactivity_job_t *inactivity_job_create(u_int32_t unique_id, u_int32_t timeout,
 										bool close_ike);
 
 #endif /** INACTIVITY_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/initiate_tasks_job.c b/src/libcharon/processing/jobs/initiate_tasks_job.c
new file mode 100644
index 000000000..001e71fd1
--- /dev/null
+++ b/src/libcharon/processing/jobs/initiate_tasks_job.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "initiate_tasks_job.h"
+
+#include <sa/ike_sa.h>
+#include <daemon.h>
+
+
+typedef struct private_initiate_tasks_job_t private_initiate_tasks_job_t;
+
+/**
+ * Private data of an initiate_tasks_job_t Object
+ */
+struct private_initiate_tasks_job_t {
+
+	/**
+	 * Public initiate_tasks_job_t interface
+	 */
+	initiate_tasks_job_t public;
+
+	/**
+	 * ID of the IKE_SA to trigger task initiation
+	 */
+	ike_sa_id_t *ike_sa_id;
+};
+
+METHOD(job_t, destroy, void,
+	private_initiate_tasks_job_t *this)
+{
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
+}
+
+METHOD(job_t, execute, job_requeue_t,
+	private_initiate_tasks_job_t *this)
+{
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+											  this->ike_sa_id);
+	if (ike_sa)
+	{
+		if (ike_sa->initiate(ike_sa, NULL, 0, NULL, NULL) == DESTROY_ME)
+		{
+			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+														ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+METHOD(job_t, get_priority, job_priority_t,
+	private_initiate_tasks_job_t *this)
+{
+	return JOB_PRIO_MEDIUM;
+}
+
+/*
+ * Described in header
+ */
+initiate_tasks_job_t *initiate_tasks_job_create(ike_sa_id_t *ike_sa_id)
+{
+	private_initiate_tasks_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.get_priority = _get_priority,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa_id = ike_sa_id->clone(ike_sa_id),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/processing/jobs/initiate_tasks_job.h b/src/libcharon/processing/jobs/initiate_tasks_job.h
new file mode 100644
index 000000000..071497843
--- /dev/null
+++ b/src/libcharon/processing/jobs/initiate_tasks_job.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup initiate_tasks_job initiate_tasks_job
+ * @{ @ingroup cjobs
+ */
+
+#ifndef INITIATE_TASKS_JOB_H_
+#define INITIATE_TASKS_JOB_H_
+
+typedef struct initiate_tasks_job_t initiate_tasks_job_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+#include <sa/ike_sa_id.h>
+
+/**
+ * Job triggering initiation of any queued IKE_SA tasks.
+ */
+struct initiate_tasks_job_t {
+
+	/**
+	 * Implements job_t interface
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job to trigger IKE_SA task initiation.
+ *
+ * @param ike_sa_id		ID of IKE_SA to trigger tasks for (gets cloned)
+ * @return				job instance
+ */
+initiate_tasks_job_t *initiate_tasks_job_create(ike_sa_id_t *ike_sa_id);
+
+#endif /** INITIATE_TASKS_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/migrate_job.c b/src/libcharon/processing/jobs/migrate_job.c
index 2ebfc6714..097dbdffd 100644
--- a/src/libcharon/processing/jobs/migrate_job.c
+++ b/src/libcharon/processing/jobs/migrate_job.c
@@ -70,29 +70,34 @@ METHOD(job_t, destroy, void,
 METHOD(job_t, execute, job_requeue_t,
 	private_migrate_job_t *this)
 {
-	ike_sa_t *ike_sa = NULL;
+	enumerator_t *ike_sas, *children;
+	ike_sa_t *ike_sa;
 
-	if (this->reqid)
+	ike_sas = charon->ike_sa_manager->create_enumerator(charon->ike_sa_manager,
+														TRUE);
+	while (ike_sas->enumerate(ike_sas, &ike_sa))
 	{
-		ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-														this->reqid, TRUE);
-	}
-	if (ike_sa)
-	{
-		enumerator_t *children, *enumerator;
-		child_sa_t *child_sa;
-		host_t *host;
+		child_sa_t *current, *child_sa = NULL;
 		linked_list_t *vips;
+		status_t status;
+		host_t *host;
 
 		children = ike_sa->create_child_sa_enumerator(ike_sa);
-		while (children->enumerate(children, (void**)&child_sa))
+		while (children->enumerate(children, &current))
 		{
-			if (child_sa->get_reqid(child_sa) == this->reqid)
+			if (current->get_reqid(current) == this->reqid)
 			{
+				child_sa = current;
 				break;
 			}
 		}
 		children->destroy(children);
+
+		if (!child_sa)
+		{
+			continue;
+		}
+
 		DBG2(DBG_JOB, "found CHILD_SA with reqid {%d}", this->reqid);
 
 		ike_sa->set_kmaddress(ike_sa, this->local, this->remote);
@@ -105,27 +110,28 @@ METHOD(job_t, execute, job_requeue_t,
 		host->set_port(host, IKEV2_UDP_PORT);
 		ike_sa->set_other_host(ike_sa, host);
 
-		vips = linked_list_create();
-		enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
-		while (enumerator->enumerate(enumerator, &host))
-		{
-			vips->insert_last(vips, host);
-		}
-		enumerator->destroy(enumerator);
+		vips = linked_list_create_from_enumerator(
+							ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE));
 
-		if (child_sa->update(child_sa, this->local, this->remote, vips,
-				ike_sa->has_condition(ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
+		status = child_sa->update(child_sa, this->local, this->remote, vips,
+								  ike_sa->has_condition(ike_sa, COND_NAT_ANY));
+		switch (status)
 		{
-			ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa),
-								   child_sa->get_spi(child_sa, TRUE));
+			case NOT_SUPPORTED:
+				ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa),
+									   child_sa->get_spi(child_sa, TRUE));
+				break;
+			case SUCCESS:
+				charon->child_sa_manager->remove(charon->child_sa_manager,
+												 child_sa);
+				charon->child_sa_manager->add(charon->child_sa_manager,
+											  child_sa, ike_sa);
+			default:
+				break;
 		}
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 		vips->destroy(vips);
 	}
-	else
-	{
-		DBG1(DBG_JOB, "no CHILD_SA found with reqid {%d}", this->reqid);
-	}
+	ike_sas->destroy(ike_sas);
 	return JOB_REQUEUE_NONE;
 }
 
diff --git a/src/libcharon/processing/jobs/migrate_job.h b/src/libcharon/processing/jobs/migrate_job.h
index 30c0ad0ac..0f2b9aaad 100644
--- a/src/libcharon/processing/jobs/migrate_job.h
+++ b/src/libcharon/processing/jobs/migrate_job.h
@@ -46,7 +46,7 @@ struct migrate_job_t {
  *
  * We use the reqid or the traffic selectors to find a matching CHILD_SA.
  *
- * @param reqid		reqid of the CHILD_SA to acquire
+ * @param reqid		reqid of the CHILD_SA to migrate
  * @param src_ts	source traffic selector to be used in the policy
  * @param dst_ts	destination traffic selector to be used in the policy
  * @param dir		direction of the policy (in|out)
diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.c b/src/libcharon/processing/jobs/rekey_child_sa_job.c
index 1bf8dc0cb..8f17d39ab 100644
--- a/src/libcharon/processing/jobs/rekey_child_sa_job.c
+++ b/src/libcharon/processing/jobs/rekey_child_sa_job.c
@@ -24,17 +24,13 @@ typedef struct private_rekey_child_sa_job_t private_rekey_child_sa_job_t;
  * Private data of an rekey_child_sa_job_t object.
  */
 struct private_rekey_child_sa_job_t {
+
 	/**
 	 * Public rekey_child_sa_job_t interface.
 	 */
 	rekey_child_sa_job_t public;
 
 	/**
-	 * reqid of the child to rekey
-	 */
-	u_int32_t reqid;
-
-	/**
 	 * protocol of the CHILD_SA (ESP/AH)
 	 */
 	protocol_id_t protocol;
@@ -43,11 +39,17 @@ struct private_rekey_child_sa_job_t {
 	 * inbound SPI of the CHILD_SA
 	 */
 	u_int32_t spi;
+
+	/**
+	 * SA destination address
+	 */
+	host_t *dst;
 };
 
 METHOD(job_t, destroy, void,
 	private_rekey_child_sa_job_t *this)
 {
+	this->dst->destroy(this->dst);
 	free(this);
 }
 
@@ -56,12 +58,12 @@ METHOD(job_t, execute, job_requeue_t,
 {
 	ike_sa_t *ike_sa;
 
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													this->reqid, TRUE);
+	ike_sa = charon->child_sa_manager->checkout(charon->child_sa_manager,
+									this->protocol, this->spi, this->dst, NULL);
 	if (ike_sa == NULL)
 	{
-		DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for rekeying",
-			 this->reqid);
+		DBG1(DBG_JOB, "CHILD_SA %N/0x%08x/%H not found for rekey",
+			 protocol_id_names, this->protocol, htonl(this->spi), this->dst);
 	}
 	else
 	{
@@ -80,9 +82,8 @@ METHOD(job_t, get_priority, job_priority_t,
 /*
  * Described in header
  */
-rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
-												protocol_id_t protocol,
-												u_int32_t spi)
+rekey_child_sa_job_t *rekey_child_sa_job_create(protocol_id_t protocol,
+												u_int32_t spi, host_t *dst)
 {
 	private_rekey_child_sa_job_t *this;
 
@@ -94,9 +95,9 @@ rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
 				.destroy = _destroy,
 			},
 		},
-		.reqid = reqid,
 		.protocol = protocol,
 		.spi = spi,
+		.dst = dst->clone(dst),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.h b/src/libcharon/processing/jobs/rekey_child_sa_job.h
index fcbe65a06..364bb5ae7 100644
--- a/src/libcharon/processing/jobs/rekey_child_sa_job.h
+++ b/src/libcharon/processing/jobs/rekey_child_sa_job.h
@@ -43,15 +43,11 @@ struct rekey_child_sa_job_t {
 /**
  * Creates a job of type REKEY_CHILD_SA.
  *
- * The CHILD_SA is identified by its protocol (AH/ESP) and its
- * inbound SPI.
- *
- * @param reqid		reqid of the CHILD_SA to rekey
  * @param protocol	protocol of the CHILD_SA
  * @param spi		security parameter index of the CHILD_SA
+ * @param dst		SA destination address
  * @return			rekey_child_sa_job_t object
  */
-rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
-												protocol_id_t protocol,
-												u_int32_t spi);
+rekey_child_sa_job_t *rekey_child_sa_job_create(protocol_id_t protocol,
+												u_int32_t spi, host_t *dst);
 #endif /** REKEY_CHILD_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.c b/src/libcharon/processing/jobs/rekey_ike_sa_job.c
index 516dc5dd5..403d826a3 100644
--- a/src/libcharon/processing/jobs/rekey_ike_sa_job.c
+++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.c
@@ -67,7 +67,8 @@ static u_int32_t get_retry_delay(ike_sa_t *ike_sa)
 		enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
 		while (enumerator->enumerate(enumerator, &child_sa))
 		{
-			if (child_sa->get_state(child_sa) != CHILD_INSTALLED)
+			if (child_sa->get_state(child_sa) != CHILD_INSTALLED &&
+				child_sa->get_state(child_sa) != CHILD_REKEYED)
 			{
 				retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
 				DBG1(DBG_IKE, "unable to reauthenticate in CHILD_SA %N state, "
diff --git a/src/libcharon/processing/jobs/update_sa_job.c b/src/libcharon/processing/jobs/update_sa_job.c
index e6d7da2c6..862506d90 100644
--- a/src/libcharon/processing/jobs/update_sa_job.c
+++ b/src/libcharon/processing/jobs/update_sa_job.c
@@ -27,15 +27,26 @@ typedef struct private_update_sa_job_t private_update_sa_job_t;
  * Private data of an update_sa_job_t Object
  */
 struct private_update_sa_job_t {
+
 	/**
 	 * public update_sa_job_t interface
 	 */
 	update_sa_job_t public;
 
 	/**
-	 * reqid of the CHILD_SA
+	 * protocol of the CHILD_SA (ESP/AH)
+	 */
+	protocol_id_t protocol;
+
+	/**
+	 * SPI of the CHILD_SA
 	 */
-	u_int32_t reqid;
+	u_int32_t spi;
+
+	/**
+	 * Old SA destination address
+	 */
+	host_t *dst;
 
 	/**
 	 * New SA address and port
@@ -46,6 +57,7 @@ struct private_update_sa_job_t {
 METHOD(job_t, destroy, void,
 	private_update_sa_job_t *this)
 {
+	this->dst->destroy(this->dst);
 	this->new->destroy(this->new);
 	free(this);
 }
@@ -55,11 +67,12 @@ METHOD(job_t, execute, job_requeue_t,
 {
 	ike_sa_t *ike_sa;
 
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													this->reqid, TRUE);
+	ike_sa = charon->child_sa_manager->checkout(charon->child_sa_manager,
+									this->protocol, this->spi, this->dst, NULL);
 	if (ike_sa == NULL)
 	{
-		DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for update", this->reqid);
+		DBG1(DBG_JOB, "CHILD_SA %N/0x%08x/%H not found for update",
+			 protocol_id_names, this->protocol, htonl(this->spi), this->dst);
 	}
 	else
 	{
@@ -78,7 +91,8 @@ METHOD(job_t, get_priority, job_priority_t,
 /*
  * Described in header
  */
-update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new)
+update_sa_job_t *update_sa_job_create(protocol_id_t protocol,
+									  u_int32_t spi, host_t *dst, host_t *new)
 {
 	private_update_sa_job_t *this;
 
@@ -90,10 +104,11 @@ update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new)
 				.destroy = _destroy,
 			},
 		},
-		.reqid = reqid,
-		.new = new,
+		.protocol = protocol,
+		.spi = spi,
+		.dst = dst->clone(dst),
+		.new = new->clone(new),
 	);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h
index 55a3df83e..9c19f5b6e 100644
--- a/src/libcharon/processing/jobs/update_sa_job.h
+++ b/src/libcharon/processing/jobs/update_sa_job.h
@@ -26,6 +26,7 @@ typedef struct update_sa_job_t update_sa_job_t;
 #include <library.h>
 #include <networking/host.h>
 #include <processing/jobs/job.h>
+#include <config/proposal.h>
 
 /**
  * Update the addresses of an IKE and its CHILD_SAs.
@@ -41,10 +42,13 @@ struct update_sa_job_t {
 /**
  * Creates a job to update IKE and CHILD_SA addresses.
  *
- * @param reqid			reqid of the CHILD_SA
+ * @param protocol		IPsec protocol of SA to update
+ * @param spi			SPI of SA to update
+ * @param dst			old destination host of SA to update
  * @param new			new address and port
  * @return				update_sa_job_t object
  */
-update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new);
+update_sa_job_t *update_sa_job_create(protocol_id_t protocol,
+									  u_int32_t spi, host_t *dst, host_t *new);
 
 #endif /** UPDATE_SA_JOB_H_ @}*/
diff --git a/src/libcharon/sa/authenticator.c b/src/libcharon/sa/authenticator.c
index 8571274ac..6c3681a2d 100644
--- a/src/libcharon/sa/authenticator.c
+++ b/src/libcharon/sa/authenticator.c
@@ -31,12 +31,14 @@ ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
 	"RSA signature",
 	"pre-shared key",
 	"DSS signature");
-ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_GSPM, AUTH_DSS,
+ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_DS, AUTH_DSS,
 	"ECDSA-256 signature",
 	"ECDSA-384 signature",
 	"ECDSA-521 signature",
-	"secure password method");
-ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_GSPM,
+	"secure password method",
+	"NULL authentication",
+	"digital signature");
+ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_DS,
 	"XAuthInitPSK",
 	"XAuthRespPSK",
 	"XAuthInitRSA",
@@ -99,6 +101,7 @@ authenticator_t *authenticator_create_verifier(
 		case AUTH_ECDSA_256:
 		case AUTH_ECDSA_384:
 		case AUTH_ECDSA_521:
+		case AUTH_DS:
 			return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
 										sent_nonce, received_init, reserved);
 		case AUTH_PSK:
diff --git a/src/libcharon/sa/authenticator.h b/src/libcharon/sa/authenticator.h
index 914f42d9d..97c042e71 100644
--- a/src/libcharon/sa/authenticator.h
+++ b/src/libcharon/sa/authenticator.h
@@ -80,6 +80,16 @@ enum auth_method_t {
 	AUTH_GSPM = 12,
 
 	/**
+	 * NULL Authentication Method as specified in draft-ietf-ipsecme-ikev2-null-auth
+	 */
+	AUTH_NULL = 13,
+
+	/**
+	 * Digital Signature as specified in RFC 7427
+	 */
+	AUTH_DS = 14,
+
+	/**
 	 * IKEv1 initiator XAUTH with PSK, outside of IANA range
 	 */
 	AUTH_XAUTH_INIT_PSK = 256,
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index a96ab4e90..e0db2e655 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -34,6 +34,8 @@ ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
 	"INSTALLED",
 	"UPDATING",
 	"REKEYING",
+	"REKEYED",
+	"RETRYING",
 	"DELETING",
 	"DESTROYING",
 );
@@ -100,6 +102,16 @@ struct private_child_sa_t {
 	u_int32_t reqid;
 
 	/**
+	 * Did we allocate/confirm and must release the reqid?
+	 */
+	bool reqid_allocated;
+
+	/*
+	 * Unique CHILD_SA identifier
+	 */
+	u_int32_t unique_id;
+
+	/**
 	 * inbound mark used for this child_sa
 	 */
 	mark_t mark_in;
@@ -228,6 +240,12 @@ METHOD(child_sa_t, get_reqid, u_int32_t,
 	return this->reqid;
 }
 
+METHOD(child_sa_t, get_unique_id, u_int32_t,
+	private_child_sa_t *this)
+{
+	return this->unique_id;
+}
+
 METHOD(child_sa_t, get_config, child_cfg_t*,
 	   private_child_sa_t *this)
 {
@@ -602,7 +620,7 @@ METHOD(child_sa_t, alloc_spi, u_int32_t,
 {
 	if (hydra->kernel_interface->get_spi(hydra->kernel_interface,
 										 this->other_addr, this->my_addr,
-										 proto_ike2ip(protocol), this->reqid,
+										 proto_ike2ip(protocol),
 										 &this->my_spi) == SUCCESS)
 	{
 		/* if we allocate a SPI, but then are unable to establish the SA, we
@@ -618,7 +636,7 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t,
 {
 	if (hydra->kernel_interface->get_cpi(hydra->kernel_interface,
 										 this->other_addr, this->my_addr,
-										 this->reqid, &this->my_cpi) == SUCCESS)
+										 &this->my_cpi) == SUCCESS)
 	{
 		return this->my_cpi;
 	}
@@ -632,7 +650,7 @@ METHOD(child_sa_t, install, status_t,
 {
 	u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
 	u_int16_t esn = NO_EXT_SEQ_NUMBERS;
-	traffic_selector_t *src_ts = NULL, *dst_ts = NULL;
+	linked_list_t *src_ts = NULL, *dst_ts = NULL;
 	time_t now;
 	lifetime_cfg_t *lifetime;
 	u_int32_t tfc = 0;
@@ -680,6 +698,18 @@ METHOD(child_sa_t, install, status_t,
 	this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
 								  &esn, NULL);
 
+	if (!this->reqid_allocated)
+	{
+		status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface,
+							my_ts, other_ts, this->mark_in, this->mark_out,
+							&this->reqid);
+		if (status != SUCCESS)
+		{
+			return status;
+		}
+		this->reqid_allocated = TRUE;
+	}
+
 	lifetime = this->config->get_lifetime(this->config);
 
 	now = time_monotonic(NULL);
@@ -704,18 +734,16 @@ METHOD(child_sa_t, install, status_t,
 		lifetime->time.rekey = 0;
 	}
 
-	/* BEET requires the bound address from the traffic selectors.
-	 * TODO: We add just the first traffic selector for now, as the
-	 * kernel accepts a single TS per SA only */
+	/* BEET requires the bound address from the traffic selectors */
 	if (inbound)
 	{
-		my_ts->get_first(my_ts, (void**)&dst_ts);
-		other_ts->get_first(other_ts, (void**)&src_ts);
+		dst_ts = my_ts;
+		src_ts = other_ts;
 	}
 	else
 	{
-		my_ts->get_first(my_ts, (void**)&src_ts);
-		other_ts->get_first(other_ts, (void**)&dst_ts);
+		src_ts = my_ts;
+		dst_ts = other_ts;
 	}
 
 	status = hydra->kernel_interface->add_sa(hydra->kernel_interface,
@@ -723,7 +751,7 @@ METHOD(child_sa_t, install, status_t,
 				inbound ? this->mark_in : this->mark_out, tfc,
 				lifetime, enc_alg, encr, int_alg, integ, this->mode,
 				this->ipcomp, cpi, this->config->get_replay_window(this->config),
-				initiator, this->encap, esn, update, src_ts, dst_ts);
+				initiator, this->encap, esn, inbound, update, src_ts, dst_ts);
 
 	free(lifetime);
 
@@ -798,6 +826,19 @@ METHOD(child_sa_t, add_policies, status_t,
 	traffic_selector_t *my_ts, *other_ts;
 	status_t status = SUCCESS;
 
+	if (!this->reqid_allocated)
+	{
+		/* trap policy, get or confirm reqid */
+		status = hydra->kernel_interface->alloc_reqid(
+							hydra->kernel_interface, my_ts_list, other_ts_list,
+							this->mark_in, this->mark_out, &this->reqid);
+		if (status != SUCCESS)
+		{
+			return status;
+		}
+		this->reqid_allocated = TRUE;
+	}
+
 	/* apply traffic selectors */
 	enumerator = my_ts_list->create_enumerator(my_ts_list);
 	while (enumerator->enumerate(enumerator, &my_ts))
@@ -805,12 +846,15 @@ METHOD(child_sa_t, add_policies, status_t,
 		array_insert(this->my_ts, ARRAY_TAIL, my_ts->clone(my_ts));
 	}
 	enumerator->destroy(enumerator);
+	array_sort(this->my_ts, (void*)traffic_selector_cmp, NULL);
+
 	enumerator = other_ts_list->create_enumerator(other_ts_list);
 	while (enumerator->enumerate(enumerator, &other_ts))
 	{
 		array_insert(this->other_ts, ARRAY_TAIL, other_ts->clone(other_ts));
 	}
 	enumerator->destroy(enumerator);
+	array_sort(this->other_ts, (void*)traffic_selector_cmp, NULL);
 
 	if (this->config->install_policy(this->config))
 	{
@@ -1071,6 +1115,22 @@ METHOD(child_sa_t, destroy, void,
 
 	set_state(this, CHILD_DESTROYING);
 
+	if (this->config->install_policy(this->config))
+	{
+		/* delete all policies in the kernel */
+		enumerator = create_policy_enumerator(this);
+		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+		{
+			del_policies_internal(this, my_ts, other_ts, priority);
+			if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update())
+			{
+				del_policies_internal(this, my_ts, other_ts,
+									  POLICY_PRIORITY_FALLBACK);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
 	/* delete SAs in the kernel, if they are set up */
 	if (this->my_spi)
 	{
@@ -1087,20 +1147,13 @@ METHOD(child_sa_t, destroy, void,
 					this->mark_out);
 	}
 
-	if (this->config->install_policy(this->config))
+	if (this->reqid_allocated)
 	{
-		/* delete all policies in the kernel */
-		enumerator = create_policy_enumerator(this);
-		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+		if (hydra->kernel_interface->release_reqid(hydra->kernel_interface,
+						this->reqid, this->mark_in, this->mark_out) != SUCCESS)
 		{
-			del_policies_internal(this, my_ts, other_ts, priority);
-			if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update())
-			{
-				del_policies_internal(this, my_ts, other_ts,
-									  POLICY_PRIORITY_FALLBACK);
-			}
+			DBG1(DBG_CHD, "releasing reqid %u failed", this->reqid);
 		}
-		enumerator->destroy(enumerator);
 	}
 
 	array_destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
@@ -1151,15 +1204,17 @@ static host_t* get_proxy_addr(child_cfg_t *config, host_t *ike, bool local)
  * Described in header.
  */
 child_sa_t * child_sa_create(host_t *me, host_t* other,
-							 child_cfg_t *config, u_int32_t rekey, bool encap)
+							 child_cfg_t *config, u_int32_t rekey, bool encap,
+							 u_int mark_in, u_int mark_out)
 {
-	static refcount_t reqid = 0;
 	private_child_sa_t *this;
+	static refcount_t unique_id = 0, unique_mark = 0, mark;
 
 	INIT(this,
 		.public = {
 			.get_name = _get_name,
 			.get_reqid = _get_reqid,
+			.get_unique_id = _get_unique_id,
 			.get_config = _get_config,
 			.get_state = _get_state,
 			.set_state = _set_state,
@@ -1201,6 +1256,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 		.close_action = config->get_close_action(config),
 		.dpd_action = config->get_dpd_action(config),
 		.reqid = config->get_reqid(config),
+		.unique_id = ref_get(&unique_id),
 		.mark_in = config->get_mark(config, TRUE),
 		.mark_out = config->get_mark(config, FALSE),
 		.install_time = time_monotonic(NULL),
@@ -1209,9 +1265,37 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->config = config;
 	config->get_ref(config);
 
+	if (mark_in)
+	{
+		this->mark_in.value = mark_in;
+	}
+	if (mark_out)
+	{
+		this->mark_out.value = mark_out;
+	}
+	if (this->mark_in.value == MARK_UNIQUE ||
+		this->mark_out.value == MARK_UNIQUE)
+	{
+		mark = ref_get(&unique_mark);
+		if (this->mark_in.value == MARK_UNIQUE)
+		{
+			this->mark_in.value = mark;
+		}
+		if (this->mark_out.value == MARK_UNIQUE)
+		{
+			this->mark_out.value = mark;
+		}
+	}
+
 	if (!this->reqid)
 	{
-		/* reuse old reqid if we are rekeying an existing CHILD_SA */
+		/* reuse old reqid if we are rekeying an existing CHILD_SA. While the
+		 * reqid cache would find the same reqid for our selectors, this does
+		 * not work in a special case: If an SA is triggered by a trap policy,
+		 * but the negotiated SA gets narrowed, we still must reuse the same
+		 * reqid to successfully "trigger" the SA on the kernel level. Rekeying
+		 * such an SA requires an explicit reqid, as the cache currently knows
+		 * the original selectors only for that reqid. */
 		if (rekey)
 		{
 			this->reqid = rekey;
@@ -1219,22 +1303,9 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 		else
 		{
 			this->reqid = charon->traps->find_reqid(charon->traps, config);
-			if (!this->reqid)
-			{
-				this->reqid = ref_get(&reqid);
-			}
 		}
 	}
 
-	if (this->mark_in.value == MARK_REQID)
-	{
-		this->mark_in.value = this->reqid;
-	}
-	if (this->mark_out.value == MARK_REQID)
-	{
-		this->mark_out.value = this->reqid;
-	}
-
 	/* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
 	if (config->get_mode(config) == MODE_TRANSPORT &&
 		config->use_proxy_mode(config))
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index a0c6c357f..debe8eb2c 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -68,6 +68,16 @@ enum child_sa_state_t {
 	CHILD_REKEYING,
 
 	/**
+	 * CHILD_SA that was rekeyed, but stays installed
+	 */
+	CHILD_REKEYED,
+
+	/**
+	 * CHILD_SA negotiation failed, but gets retried
+	 */
+	CHILD_RETRYING,
+
+	/**
 	 * CHILD_SA in progress of delete
 	 */
 	CHILD_DELETING,
@@ -121,6 +131,16 @@ struct child_sa_t {
 	u_int32_t (*get_reqid)(child_sa_t *this);
 
 	/**
+	 * Get the unique numerical identifier for this CHILD_SA.
+	 *
+	 * While the same reqid might be shared between multiple SAs, the unique_id
+	 * is truly unique for all CHILD_SA instances.
+	 *
+	 * @return			unique CHILD_SA identifier
+	 */
+	u_int32_t (*get_unique_id)(child_sa_t *this);
+
+	/**
 	 * Get the config used to set up this child sa.
 	 *
 	 * @return			child_cfg
@@ -379,9 +399,12 @@ struct child_sa_t {
  * @param config			config to use for this CHILD_SA
  * @param reqid				reqid of old CHILD_SA when rekeying, 0 otherwise
  * @param encap				TRUE to enable UDP encapsulation (NAT traversal)
+ * @param mark_in			explicit inbound mark value to use, 0 for config
+ * @param mark_out			explicit outbound mark value to use, 0 for config
  * @return					child_sa_t object
  */
 child_sa_t * child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
-							 u_int32_t reqid, bool encap);
+							 u_int32_t reqid, bool encap,
+							 u_int mark_in, u_int mark_out);
 
 #endif /** CHILD_SA_H_ @}*/
diff --git a/src/libcharon/sa/child_sa_manager.c b/src/libcharon/sa/child_sa_manager.c
new file mode 100644
index 000000000..071a119da
--- /dev/null
+++ b/src/libcharon/sa/child_sa_manager.c
@@ -0,0 +1,333 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_sa_manager.h"
+
+#include <daemon.h>
+#include <threading/mutex.h>
+#include <collections/hashtable.h>
+
+typedef struct private_child_sa_manager_t private_child_sa_manager_t;
+
+/**
+ * Private data of an child_sa_manager_t object.
+ */
+struct private_child_sa_manager_t {
+
+	/**
+	 * Public child_sa_manager_t interface.
+	 */
+	child_sa_manager_t public;
+
+	/**
+	 * CHILD_SAs by inbound SPI/dst, child_entry_t => child_entry_t
+	 */
+	hashtable_t *in;
+
+	/**
+	 * CHILD_SAs by outbound SPI/dst, child_entry_t => child_entry_t
+	 */
+	hashtable_t *out;
+
+	/**
+	 * CHILD_SAs by unique ID, child_entry_t => child_entry_t
+	 */
+	hashtable_t *ids;
+
+	/**
+	 * Mutex to access any hashtable
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Hashtable entry for a known CHILD_SA
+ */
+typedef struct {
+	/** the associated IKE_SA */
+	ike_sa_id_t *ike_id;
+	/** unique CHILD_SA identifier */
+	u_int32_t unique_id;
+	/** inbound SPI */
+	u_int32_t spi_in;
+	/** outbound SPI */
+	u_int32_t spi_out;
+	/** inbound host address */
+	host_t *host_in;
+	/** outbound host address and port */
+	host_t *host_out;
+	/** IPsec protocol, AH|ESP */
+	protocol_id_t proto;
+} child_entry_t;
+
+/**
+ * Destroy a CHILD_SA entry
+ */
+static void child_entry_destroy(child_entry_t *entry)
+{
+	entry->ike_id->destroy(entry->ike_id);
+	entry->host_in->destroy(entry->host_in);
+	entry->host_out->destroy(entry->host_out);
+	free(entry);
+}
+
+/**
+ * Hashtable hash function for inbound SAs
+ */
+static u_int hash_in(child_entry_t *entry)
+{
+	return chunk_hash_inc(chunk_from_thing(entry->spi_in),
+			chunk_hash_inc(entry->host_in->get_address(entry->host_in),
+			 chunk_hash(chunk_from_thing(entry->proto))));
+}
+
+/**
+ * Hashtable equals function for inbound SAs
+ */
+static bool equals_in(child_entry_t *a, child_entry_t *b)
+{
+	return a->spi_in == b->spi_in &&
+		   a->proto == b->proto &&
+		   a->host_in->ip_equals(a->host_in, b->host_in);
+}
+
+/**
+ * Hashtable hash function for outbound SAs
+ */
+static u_int hash_out(child_entry_t *entry)
+{
+	return chunk_hash_inc(chunk_from_thing(entry->spi_out),
+			chunk_hash_inc(entry->host_out->get_address(entry->host_out),
+			 chunk_hash(chunk_from_thing(entry->proto))));
+}
+
+/**
+ * Hashtable equals function for outbound SAs
+ */
+static bool equals_out(child_entry_t *a, child_entry_t *b)
+{
+	return a->spi_out == b->spi_out &&
+		   a->proto == b->proto &&
+		   a->host_out->ip_equals(a->host_out, b->host_out);
+}
+
+/**
+ * Hashtable hash function for SAs by unique ID
+ */
+static u_int hash_id(child_entry_t *entry)
+{
+	return chunk_hash(chunk_from_thing(entry->unique_id));
+}
+
+/**
+ * Hashtable equals function for SAs by unique ID
+ */
+static bool equals_id(child_entry_t *a, child_entry_t *b)
+{
+	return a->unique_id == b->unique_id;
+}
+
+METHOD(child_sa_manager_t, add, void,
+	private_child_sa_manager_t *this, child_sa_t *child_sa, ike_sa_t *ike_sa)
+{
+	child_entry_t *entry;
+	host_t *in, *out;
+	ike_sa_id_t *id;
+
+	id = ike_sa->get_id(ike_sa);
+	in = ike_sa->get_my_host(ike_sa);
+	out = ike_sa->get_other_host(ike_sa);
+
+	INIT(entry,
+		.ike_id = id->clone(id),
+		.unique_id = child_sa->get_unique_id(child_sa),
+		.proto = child_sa->get_protocol(child_sa),
+		.spi_in = child_sa->get_spi(child_sa, TRUE),
+		.spi_out = child_sa->get_spi(child_sa, FALSE),
+		.host_in = in->clone(in),
+		.host_out = out->clone(out),
+	);
+
+	this->mutex->lock(this->mutex);
+	if (!this->in->get(this->in, entry) &&
+		!this->out->get(this->out, entry))
+	{
+		this->in->put(this->in, entry, entry);
+		this->out->put(this->out, entry, entry);
+		entry = this->ids->put(this->ids, entry, entry);
+	}
+	this->mutex->unlock(this->mutex);
+
+	if (entry)
+	{
+		child_entry_destroy(entry);
+	}
+}
+
+METHOD(child_sa_manager_t, remove_, void,
+	private_child_sa_manager_t *this, child_sa_t *child_sa)
+{
+	child_entry_t *entry, key = {
+		.unique_id = child_sa->get_unique_id(child_sa),
+	};
+
+	this->mutex->lock(this->mutex);
+	entry = this->ids->remove(this->ids, &key);
+	if (entry)
+	{
+		this->in->remove(this->in, entry);
+		this->out->remove(this->out, entry);
+	}
+	this->mutex->unlock(this->mutex);
+
+	if (entry)
+	{
+		child_entry_destroy(entry);
+	}
+}
+
+/**
+ * Check out an IKE_SA for a given CHILD_SA
+ */
+static ike_sa_t *checkout_ikesa(private_child_sa_manager_t *this,
+					ike_sa_id_t *id, u_int32_t unique_id, child_sa_t **child_sa)
+{
+	enumerator_t *enumerator;
+	child_sa_t *current;
+	ike_sa_t *ike_sa;
+	bool found = FALSE;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
+	id->destroy(id);
+	if (ike_sa)
+	{
+		enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			found = current->get_unique_id(current) == unique_id;
+			if (found)
+			{
+				if (child_sa)
+				{
+					*child_sa = current;
+				}
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		if (found)
+		{
+			return ike_sa;
+		}
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	return NULL;
+}
+
+METHOD(child_sa_manager_t, checkout_by_id, ike_sa_t*,
+	private_child_sa_manager_t *this, u_int32_t unique_id,
+	child_sa_t **child_sa)
+{
+	ike_sa_id_t *id;
+	child_entry_t *entry, key = {
+		.unique_id = unique_id,
+	};
+
+	this->mutex->lock(this->mutex);
+	entry = this->ids->get(this->ids, &key);
+	if (entry)
+	{
+		id = entry->ike_id->clone(entry->ike_id);
+	}
+	this->mutex->unlock(this->mutex);
+
+	if (entry)
+	{
+		return checkout_ikesa(this, id, unique_id, child_sa);
+	}
+	return NULL;
+}
+
+METHOD(child_sa_manager_t, checkout, ike_sa_t*,
+	private_child_sa_manager_t *this, protocol_id_t protocol, u_int32_t spi,
+	host_t *dst, child_sa_t **child_sa)
+{
+	ike_sa_id_t *id;
+	u_int32_t unique_id;
+	child_entry_t *entry, key = {
+		.spi_in = spi,
+		.spi_out = spi,
+		.host_in = dst,
+		.host_out = dst,
+		.proto = protocol,
+	};
+
+	this->mutex->lock(this->mutex);
+	entry = this->in->get(this->in, &key);
+	if (!entry)
+	{
+		entry = this->out->get(this->out, &key);
+	}
+	if (entry)
+	{
+		unique_id = entry->unique_id;
+		id = entry->ike_id->clone(entry->ike_id);
+	}
+	this->mutex->unlock(this->mutex);
+
+	if (entry)
+	{
+		return checkout_ikesa(this, id, unique_id, child_sa);
+	}
+	return NULL;
+}
+
+METHOD(child_sa_manager_t, destroy, void,
+	private_child_sa_manager_t *this)
+{
+	this->in->destroy(this->in);
+	this->out->destroy(this->out);
+	this->ids->destroy(this->ids);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+child_sa_manager_t *child_sa_manager_create()
+{
+	private_child_sa_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.add = _add,
+			.remove = _remove_,
+			.checkout = _checkout,
+			.checkout_by_id = _checkout_by_id,
+			.destroy = _destroy,
+		},
+		.in = hashtable_create((hashtable_hash_t)hash_in,
+							   (hashtable_equals_t)equals_in, 8),
+		.out = hashtable_create((hashtable_hash_t)hash_out,
+							   (hashtable_equals_t)equals_out, 8),
+		.ids = hashtable_create((hashtable_hash_t)hash_id,
+							   (hashtable_equals_t)equals_id, 8),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/child_sa_manager.h b/src/libcharon/sa/child_sa_manager.h
new file mode 100644
index 000000000..4d57528e8
--- /dev/null
+++ b/src/libcharon/sa/child_sa_manager.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup child_sa_manager child_sa_manager
+ * @{ @ingroup sa
+ */
+
+#ifndef CHILD_SA_MANAGER_H_
+#define CHILD_SA_MANAGER_H_
+
+#include <sa/ike_sa.h>
+#include <sa/child_sa.h>
+
+typedef struct child_sa_manager_t child_sa_manager_t;
+
+/**
+ * Handle CHILD_SA to IKE_SA relations
+ */
+struct child_sa_manager_t {
+
+	/**
+	 * Register a CHILD_SA/IKE_SA relation.
+	 *
+	 * @param child_sa		CHILD_SA to register
+	 * @param ike_sa		IKE_SA owning the CHILD_SA
+	 */
+	void (*add)(child_sa_manager_t *this, child_sa_t *child_sa, ike_sa_t *ike_sa);
+
+	/**
+	 * Unregister a CHILD_SA/IKE_SA relation.
+	 *
+	 * @param child_sa		CHILD_SA to unregister
+	 */
+	void (*remove)(child_sa_manager_t *this, child_sa_t *child_sa);
+
+	/**
+	 * Find a CHILD_SA and check out the associated IKE_SA by SPI.
+	 *
+	 * On success, the returned IKE_SA must be checked in after use to
+	 * the IKE_SA manager.
+	 *
+	 * @param protocol		IPsec protocol, AH|ESP
+	 * @param spi			SPI of CHILD_SA to check out
+	 * @param dst			SA destination host related to SPI
+	 * @param child_sa		returns CHILD_SA managed by IKE_SA
+	 * @return				IKE_SA, NULL if not found
+	 */
+	ike_sa_t *(*checkout)(child_sa_manager_t *this,
+						  protocol_id_t protocol, u_int32_t spi, host_t *dst,
+						  child_sa_t **child_sa);
+
+	/**
+	 * Find a CHILD_SA and check out the associated IKE_SA by unique_id.
+	 *
+	 * On success, the returned IKE_SA must be checked in after use to
+	 * the IKE_SA manager.
+	 *
+	 * @param unique_id		unique ID of CHILD_SA to check out
+	 * @param child_sa		returns CHILD_SA managed by IKE_SA
+	 * @return				IKE_SA, NULL if not found
+	 */
+	ike_sa_t *(*checkout_by_id)(child_sa_manager_t *this, u_int32_t unique_id,
+								child_sa_t **child_sa);
+
+	/**
+	 * Destroy a child_sa_manager_t.
+	 */
+	void (*destroy)(child_sa_manager_t *this);
+};
+
+/**
+ * Create a child_sa_manager instance.
+ */
+child_sa_manager_t *child_sa_manager_create();
+
+#endif /** CHILD_SA_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h
index 6242a5a6e..689c0f990 100644
--- a/src/libcharon/sa/eap/eap_method.h
+++ b/src/libcharon/sa/eap/eap_method.h
@@ -137,6 +137,18 @@ struct eap_method_t {
 	void (*set_identifier) (eap_method_t *this, u_int8_t identifier);
 
 	/**
+	 * Get authentication details performed by this EAP method.
+	 *
+	 * After EAP completion, the auth data contains additional information
+	 * of the authentication process, used certificates etc.
+	 * This method is optional to implement, but if it is, it must return
+	 * a valid auth_cfg.
+	 *
+	 * @return				auth method, internal data
+	 */
+	auth_cfg_t* (*get_auth)(eap_method_t *this);
+
+	/**
 	 * Destroys a eap_method_t object.
 	 */
 	void (*destroy) (eap_method_t *this);
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index d92b9df8e..3aafa4c13 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -932,6 +932,7 @@ METHOD(ike_sa_t, update_hosts, void,
 		/* update our address in any case */
 		if (force && !me->equals(me, this->my_host))
 		{
+			charon->bus->ike_update(charon->bus, &this->public, TRUE, me);
 			set_my_host(this, me->clone(me));
 			update = TRUE;
 		}
@@ -945,6 +946,7 @@ METHOD(ike_sa_t, update_hosts, void,
 				(!has_condition(this, COND_NAT_HERE) ||
 				 !has_condition(this, COND_ORIGINAL_INITIATOR)))
 			{
+				charon->bus->ike_update(charon->bus, &this->public, FALSE, other);
 				set_other_host(this, other->clone(other));
 				update = TRUE;
 			}
@@ -964,6 +966,10 @@ METHOD(ike_sa_t, update_hosts, void,
 		enumerator = array_create_enumerator(this->child_sas);
 		while (enumerator->enumerate(enumerator, &child_sa))
 		{
+			charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
+			charon->child_sa_manager->add(charon->child_sa_manager,
+										  child_sa, &this->public);
+
 			if (child_sa->update(child_sa, this->my_host, this->other_host,
 					vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
 			{
@@ -971,6 +977,7 @@ METHOD(ike_sa_t, update_hosts, void,
 						child_sa->get_protocol(child_sa),
 						child_sa->get_spi(child_sa, TRUE));
 			}
+
 		}
 		enumerator->destroy(enumerator);
 
@@ -1444,6 +1451,8 @@ METHOD(ike_sa_t, add_child_sa, void,
 	private_ike_sa_t *this, child_sa_t *child_sa)
 {
 	array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
+	charon->child_sa_manager->add(charon->child_sa_manager,
+								  child_sa, &this->public);
 }
 
 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
@@ -1471,16 +1480,58 @@ METHOD(ike_sa_t, get_child_count, int,
 	return array_count(this->child_sas);
 }
 
+/**
+ * Private data of a create_child_sa_enumerator()
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner array enumerator */
+	enumerator_t *inner;
+	/** current item */
+	child_sa_t *current;
+} child_enumerator_t;
+
+METHOD(enumerator_t, child_enumerate, bool,
+	child_enumerator_t *this, child_sa_t **child_sa)
+{
+	if (this->inner->enumerate(this->inner, &this->current))
+	{
+		*child_sa = this->current;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, child_enumerator_destroy, void,
+	child_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
 	private_ike_sa_t *this)
 {
-	return array_create_enumerator(this->child_sas);
+	child_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_child_enumerate,
+			.destroy = _child_enumerator_destroy,
+		},
+		.inner = array_create_enumerator(this->child_sas),
+	);
+	return &enumerator->public;
 }
 
 METHOD(ike_sa_t, remove_child_sa, void,
 	private_ike_sa_t *this, enumerator_t *enumerator)
 {
-	array_remove_at(this->child_sas, enumerator);
+	child_enumerator_t *ce = (child_enumerator_t*)enumerator;
+
+	charon->child_sa_manager->remove(charon->child_sa_manager, ce->current);
+	array_remove_at(this->child_sas, ce->inner);
 }
 
 METHOD(ike_sa_t, rekey_child_sa, status_t,
@@ -1513,13 +1564,13 @@ METHOD(ike_sa_t, destroy_child_sa, status_t,
 	child_sa_t *child_sa;
 	status_t status = NOT_FOUND;
 
-	enumerator = array_create_enumerator(this->child_sas);
+	enumerator = create_child_sa_enumerator(this);
 	while (enumerator->enumerate(enumerator, (void**)&child_sa))
 	{
 		if (child_sa->get_protocol(child_sa) == protocol &&
 			child_sa->get_spi(child_sa, TRUE) == spi)
 		{
-			array_remove_at(this->child_sas, enumerator);
+			remove_child_sa(this, enumerator);
 			child_sa->destroy(child_sa);
 			status = SUCCESS;
 			break;
@@ -1771,7 +1822,7 @@ METHOD(ike_sa_t, reestablish, status_t,
 #endif /* ME */
 	{
 		/* handle existing CHILD_SAs */
-		enumerator = array_create_enumerator(this->child_sas);
+		enumerator = create_child_sa_enumerator(this);
 		while (enumerator->enumerate(enumerator, (void**)&child_sa))
 		{
 			if (has_condition(this, COND_REAUTHENTICATING))
@@ -1780,7 +1831,7 @@ METHOD(ike_sa_t, reestablish, status_t,
 				{
 					case CHILD_ROUTED:
 					{	/* move routed child directly */
-						array_remove_at(this->child_sas, enumerator);
+						remove_child_sa(this, enumerator);
 						new->add_child_sa(new, child_sa);
 						action = ACTION_NONE;
 						break;
@@ -2209,6 +2260,12 @@ METHOD(ike_sa_t, inherit_post, void,
 		array_insert_create(&this->other_vips, ARRAY_TAIL, vip);
 	}
 
+	/* MOBIKE additional addresses */
+	while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip))
+	{
+		array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip);
+	}
+
 	/* authentication information */
 	enumerator = array_create_enumerator(other->my_auths);
 	while (enumerator->enumerate(enumerator, &cfg))
@@ -2251,7 +2308,8 @@ METHOD(ike_sa_t, inherit_post, void,
 	/* adopt all children */
 	while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa))
 	{
-		array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
+		charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
+		add_child_sa(this, child_sa);
 	}
 
 	/* move pending tasks to the new IKE_SA */
@@ -2296,8 +2354,8 @@ METHOD(ike_sa_t, destroy, void,
 	{
 		if (entry.handler)
 		{
-			hydra->attributes->release(hydra->attributes, entry.handler,
-									   this->other_id, entry.type, entry.data);
+			charon->attributes->release(charon->attributes, entry.handler,
+										&this->public, entry.type, entry.data);
 		}
 		free(entry.data.ptr);
 	}
@@ -2305,6 +2363,7 @@ METHOD(ike_sa_t, destroy, void,
 	 * routes that the CHILD_SA tries to uninstall. */
 	while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa))
 	{
+		charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
 		child_sa->destroy(child_sa);
 	}
 	while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
@@ -2321,12 +2380,11 @@ METHOD(ike_sa_t, destroy, void,
 		if (this->peer_cfg)
 		{
 			linked_list_t *pools;
-			identification_t *id;
 
-			id = get_other_eap_id(this);
 			pools = linked_list_create_from_enumerator(
 						this->peer_cfg->create_pool_enumerator(this->peer_cfg));
-			hydra->attributes->release_address(hydra->attributes, pools, vip, id);
+			charon->attributes->release_address(charon->attributes,
+												pools, vip, &this->public);
 			pools->destroy(pools);
 		}
 		vip->destroy(vip);
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index c72d87367..9dbc805c9 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -131,6 +131,11 @@ enum ike_extension_t {
 	 * peer supports proprietary IKEv1 or standardized IKEv2 fragmentation
 	 */
 	EXT_IKE_FRAGMENTATION = (1<<11),
+
+	/**
+	 * Signature Authentication, RFC 7427
+	 */
+	EXT_SIGNATURE_AUTH = (1<<12),
 };
 
 /**
@@ -936,8 +941,9 @@ struct ike_sa_t {
 	/**
 	 * Reauthenticate the IKE_SA.
 	 *
-	 * Create a completely new IKE_SA with authentication, recreates all children
-	 * within the IKE_SA, closes this IKE_SA.
+	 * Triggers a new IKE_SA that replaces this one. IKEv1 implicitly inherits
+	 * all Quick Modes, while IKEv2 recreates all active and queued CHILD_SAs
+	 * in the new IKE_SA.
 	 *
 	 * @return				DESTROY_ME to destroy the IKE_SA
 	 */
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index bdabc59b5..13fc74ff7 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1184,7 +1184,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 
 	DBG2(DBG_MGR, "checkout IKE_SA by message");
 
-	if (id->get_responder_spi(id) == 0)
+	if (id->get_responder_spi(id) == 0 &&
+		message->get_message_id(message) == 0)
 	{
 		if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
 		{
@@ -1383,54 +1384,35 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 }
 
 METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*,
-	private_ike_sa_manager_t *this, u_int32_t id, bool child)
+	private_ike_sa_manager_t *this, u_int32_t id)
 {
-	enumerator_t *enumerator, *children;
+	enumerator_t *enumerator;
 	entry_t *entry;
 	ike_sa_t *ike_sa = NULL;
-	child_sa_t *child_sa;
 	u_int segment;
 
-	DBG2(DBG_MGR, "checkout IKE_SA by ID");
+	DBG2(DBG_MGR, "checkout IKE_SA by ID %u", id);
 
 	enumerator = create_table_enumerator(this);
 	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
 		if (wait_for_entry(this, entry, segment))
 		{
-			/* look for a child with such a reqid ... */
-			if (child)
-			{
-				children = entry->ike_sa->create_child_sa_enumerator(entry->ike_sa);
-				while (children->enumerate(children, (void**)&child_sa))
-				{
-					if (child_sa->get_reqid(child_sa) == id)
-					{
-						ike_sa = entry->ike_sa;
-						break;
-					}
-				}
-				children->destroy(children);
-			}
-			else /* ... or for a IKE_SA with such a unique id */
-			{
-				if (entry->ike_sa->get_unique_id(entry->ike_sa) == id)
-				{
-					ike_sa = entry->ike_sa;
-				}
-			}
-			/* got one, return */
-			if (ike_sa)
+			if (entry->ike_sa->get_unique_id(entry->ike_sa) == id)
 			{
+				ike_sa = entry->ike_sa;
 				entry->checked_out = TRUE;
-				DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
-						ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
 				break;
 			}
 		}
 	}
 	enumerator->destroy(enumerator);
 
+	if (ike_sa)
+	{
+		DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
+			 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
+	}
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
 }
@@ -1746,29 +1728,45 @@ METHOD(ike_sa_manager_t, create_id_enumerator, enumerator_t*,
 }
 
 /**
- * Move all CHILD_SAs from old to new
+ * Move all CHILD_SAs and virtual IPs from old to new
  */
-static void adopt_children(ike_sa_t *old, ike_sa_t *new)
+static void adopt_children_and_vips(ike_sa_t *old, ike_sa_t *new)
 {
 	enumerator_t *enumerator;
 	child_sa_t *child_sa;
+	host_t *vip;
+	int chcount = 0, vipcount = 0;
+
 
 	enumerator = old->create_child_sa_enumerator(old);
 	while (enumerator->enumerate(enumerator, &child_sa))
 	{
 		old->remove_child_sa(old, enumerator);
 		new->add_child_sa(new, child_sa);
+		chcount++;
 	}
 	enumerator->destroy(enumerator);
-}
 
-/**
- * Check if the replaced IKE_SA might get reauthenticated from host
- */
-static bool is_ikev1_reauth(ike_sa_t *duplicate, host_t *host)
-{
-	return duplicate->get_version(duplicate) == IKEV1 &&
-		   host->equals(host, duplicate->get_other_host(duplicate));
+	enumerator = old->create_virtual_ip_enumerator(old, FALSE);
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		new->add_virtual_ip(new, FALSE, vip);
+		vipcount++;
+	}
+	enumerator->destroy(enumerator);
+	/* this does not release the addresses, which is good, but it does trigger
+	 * an assign_vips(FALSE) event... */
+	old->clear_virtual_ips(old, FALSE);
+	/* ...trigger the analogous event on the new SA */
+	charon->bus->set_sa(charon->bus, new);
+	charon->bus->assign_vips(charon->bus, new, TRUE);
+	charon->bus->set_sa(charon->bus, old);
+
+	if (chcount || vipcount)
+	{
+		DBG1(DBG_IKE, "detected reauth of existing IKE_SA, adopting %d "
+			 "children and %d virtual IPs", chcount, vipcount);
+	}
 }
 
 /**
@@ -1780,13 +1778,20 @@ static status_t enforce_replace(private_ike_sa_manager_t *this,
 {
 	charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE);
 
-	if (is_ikev1_reauth(duplicate, host))
+	if (host->equals(host, duplicate->get_other_host(duplicate)))
 	{
 		/* looks like a reauthentication attempt */
-		adopt_children(duplicate, new);
+		if (!new->has_condition(new, COND_INIT_CONTACT_SEEN) &&
+			new->get_version(new) == IKEV1)
+		{
+			/* IKEv1 implicitly takes over children, IKEv2 recreates them
+			 * explicitly. */
+			adopt_children_and_vips(duplicate, new);
+		}
 		/* For IKEv1 we have to delay the delete for the old IKE_SA. Some
 		 * peers need to complete the new SA first, otherwise the quick modes
-		 * might get lost. */
+		 * might get lost. For IKEv2 we do the same, as we want overlapping
+		 * CHILD_SAs to keep connectivity up. */
 		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
 			delete_ike_sa_job_create(duplicate->get_id(duplicate), TRUE), 10);
 		return SUCCESS;
@@ -1851,7 +1856,9 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
 													 other, other_host);
 							break;
 						case UNIQUE_KEEP:
-							if (!is_ikev1_reauth(duplicate, other_host))
+							/* potential reauthentication? */
+							if (!other_host->equals(other_host,
+										duplicate->get_other_host(duplicate)))
 							{
 								cancel = TRUE;
 								/* we keep the first IKE_SA and delete all
diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
index a68ae7763..f259d8e56 100644
--- a/src/libcharon/sa/ike_sa_manager.h
+++ b/src/libcharon/sa/ike_sa_manager.h
@@ -129,19 +129,15 @@ struct ike_sa_manager_t {
 	/**
 	 * Check out an IKE_SA a unique ID.
 	 *
-	 * Every IKE_SA and every CHILD_SA is uniquely identified by an ID.
-	 * These checkout function uses, depending
-	 * on the child parameter, the unique ID of the IKE_SA or the reqid
-	 * of one of a IKE_SAs CHILD_SA.
+	 * Every IKE_SA is uniquely identified by a numerical ID. This checkout
+	 * function uses the unique ID of the IKE_SA to check it out.
 	 *
 	 * @param id				unique ID of the object
-	 * @param child				TRUE to use CHILD, FALSE to use IKE_SA
 	 * @return
 	 * 							- checked out IKE_SA, if found
 	 * 							- NULL, if not found
 	 */
-	ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, u_int32_t id,
-								 bool child);
+	ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, u_int32_t id);
 
 	/**
 	 * Check out an IKE_SA by the policy/connection name.
diff --git a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
index aa966cd5f..bb187f07c 100644
--- a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
@@ -74,7 +74,10 @@ METHOD(authenticator_t, build, status_t,
 	keymat_v1_t *keymat;
 	chunk_t hash, dh;
 
-	this->dh->get_my_public_value(this->dh, &dh);
+	if (!this->dh->get_my_public_value(this->dh, &dh))
+	{
+		return FAILED;
+	}
 	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (!keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
 					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
@@ -108,7 +111,10 @@ METHOD(authenticator_t, process, status_t,
 		return FAILED;
 	}
 
-	this->dh->get_my_public_value(this->dh, &dh);
+	if (!this->dh->get_my_public_value(this->dh, &dh))
+	{
+		return FAILED;
+	}
 	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (!keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
 					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
index bfe5ff449..52228ef2e 100644
--- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
@@ -94,7 +94,11 @@ METHOD(authenticator_t, build, status_t,
 		return NOT_FOUND;
 	}
 
-	this->dh->get_my_public_value(this->dh, &dh);
+	if (!this->dh->get_my_public_value(this->dh, &dh))
+	{
+		private->destroy(private);
+		return FAILED;
+	}
 	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (!keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
 					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
@@ -152,7 +156,10 @@ METHOD(authenticator_t, process, status_t,
 	}
 
 	id = this->ike_sa->get_other_id(this->ike_sa);
-	this->dh->get_my_public_value(this->dh, &dh);
+	if (!this->dh->get_my_public_value(this->dh, &dh))
+	{
+		return FAILED;
+	}
 	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (!keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
 					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index 619d197bd..f5a91dbeb 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -425,7 +425,7 @@ METHOD(keymat_v1_t, derive_ike_keys, bool,
 		return FALSE;
 	}
 
-	if (dh->get_shared_secret(dh, &g_xy) != SUCCESS)
+	if (!dh->get_shared_secret(dh, &g_xy))
 	{
 		return FALSE;
 	}
@@ -560,7 +560,10 @@ METHOD(keymat_v1_t, derive_ike_keys, bool,
 		return FALSE;
 	}
 
-	dh->get_my_public_value(dh, &dh_me);
+	if (!dh->get_my_public_value(dh, &dh_me))
+	{
+		return FALSE;
+	}
 	g_xi = this->initiator ? dh_me : dh_other;
 	g_xr = this->initiator ? dh_other : dh_me;
 
@@ -661,7 +664,7 @@ METHOD(keymat_v1_t, derive_child_keys, bool,
 	protocol = proposal->get_protocol(proposal);
 	if (dh)
 	{
-		if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+		if (!dh->get_shared_secret(dh, &secret))
 		{
 			return FALSE;
 		}
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index d01a831f8..c968b2a9c 100644
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -694,7 +694,13 @@ METHOD(phase1_t, add_nonce_ke, bool,
 	nonce_gen_t *nonceg;
 	chunk_t nonce;
 
-	ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE, this->dh);
+	ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE,
+													   this->dh);
+	if (!ke_payload)
+	{
+		DBG1(DBG_IKE, "creating KE payload failed");
+		return FALSE;
+	}
 	message->add_payload(message, &ke_payload->payload_interface);
 
 	nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
@@ -739,7 +745,11 @@ METHOD(phase1_t, get_nonce_ke, bool,
 		return FALSE;
 	}
 	this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload));
-	this->dh->set_other_public_value(this->dh, this->dh_value);
+	if (!this->dh->set_other_public_value(this->dh, this->dh_value))
+	{
+		DBG1(DBG_IKE, "unable to apply received KE value");
+		return FALSE;
+	}
 
 	nonce_payload = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE);
 	if (!nonce_payload)
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 0f8e8bc6d..cb22bf606 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -1596,7 +1596,8 @@ static bool is_redundant(private_task_manager_t *this, child_sa_t *child_sa)
 				child_sa->get_lifetime(child_sa, FALSE))
 		{
 			DBG1(DBG_IKE, "deleting redundant CHILD_SA %s{%d}",
-				 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa));
+				 child_sa->get_name(child_sa),
+				 child_sa->get_unique_id(child_sa));
 			redundant = TRUE;
 			break;
 		}
@@ -1647,6 +1648,8 @@ METHOD(task_manager_t, queue_child_rekey, void,
 			task = quick_mode_create(this->ike_sa, cfg->get_ref(cfg),
 				get_first_ts(child_sa, TRUE), get_first_ts(child_sa, FALSE));
 			task->use_reqid(task, child_sa->get_reqid(child_sa));
+			task->use_marks(task, child_sa->get_mark(child_sa, TRUE).value,
+							child_sa->get_mark(child_sa, FALSE).value);
 			task->rekey(task, child_sa->get_spi(child_sa, TRUE));
 
 			queue_task(this, &task->task);
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
index bea0428c4..a56805afb 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2011 Martin Willi
  * Copyright (C) 2011 revosec AG
  *
@@ -74,6 +77,42 @@ METHOD(task_t, process_i, status_t,
 METHOD(task_t, process_r, status_t,
 	private_isakmp_delete_t *this, message_t *message)
 {
+	enumerator_t *payloads;
+	payload_t *payload;
+	delete_payload_t *delete_payload;
+	ike_sa_id_t *id;
+	u_int64_t spi_i, spi_r;
+	bool found = FALSE;
+
+	/* some peers send DELETE payloads for other IKE_SAs, e.g. those for expired
+	 * ones after a rekeyeing, make sure the SPIs match */
+	id = this->ike_sa->get_id(this->ike_sa);
+	payloads = message->create_payload_enumerator(message);
+	while (payloads->enumerate(payloads, &payload))
+	{
+		if (payload->get_type(payload) == PLV1_DELETE)
+		{
+			delete_payload = (delete_payload_t*)payload;
+			if (!delete_payload->get_ike_spi(delete_payload, &spi_i, &spi_r))
+			{
+				continue;
+			}
+			if (id->get_initiator_spi(id) == spi_i &&
+				id->get_responder_spi(id) == spi_r)
+			{
+				found = TRUE;
+				break;
+			}
+		}
+	}
+	payloads->destroy(payloads);
+
+	if (!found)
+	{
+		DBG1(DBG_IKE, "received DELETE for different IKE_SA, ignored");
+		return SUCCESS;
+	}
+
 	DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
 		 this->ike_sa->get_name(this->ike_sa),
 		 this->ike_sa->get_unique_id(this->ike_sa));
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 2fb4c6935..3ea4a2a85 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -205,6 +205,43 @@ static status_t send_delete(private_main_mode_t *this)
 	return ALREADY_DONE;
 }
 
+/**
+ * Add an INITIAL_CONTACT notify if first contact with peer
+ */
+static void add_initial_contact(private_main_mode_t *this, message_t *message,
+								identification_t *idi)
+{
+	identification_t *idr;
+	host_t *host;
+	notify_payload_t *notify;
+	ike_sa_id_t *ike_sa_id;
+	u_int64_t spi_i, spi_r;
+	chunk_t spi;
+
+	idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
+	if (idr && !idr->contains_wildcards(idr))
+	{
+		if (this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
+			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
+		{
+			host = this->ike_sa->get_other_host(this->ike_sa);
+			if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
+										idi, idr, host->get_family(host)))
+			{
+				notify = notify_payload_create_from_protocol_and_type(
+								PLV1_NOTIFY, PROTO_IKE, INITIAL_CONTACT_IKEV1);
+				ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+				spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
+				spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
+				spi = chunk_cata("cc", chunk_from_thing(spi_i),
+								 chunk_from_thing(spi_r));
+				notify->set_spi_data(notify, spi);
+				message->add_payload(message, (payload_t*)notify);
+			}
+		}
+	}
+}
+
 METHOD(task_t, build_i, status_t,
 	private_main_mode_t *this, message_t *message)
 {
@@ -311,6 +348,8 @@ METHOD(task_t, build_i, status_t,
 				return send_notify(this, AUTHENTICATION_FAILED);
 			}
 
+			add_initial_contact(this, message, id);
+
 			this->state = MM_AUTH;
 			return NEED_MORE;
 		}
diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c
index 94026b9af..d0994a961 100644
--- a/src/libcharon/sa/ikev1/tasks/mode_config.c
+++ b/src/libcharon/sa/ikev1/tasks/mode_config.c
@@ -16,7 +16,6 @@
 #include "mode_config.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <encoding/payloads/cp_payload.h>
 
 typedef struct private_mode_config_t private_mode_config_t;
@@ -136,9 +135,8 @@ static void handle_attribute(private_mode_config_t *this,
 	enumerator->destroy(enumerator);
 
 	/* and pass it to the handle function */
-	handler = hydra->attributes->handle(hydra->attributes,
-							this->ike_sa->get_other_id(this->ike_sa), handler,
-							ca->get_type(ca), ca->get_chunk(ca));
+	handler = charon->attributes->handle(charon->attributes,
+					this->ike_sa, handler, ca->get_type(ca), ca->get_chunk(ca));
 	this->ike_sa->add_configuration_attribute(this->ike_sa,
 							handler, ca->get_type(ca), ca->get_chunk(ca));
 }
@@ -326,9 +324,8 @@ static status_t build_request(private_mode_config_t *this, message_t *message)
 		enumerator->destroy(enumerator);
 	}
 
-	enumerator = hydra->attributes->create_initiator_enumerator(
-								hydra->attributes,
-								this->ike_sa->get_other_id(this->ike_sa), vips);
+	enumerator = charon->attributes->create_initiator_enumerator(
+										charon->attributes, this->ike_sa, vips);
 	while (enumerator->enumerate(enumerator, &handler, &type, &data))
 	{
 		add_attribute(this, cp, type, data, handler);
@@ -353,7 +350,7 @@ static status_t build_set(private_mode_config_t *this, message_t *message)
 	cp_payload_t *cp;
 	peer_cfg_t *config;
 	identification_t *id;
-	linked_list_t *pools;
+	linked_list_t *pools, *migrated, *vips;
 	host_t *any4, *any6, *found;
 	char *name;
 
@@ -361,45 +358,62 @@ static status_t build_set(private_mode_config_t *this, message_t *message)
 
 	id = this->ike_sa->get_other_eap_id(this->ike_sa);
 	config = this->ike_sa->get_peer_cfg(this->ike_sa);
-	any4 = host_create_any(AF_INET);
-	any6 = host_create_any(AF_INET6);
 
+	/* if we migrated virtual IPs during reauthentication, reassign them */
+	migrated = linked_list_create_from_enumerator(
+						this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
+																   FALSE));
+	vips = migrated->clone_offset(migrated, offsetof(host_t, clone));
+	migrated->destroy(migrated);
 	this->ike_sa->clear_virtual_ips(this->ike_sa, FALSE);
 
 	/* in push mode, we ask each configured pool for an address */
-	enumerator = config->create_pool_enumerator(config);
-	while (enumerator->enumerate(enumerator, &name))
+	if (!vips->get_count(vips))
 	{
-		pools = linked_list_create_with_items(name, NULL);
-		/* try IPv4, then IPv6 */
-		found = hydra->attributes->acquire_address(hydra->attributes,
-												   pools, id, any4);
-		if (!found)
-		{
-			found = hydra->attributes->acquire_address(hydra->attributes,
-													   pools, id, any6);
-		}
-		pools->destroy(pools);
-		if (found)
+		any4 = host_create_any(AF_INET);
+		any6 = host_create_any(AF_INET6);
+		enumerator = config->create_pool_enumerator(config);
+		while (enumerator->enumerate(enumerator, &name))
 		{
-			DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
-			this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found);
-			cp->add_attribute(cp, build_vip(found));
-			this->vips->insert_last(this->vips, found);
+			pools = linked_list_create_with_items(name, NULL);
+			/* try IPv4, then IPv6 */
+			found = charon->attributes->acquire_address(charon->attributes,
+													pools, this->ike_sa, any4);
+			if (!found)
+			{
+				found = charon->attributes->acquire_address(charon->attributes,
+													pools, this->ike_sa, any6);
+			}
+			pools->destroy(pools);
+			if (found)
+			{
+				vips->insert_last(vips, found);
+			}
 		}
+		enumerator->destroy(enumerator);
+		any4->destroy(any4);
+		any6->destroy(any6);
 	}
-	enumerator->destroy(enumerator);
 
-	any4->destroy(any4);
-	any6->destroy(any6);
+	enumerator = vips->create_enumerator(vips);
+	while (enumerator->enumerate(enumerator, &found))
+	{
+		DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
+		this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found);
+		cp->add_attribute(cp, build_vip(found));
+		this->vips->insert_last(this->vips, found);
+		vips->remove_at(vips, enumerator);
+	}
+	enumerator->destroy(enumerator);
+	vips->destroy(vips);
 
 	charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE);
 
 	/* query registered providers for additional attributes to include */
 	pools = linked_list_create_from_enumerator(
 									config->create_pool_enumerator(config));
-	enumerator = hydra->attributes->create_responder_enumerator(
-									hydra->attributes, pools, id, this->vips);
+	enumerator = charon->attributes->create_responder_enumerator(
+						charon->attributes, pools, this->ike_sa, this->vips);
 	while (enumerator->enumerate(enumerator, &type, &value))
 	{
 		add_attribute(this, cp, type, value, NULL);
@@ -458,6 +472,28 @@ METHOD(task_t, process_r, status_t,
 }
 
 /**
+ * Assign a migrated virtual IP
+ */
+static host_t *assign_migrated_vip(linked_list_t *migrated, host_t *requested)
+{
+	enumerator_t *enumerator;
+	host_t *found = NULL, *vip;
+
+	enumerator = migrated->create_enumerator(migrated);
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		if (vip->ip_equals(vip, requested))
+		{
+			migrated->remove_at(migrated, enumerator);
+			found = vip;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
  * Build CFG_REPLY message after receiving CFG_REQUEST
  */
 static status_t build_reply(private_mode_config_t *this, message_t *message)
@@ -468,29 +504,35 @@ static status_t build_reply(private_mode_config_t *this, message_t *message)
 	cp_payload_t *cp;
 	peer_cfg_t *config;
 	identification_t *id;
-	linked_list_t *vips, *pools;
-	host_t *requested;
+	linked_list_t *vips, *pools, *migrated;
+	host_t *requested, *found;
 
 	cp = cp_payload_create_type(PLV1_CONFIGURATION, CFG_REPLY);
 
 	id = this->ike_sa->get_other_eap_id(this->ike_sa);
 	config = this->ike_sa->get_peer_cfg(this->ike_sa);
-	vips = linked_list_create();
 	pools = linked_list_create_from_enumerator(
 									config->create_pool_enumerator(config));
-
+	/* if we migrated virtual IPs during reauthentication, reassign them */
+	vips = linked_list_create_from_enumerator(
+						this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
+																   FALSE));
+	migrated = vips->clone_offset(vips, offsetof(host_t, clone));
+	vips->destroy(vips);
 	this->ike_sa->clear_virtual_ips(this->ike_sa, FALSE);
 
+	vips = linked_list_create();
 	enumerator = this->vips->create_enumerator(this->vips);
 	while (enumerator->enumerate(enumerator, &requested))
 	{
-		host_t *found = NULL;
-
-		/* query all pools until we get an address */
 		DBG1(DBG_IKE, "peer requested virtual IP %H", requested);
 
-		found = hydra->attributes->acquire_address(hydra->attributes,
-												   pools, id, requested);
+		found = assign_migrated_vip(migrated, requested);
+		if (!found)
+		{
+			found = charon->attributes->acquire_address(charon->attributes,
+											pools, this->ike_sa, requested);
+		}
 		if (found)
 		{
 			DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
@@ -509,8 +551,8 @@ static status_t build_reply(private_mode_config_t *this, message_t *message)
 	charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE);
 
 	/* query registered providers for additional attributes to include */
-	enumerator = hydra->attributes->create_responder_enumerator(
-											hydra->attributes, pools, id, vips);
+	enumerator = charon->attributes->create_responder_enumerator(
+								charon->attributes, pools, this->ike_sa, vips);
 	while (enumerator->enumerate(enumerator, &type, &value))
 	{
 		cp->add_attribute(cp,
@@ -518,6 +560,15 @@ static status_t build_reply(private_mode_config_t *this, message_t *message)
 												 type, value));
 	}
 	enumerator->destroy(enumerator);
+	/* if a client did not re-request all adresses, release them */
+	enumerator = migrated->create_enumerator(migrated);
+	while (enumerator->enumerate(enumerator, &found))
+	{
+		charon->attributes->release_address(charon->attributes,
+											pools, found, this->ike_sa);
+	}
+	enumerator->destroy(enumerator);
+	migrated->destroy_offset(migrated, offsetof(host_t, destroy));
 	vips->destroy_offset(vips, offsetof(host_t, destroy));
 	pools->destroy(pools);
 
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c
index 499081caa..1b95a8b11 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c
@@ -105,7 +105,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
 		this->spi = spi = child_sa->get_spi(child_sa, TRUE);
 	}
 
-	rekeyed = child_sa->get_state(child_sa) == CHILD_REKEYING;
+	rekeyed = child_sa->get_state(child_sa) == CHILD_REKEYED;
 	child_sa->set_state(child_sa, CHILD_DELETING);
 
 	my_ts = linked_list_create_from_enumerator(
@@ -116,7 +116,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
 	{
 		DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} "
 			 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
-			 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+			 child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
 			 ntohl(child_sa->get_spi(child_sa, TRUE)),
 			 ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts);
 	}
@@ -127,7 +127,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
 
 		DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs "
 			 "%.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
-			 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+			 child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
 			 ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
 			 ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
 			 my_ts, other_ts);
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 1133aab65..96edfd8d8 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -156,6 +156,16 @@ struct private_quick_mode_t {
 	u_int32_t reqid;
 
 	/**
+	 * Explicit inbound mark value to use, if any
+	 */
+	u_int mark_in;
+
+	/**
+	 * Explicit inbound mark value to use, if any
+	 */
+	u_int mark_out;
+
+	/**
 	 * SPI of SA we rekey
 	 */
 	u_int32_t rekey;
@@ -196,8 +206,8 @@ static void schedule_inactivity_timeout(private_quick_mode_t *this)
 		close_ike = lib->settings->get_bool(lib->settings,
 									"%s.inactivity_close_ike", FALSE, lib->ns);
 		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
-				inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
-									  timeout, close_ike), timeout);
+			inactivity_job_create(this->child_sa->get_unique_id(this->child_sa),
+								  timeout, close_ike), timeout);
 	}
 }
 
@@ -375,7 +385,7 @@ static bool install(private_quick_mode_t *this)
 	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
 		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
 		 this->child_sa->get_name(this->child_sa),
-		 this->child_sa->get_reqid(this->child_sa),
+		 this->child_sa->get_unique_id(this->child_sa),
 		 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
 		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), my_ts, other_ts);
 
@@ -391,15 +401,14 @@ static bool install(private_quick_mode_t *this)
 	if (old)
 	{
 		charon->bus->child_rekey(charon->bus, old, this->child_sa);
+		/* rekeyed CHILD_SAs stay installed until they expire */
+		old->set_state(old, CHILD_REKEYED);
 	}
 	else
 	{
 		charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
 	}
-	if (!this->rekey)
-	{
-		schedule_inactivity_timeout(this);
-	}
+	schedule_inactivity_timeout(this);
 	this->child_sa = NULL;
 	return TRUE;
 }
@@ -456,12 +465,19 @@ static bool get_nonce(private_quick_mode_t *this, chunk_t *nonce,
 /**
  * Add KE payload to message
  */
-static void add_ke(private_quick_mode_t *this, message_t *message)
+static bool add_ke(private_quick_mode_t *this, message_t *message)
 {
 	ke_payload_t *ke_payload;
 
-	ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE, this->dh);
+	ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE,
+													   this->dh);
+	if (!ke_payload)
+	{
+		DBG1(DBG_IKE, "creating KE payload failed");
+		return FALSE;
+	}
 	message->add_payload(message, &ke_payload->payload_interface);
+	return TRUE;
 }
 
 /**
@@ -477,8 +493,12 @@ static bool get_ke(private_quick_mode_t *this, message_t *message)
 		DBG1(DBG_IKE, "KE payload missing");
 		return FALSE;
 	}
-	this->dh->set_other_public_value(this->dh,
-								ke_payload->get_key_exchange_data(ke_payload));
+	if (!this->dh->set_other_public_value(this->dh,
+								ke_payload->get_key_exchange_data(ke_payload)))
+	{
+		DBG1(DBG_IKE, "unable to apply received KE value");
+		return FALSE;
+	}
 	return TRUE;
 }
 
@@ -788,7 +808,8 @@ METHOD(task_t, build_i, status_t,
 			this->child_sa = child_sa_create(
 									this->ike_sa->get_my_host(this->ike_sa),
 									this->ike_sa->get_other_host(this->ike_sa),
-									this->config, this->reqid, this->udp);
+									this->config, this->reqid, this->udp,
+									this->mark_in, this->mark_out);
 
 			if (this->udp && this->mode == MODE_TRANSPORT)
 			{
@@ -870,7 +891,10 @@ METHOD(task_t, build_i, status_t,
 			}
 			if (group != MODP_NONE)
 			{
-				add_ke(this, message);
+				if (!add_ke(this, message))
+				{
+					return FAILED;
+				}
 			}
 			if (!this->tsi)
 			{
@@ -964,6 +988,7 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
 			{
 				case CHILD_INSTALLED:
 				case CHILD_REKEYING:
+				case CHILD_REKEYED:
 					policies = child_sa->create_policy_enumerator(child_sa);
 					if (policies->enumerate(policies, &local, &remote) &&
 						local->equals(local, this->tsr) &&
@@ -972,9 +997,14 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
 					{
 						this->reqid = child_sa->get_reqid(child_sa);
 						this->rekey = child_sa->get_spi(child_sa, TRUE);
+						this->mark_in = child_sa->get_mark(child_sa,
+															TRUE).value;
+						this->mark_out = child_sa->get_mark(child_sa,
+															FALSE).value;
 						child_sa->set_state(child_sa, CHILD_REKEYING);
 						DBG1(DBG_IKE, "detected rekeying of CHILD_SA %s{%u}",
-							 child_sa->get_name(child_sa), this->reqid);
+							 child_sa->get_name(child_sa),
+							 child_sa->get_unique_id(child_sa));
 					}
 					policies->destroy(policies);
 				break;
@@ -1097,7 +1127,8 @@ METHOD(task_t, process_r, status_t,
 			this->child_sa = child_sa_create(
 									this->ike_sa->get_my_host(this->ike_sa),
 									this->ike_sa->get_other_host(this->ike_sa),
-									this->config, this->reqid, this->udp);
+									this->config, this->reqid, this->udp,
+									this->mark_in, this->mark_out);
 
 			tsi = linked_list_create_with_items(this->tsi, NULL);
 			tsr = linked_list_create_with_items(this->tsr, NULL);
@@ -1202,7 +1233,10 @@ METHOD(task_t, build_r, status_t,
 			}
 			if (this->dh)
 			{
-				add_ke(this, message);
+				if (!add_ke(this, message))
+				{
+					return FAILED;
+				}
 			}
 
 			add_ts(this, message);
@@ -1307,6 +1341,13 @@ METHOD(quick_mode_t, use_reqid, void,
 	this->reqid = reqid;
 }
 
+METHOD(quick_mode_t, use_marks, void,
+	private_quick_mode_t *this, u_int in, u_int out)
+{
+	this->mark_in = in;
+	this->mark_out = out;
+}
+
 METHOD(quick_mode_t, rekey, void,
 	private_quick_mode_t *this, u_int32_t spi)
 {
@@ -1334,6 +1375,8 @@ METHOD(task_t, migrate, void,
 	this->dh = NULL;
 	this->spi_i = 0;
 	this->spi_r = 0;
+	this->mark_in = 0;
+	this->mark_out = 0;
 
 	if (!this->initiator)
 	{
@@ -1372,6 +1415,7 @@ quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config,
 				.destroy = _destroy,
 			},
 			.use_reqid = _use_reqid,
+			.use_marks = _use_marks,
 			.rekey = _rekey,
 		},
 		.ike_sa = ike_sa,
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.h b/src/libcharon/sa/ikev1/tasks/quick_mode.h
index 0b80cb836..ee9b64d13 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.h
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.h
@@ -45,6 +45,14 @@ struct quick_mode_t {
 	void (*use_reqid)(quick_mode_t *this, u_int32_t reqid);
 
 	/**
+	 * Use specific mark values, overriding configuration.
+	 *
+	 * @param in			inbound mark value
+	 * @param out			outbound mark value
+	 */
+	void (*use_marks)(quick_mode_t *this, u_int in, u_int out);
+
+	/**
 	 * Set the SPI of the old SA, if rekeying.
 	 *
 	 * @param spi			spi of SA to rekey
diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
index eed6d1996..ebef31930 100644
--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
@@ -522,6 +522,13 @@ METHOD(authenticator_t, process_server, status_t,
 		{
 			return FAILED;
 		}
+		if (this->method->get_auth)
+		{
+			auth_cfg_t *auth;
+
+			auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+			auth->merge(auth, this->method->get_auth(this->method), FALSE);
+		}
 		return NEED_MORE;
 	}
 
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 6fb14bc06..151b49718 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -20,6 +20,9 @@
 #include <daemon.h>
 #include <encoding/payloads/auth_payload.h>
 #include <sa/ikev2/keymat_v2.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+#include <collections/array.h>
 
 typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
 
@@ -52,83 +55,303 @@ struct private_pubkey_authenticator_t {
 	 * Reserved bytes of ID payload
 	 */
 	char reserved[3];
+
+	/**
+	 * Whether to store signature schemes on remote auth configs.
+	 */
+	bool store_signature_scheme;
 };
 
-METHOD(authenticator_t, build, status_t,
-	private_pubkey_authenticator_t *this, message_t *message)
+/**
+ * Parse authentication data used for Signature Authentication as per RFC 7427
+ */
+static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type,
+									  signature_scheme_t *scheme)
 {
-	chunk_t octets = chunk_empty, auth_data;
-	status_t status = FAILED;
-	private_key_t *private;
-	identification_t *id;
-	auth_cfg_t *auth;
-	auth_payload_t *auth_payload;
-	auth_method_t auth_method;
+	u_int8_t len;
+	int oid;
+
+	if (!auth_data->len)
+	{
+		return FALSE;
+	}
+	len = auth_data->ptr[0];
+	*auth_data = chunk_skip(*auth_data, 1);
+	/* we currently don't support schemes that require parameters */
+	oid = asn1_parse_algorithmIdentifier(*auth_data, 1, NULL);
+	*scheme = signature_scheme_from_oid(oid);
+	if (*scheme == SIGN_UNKNOWN)
+	{
+		return FALSE;
+	}
+	*key_type = key_type_from_signature_scheme(*scheme);
+	*auth_data = chunk_skip(*auth_data, len);
+	return TRUE;
+}
+
+/**
+ * Build authentication data used for Signature Authentication as per RFC 7427
+ */
+static bool build_signature_auth_data(chunk_t *auth_data,
+									  signature_scheme_t scheme)
+{
+	chunk_t data;
+	u_int8_t len;
+	int oid;
+
+	oid = signature_scheme_to_oid(scheme);
+	if (oid == OID_UNKNOWN)
+	{
+		return FALSE;
+	}
+	data = asn1_algorithmIdentifier(oid);
+	len = data.len;
+	*auth_data = chunk_cat("cmm", chunk_from_thing(len), data, *auth_data);
+	return TRUE;
+}
+
+/**
+ * Selects possible signature schemes based on our configuration, the other
+ * peer's capabilities and the private key
+ */
+static array_t *select_signature_schemes(keymat_v2_t *keymat,
+									auth_cfg_t *auth, private_key_t *private)
+{
+	enumerator_t *enumerator;
 	signature_scheme_t scheme;
+	uintptr_t config;
+	auth_rule_t rule;
+	key_type_t key_type;
+	bool have_config = FALSE;
+	array_t *selected;
+
+	selected = array_create(sizeof(signature_scheme_t), 0);
+	key_type = private->get_type(private);
+	enumerator = auth->create_enumerator(auth);
+	while (enumerator->enumerate(enumerator, &rule, &config))
+	{
+		if (rule != AUTH_RULE_SIGNATURE_SCHEME)
+		{
+			continue;
+		}
+		have_config = TRUE;
+		if (key_type == key_type_from_signature_scheme(config) &&
+			keymat->hash_algorithm_supported(keymat,
+										hasher_from_signature_scheme(config)))
+		{
+			scheme = config;
+			array_insert(selected, ARRAY_TAIL, &scheme);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!have_config)
+	{
+		/* if no specific configuration, find schemes appropriate for the key
+		 * and supported by the other peer */
+		enumerator = signature_schemes_for_key(key_type,
+											   private->get_keysize(private));
+		while (enumerator->enumerate(enumerator, &scheme))
+		{
+			if (keymat->hash_algorithm_supported(keymat,
+										hasher_from_signature_scheme(scheme)))
+			{
+				array_insert(selected, ARRAY_TAIL, &scheme);
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		/* for RSA we tried at least SHA-512, also try other schemes down to
+		 * what we'd use with classic authentication */
+		if (key_type == KEY_RSA)
+		{
+			signature_scheme_t schemes[] = {
+				SIGN_RSA_EMSA_PKCS1_SHA384,
+				SIGN_RSA_EMSA_PKCS1_SHA256,
+				SIGN_RSA_EMSA_PKCS1_SHA1,
+			}, contained;
+			bool found;
+			int i, j;
+
+			for (i = 0; i < countof(schemes); i++)
+			{
+				scheme = schemes[i];
+				found = FALSE;
+				for (j = 0; j < array_count(selected); j++)
+				{
+					array_get(selected, j, &contained);
+					if (scheme == contained)
+					{
+						found = TRUE;
+						break;
+					}
+				}
+				if (!found && keymat->hash_algorithm_supported(keymat,
+										hasher_from_signature_scheme(scheme)))
+				{
+					array_insert(selected, ARRAY_TAIL, &scheme);
+				}
+			}
+		}
+	}
+	return selected;
+}
+
+/**
+ * Create a signature using RFC 7427 signature authentication
+ */
+static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
+							auth_cfg_t *auth, private_key_t *private,
+							identification_t *id, chunk_t *auth_data)
+{
+	enumerator_t *enumerator;
 	keymat_v2_t *keymat;
+	signature_scheme_t scheme = SIGN_UNKNOWN, *schemep;
+	array_t *schemes;
+	chunk_t octets = chunk_empty;
+	status_t status = FAILED;
 
-	id = this->ike_sa->get_my_id(this->ike_sa);
-	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-	private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
-	if (private == NULL)
+	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
+	schemes = select_signature_schemes(keymat, auth, private);
+	if (!array_count(schemes))
 	{
-		DBG1(DBG_IKE, "no private key found for '%Y'", id);
-		return NOT_FOUND;
+		DBG1(DBG_IKE, "no common hash algorithm found to create signature "
+			 "with %N key", key_type_names, private->get_type(private));
+		array_destroy(schemes);
+		return FAILED;
 	}
 
+	if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+								this->nonce, id, this->reserved, &octets))
+	{
+		enumerator = array_create_enumerator(schemes);
+		while (enumerator->enumerate(enumerator, &schemep))
+		{
+			scheme = *schemep;
+			if (private->sign(private, scheme, octets, auth_data) &&
+				build_signature_auth_data(auth_data, scheme))
+			{
+				status = SUCCESS;
+				break;
+			}
+			else
+			{
+				DBG2(DBG_IKE, "unable to create %N signature for %N key",
+					 signature_scheme_names, scheme, key_type_names,
+					 private->get_type(private));
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
+		 signature_scheme_names, scheme,
+		 status == SUCCESS ? "successful" : "failed");
+	array_destroy(schemes);
+	chunk_free(&octets);
+	return status;
+}
+
+/**
+ * Create a classic IKEv2 signature
+ */
+static status_t sign_classic(private_pubkey_authenticator_t *this,
+							 auth_cfg_t *auth, private_key_t *private,
+							 identification_t *id, auth_method_t *auth_method,
+							 chunk_t *auth_data)
+{
+	signature_scheme_t scheme;
+	keymat_v2_t *keymat;
+	chunk_t octets = chunk_empty;
+	status_t status = FAILED;
+
 	switch (private->get_type(private))
 	{
 		case KEY_RSA:
-			/* we currently use always SHA1 for signatures,
-			 * TODO: support other hashes depending on configuration/auth */
 			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-			auth_method = AUTH_RSA;
+			*auth_method = AUTH_RSA;
 			break;
 		case KEY_ECDSA:
-			/* we try to deduct the signature scheme from the keysize */
+			/* deduct the signature scheme from the keysize */
 			switch (private->get_keysize(private))
 			{
 				case 256:
 					scheme = SIGN_ECDSA_256;
-					auth_method = AUTH_ECDSA_256;
+					*auth_method = AUTH_ECDSA_256;
 					break;
 				case 384:
 					scheme = SIGN_ECDSA_384;
-					auth_method = AUTH_ECDSA_384;
+					*auth_method = AUTH_ECDSA_384;
 					break;
 				case 521:
 					scheme = SIGN_ECDSA_521;
-					auth_method = AUTH_ECDSA_521;
+					*auth_method = AUTH_ECDSA_521;
 					break;
 				default:
 					DBG1(DBG_IKE, "%d bit ECDSA private key size not supported",
-							private->get_keysize(private));
-					return status;
+						 private->get_keysize(private));
+					return FAILED;
 			}
 			break;
 		default:
 			DBG1(DBG_IKE, "private key of type %N not supported",
-					key_type_names, private->get_type(private));
-			return status;
+				 key_type_names, private->get_type(private));
+			return FAILED;
 	}
+
 	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
 								this->nonce, id, this->reserved, &octets) &&
-		private->sign(private, scheme, octets, &auth_data))
+		private->sign(private, scheme, octets, auth_data))
 	{
-		auth_payload = auth_payload_create();
-		auth_payload->set_auth_method(auth_payload, auth_method);
-		auth_payload->set_data(auth_payload, auth_data);
-		chunk_free(&auth_data);
-		message->add_payload(message, (payload_t*)auth_payload);
 		status = SUCCESS;
 	}
 	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
-		 auth_method_names, auth_method,
-		 (status == SUCCESS)? "successful":"failed");
+		 auth_method_names, *auth_method,
+		 status == SUCCESS ? "successful" : "failed");
 	chunk_free(&octets);
+	return status;
+}
+
+METHOD(authenticator_t, build, status_t,
+	private_pubkey_authenticator_t *this, message_t *message)
+{
+	private_key_t *private;
+	identification_t *id;
+	auth_cfg_t *auth;
+	chunk_t auth_data;
+	status_t status;
+	auth_payload_t *auth_payload;
+	auth_method_t auth_method;
+
+	id = this->ike_sa->get_my_id(this->ike_sa);
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+	private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
+	if (!private)
+	{
+		DBG1(DBG_IKE, "no private key found for '%Y'", id);
+		return NOT_FOUND;
+	}
+
+	if (this->ike_sa->supports_extension(this->ike_sa, EXT_SIGNATURE_AUTH))
+	{
+		auth_method = AUTH_DS;
+		status = sign_signature_auth(this, auth, private, id, &auth_data);
+	}
+	else
+	{
+		status = sign_classic(this, auth, private, id, &auth_method,
+							  &auth_data);
+	}
 	private->destroy(private);
 
+	if (status == SUCCESS)
+	{
+		auth_payload = auth_payload_create();
+		auth_payload->set_auth_method(auth_payload, auth_method);
+		auth_payload->set_data(auth_payload, auth_data);
+		chunk_free(&auth_data);
+		message->add_payload(message, (payload_t*)auth_payload);
+	}
 	return status;
 }
 
@@ -153,11 +376,10 @@ METHOD(authenticator_t, process, status_t,
 		return FAILED;
 	}
 	auth_method = auth_payload->get_auth_method(auth_payload);
+	auth_data = auth_payload->get_data(auth_payload);
 	switch (auth_method)
 	{
 		case AUTH_RSA:
-			/* We currently accept SHA1 signatures only
-			 * TODO: allow other hash algorithms and note it in "auth" */
 			key_type = KEY_RSA;
 			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
 			break;
@@ -170,10 +392,15 @@ METHOD(authenticator_t, process, status_t,
 		case AUTH_ECDSA_521:
 			scheme = SIGN_ECDSA_521;
 			break;
+		case AUTH_DS:
+			if (parse_signature_auth_data(&auth_data, &key_type, &scheme))
+			{
+				break;
+			}
+			/* fall-through */
 		default:
 			return INVALID_ARG;
 	}
-	auth_data = auth_payload->get_data(auth_payload);
 	id = this->ike_sa->get_other_id(this->ike_sa);
 	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (!keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
@@ -188,11 +415,16 @@ METHOD(authenticator_t, process, status_t,
 	{
 		if (public->verify(public, scheme, octets, auth_data))
 		{
-			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
-						   id, auth_method_names, auth_method);
+			DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
+				 auth_method == AUTH_DS ? signature_scheme_names : auth_method_names,
+				 auth_method == AUTH_DS ? scheme : auth_method);
 			status = SUCCESS;
 			auth->merge(auth, current_auth, FALSE);
 			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+			if (this->store_signature_scheme)
+			{
+				auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+			}
 			break;
 		}
 		else
@@ -265,6 +497,8 @@ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
 		.ike_sa = ike_sa,
 		.ike_sa_init = received_init,
 		.nonce = sent_nonce,
+		.store_signature_scheme = lib->settings->get_bool(lib->settings,
+					"%s.signature_authentication_constraints", TRUE, lib->ns),
 	);
 	memcpy(this->reserved, reserved, sizeof(this->reserved));
 
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 88ad14faf..f70f5cfed 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -17,6 +18,7 @@
 
 #include <daemon.h>
 #include <crypto/prf_plus.h>
+#include <crypto/hashers/hash_algorithm_set.h>
 
 typedef struct private_keymat_v2_t private_keymat_v2_t;
 
@@ -69,6 +71,11 @@ struct private_keymat_v2_t {
 	 * Key to verify incoming authentication data (SKp)
 	 */
 	chunk_t skp_verify;
+
+	/**
+	 * Set of hash algorithms supported by peer for signature authentication
+	 */
+	hash_algorithm_set_t *hash_algorithms;
 };
 
 METHOD(keymat_t, get_version, ike_version_t,
@@ -293,7 +300,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
 	spi_i = chunk_alloca(sizeof(u_int64_t));
 	spi_r = chunk_alloca(sizeof(u_int64_t));
 
-	if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+	if (!dh->get_shared_secret(dh, &secret))
 	{
 		return FALSE;
 	}
@@ -547,7 +554,7 @@ METHOD(keymat_v2_t, derive_child_keys, bool,
 
 	if (dh)
 	{
-		if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+		if (!dh->get_shared_secret(dh, &secret))
 		{
 			return FALSE;
 		}
@@ -676,6 +683,26 @@ METHOD(keymat_v2_t, get_psk_sig, bool,
 	return TRUE;
 }
 
+METHOD(keymat_v2_t, hash_algorithm_supported, bool,
+	private_keymat_v2_t *this, hash_algorithm_t hash)
+{
+	if (!this->hash_algorithms)
+	{
+		return FALSE;
+	}
+	return this->hash_algorithms->contains(this->hash_algorithms, hash);
+}
+
+METHOD(keymat_v2_t, add_hash_algorithm, void,
+	private_keymat_v2_t *this, hash_algorithm_t hash)
+{
+	if (!this->hash_algorithms)
+	{
+		this->hash_algorithms = hash_algorithm_set_create();
+	}
+	this->hash_algorithms->add(this->hash_algorithms, hash);
+}
+
 METHOD(keymat_t, destroy, void,
 	private_keymat_v2_t *this)
 {
@@ -685,6 +712,7 @@ METHOD(keymat_t, destroy, void,
 	chunk_clear(&this->skd);
 	chunk_clear(&this->skp_verify);
 	chunk_clear(&this->skp_build);
+	DESTROY_IF(this->hash_algorithms);
 	free(this);
 }
 
@@ -709,6 +737,9 @@ keymat_v2_t *keymat_v2_create(bool initiator)
 			.get_skd = _get_skd,
 			.get_auth_octets = _get_auth_octets,
 			.get_psk_sig = _get_psk_sig,
+			.add_hash_algorithm = _add_hash_algorithm,
+			.hash_algorithm_supported = _hash_algorithm_supported,
+
 		},
 		.initiator = initiator,
 		.prf_alg = PRF_UNDEFINED,
diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h
index 04432f05b..927b62b03 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.h
+++ b/src/libcharon/sa/ikev2/keymat_v2.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Tobias Brunner
+ * Copyright (C) 2011-2015 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -124,6 +124,22 @@ struct keymat_v2_t {
 	bool (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
 						chunk_t nonce, chunk_t secret,
 						identification_t *id, char reserved[3], chunk_t *sig);
+
+	/**
+	 * Add a hash algorithm supported by the peer for signature authentication.
+	 *
+	 * @param hash			hash algorithm
+	 */
+	void (*add_hash_algorithm)(keymat_v2_t *this, hash_algorithm_t hash);
+
+	/**
+	 * Check if a given hash algorithm is supported by the peer for signature
+	 * authentication.
+	 *
+	 * @param hash			hash algorithm
+	 * @return				TRUE if supported, FALSE otherwise
+	 */
+	bool (*hash_algorithm_supported)(keymat_v2_t *this, hash_algorithm_t hash);
 };
 
 /**
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index eb7df3516..298167703 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -29,6 +29,7 @@
 #include <sa/ikev2/tasks/ike_cert_post.h>
 #include <sa/ikev2/tasks/ike_rekey.h>
 #include <sa/ikev2/tasks/ike_reauth.h>
+#include <sa/ikev2/tasks/ike_reauth_complete.h>
 #include <sa/ikev2/tasks/ike_delete.h>
 #include <sa/ikev2/tasks/ike_config.h>
 #include <sa/ikev2/tasks/ike_dpd.h>
@@ -171,6 +172,11 @@ struct private_task_manager_t {
 	 * Base to calculate retransmission timeout
 	 */
 	double retransmit_base;
+
+	/**
+	 * Use make-before-break instead of break-before-make reauth?
+	 */
+	bool make_before_break;
 };
 
 /**
@@ -510,6 +516,11 @@ METHOD(task_manager_t, initiate, status_t,
 					break;
 				}
 #endif /* ME */
+				if (activate_task(this, TASK_IKE_REAUTH_COMPLETE))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
 			case IKE_REKEYING:
 				if (activate_task(this, TASK_IKE_DELETE))
 				{
@@ -604,6 +615,11 @@ METHOD(task_manager_t, initiate, status_t,
 
 	/* update exchange type if a task changed it */
 	this->initiating.type = message->get_exchange_type(message);
+	if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED)
+	{
+		message->destroy(message);
+		return SUCCESS;
+	}
 
 	if (!generate_message(this, message, &this->initiating.packets))
 	{
@@ -1170,7 +1186,7 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
 		{
 			unknown = (unknown_payload_t*)payload;
 			type = payload->get_type(payload);
-			if (!payload_is_known(type) &&
+			if (!payload_is_known(type, msg->get_major_version(msg)) &&
 				unknown->is_critical(unknown))
 			{
 				DBG1(DBG_ENC, "payload type %N is not supported, "
@@ -1288,17 +1304,16 @@ METHOD(task_manager_t, process_message, status_t,
 	{
 		if (mid == this->responding.mid)
 		{
-			/* reject initial messages once established */
-			if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
-				msg->get_exchange_type(msg) == IKE_AUTH)
+			/* reject initial messages if not received in specific states */
+			if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
+				 this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) ||
+				(msg->get_exchange_type(msg) == IKE_AUTH &&
+				 this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
 			{
-				if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
-					this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
-				{
-					DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
-						 exchange_type_names, msg->get_exchange_type(msg));
-					return FAILED;
-				}
+				DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
+					 exchange_type_names, msg->get_exchange_type(msg),
+					 ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
+				return FAILED;
 			}
 			if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
 			{	/* with MOBIKE, we do no implicit updates */
@@ -1339,10 +1354,6 @@ METHOD(task_manager_t, process_message, status_t,
 		{
 			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
 				 mid, this->responding.mid);
-			if (msg->get_exchange_type(msg) == IKE_SA_INIT)
-			{	/* clean up IKE_SA state if IKE_SA_INIT has invalid msg ID */
-				return DESTROY_ME;
-			}
 		}
 	}
 	else
@@ -1505,9 +1516,79 @@ METHOD(task_manager_t, queue_ike_rekey, void,
 	queue_task(this, (task_t*)ike_rekey_create(this->ike_sa, TRUE));
 }
 
+/**
+ * Start reauthentication using make-before-break
+ */
+static void trigger_mbb_reauth(private_task_manager_t *this)
+{
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+	child_cfg_t *cfg;
+	ike_sa_t *new;
+	host_t *host;
+	task_t *task;
+
+	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+								this->ike_sa->get_version(this->ike_sa), TRUE);
+	if (!new)
+	{	/* shouldn't happen */
+		return;
+	}
+
+	new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
+	host = this->ike_sa->get_other_host(this->ike_sa);
+	new->set_other_host(new, host->clone(host));
+	host = this->ike_sa->get_my_host(this->ike_sa);
+	new->set_my_host(new, host->clone(host));
+	enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
+	while (enumerator->enumerate(enumerator, &host))
+	{
+		new->add_virtual_ip(new, TRUE, host);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
+	while (enumerator->enumerate(enumerator, &child_sa))
+	{
+		cfg = child_sa->get_config(child_sa);
+		new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg),
+												  FALSE, NULL, NULL)->task);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = array_create_enumerator(this->queued_tasks);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (task->get_type(task) == TASK_CHILD_CREATE)
+		{
+			task->migrate(task, new);
+			new->queue_task(new, task);
+			array_remove_at(this->queued_tasks, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
+	{
+		new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
+										this->ike_sa->get_id(this->ike_sa)));
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
+	}
+	else
+	{
+		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
+		DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
+	}
+	charon->bus->set_sa(charon->bus, this->ike_sa);
+}
+
 METHOD(task_manager_t, queue_ike_reauth, void,
 	private_task_manager_t *this)
 {
+	if (this->make_before_break)
+	{
+		return trigger_mbb_reauth(this);
+	}
 	queue_task(this, (task_t*)ike_reauth_create(this->ike_sa));
 }
 
@@ -1773,6 +1854,8 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
 					"%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
 		.retransmit_base = lib->settings->get_double(lib->settings,
 					"%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
+		.make_before_break = lib->settings->get_bool(lib->settings,
+					"%s.make_before_break", FALSE, lib->ns),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index a1f01c276..6d9132a68 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -105,6 +105,11 @@ struct private_child_create_t {
 	diffie_hellman_t *dh;
 
 	/**
+	 * Applying DH public value failed?
+	 */
+	bool dh_failed;
+
+	/**
 	 * group used for DH exchange
 	 */
 	diffie_hellman_group_t dh_group;
@@ -160,6 +165,16 @@ struct private_child_create_t {
 	u_int32_t reqid;
 
 	/**
+	 * Explicit inbound mark value
+	 */
+	u_int mark_in;
+
+	/**
+	 * Explicit outbound mark value
+	 */
+	u_int mark_out;
+
+	/**
 	 * CHILD_SA which gets established
 	 */
 	child_sa_t *child_sa;
@@ -286,7 +301,7 @@ static bool allocate_spi(private_child_create_t *this)
  */
 static void schedule_inactivity_timeout(private_child_create_t *this)
 {
-	u_int32_t timeout;
+	u_int32_t timeout, id;
 	bool close_ike;
 
 	timeout = this->config->get_inactivity(this->config);
@@ -294,9 +309,9 @@ static void schedule_inactivity_timeout(private_child_create_t *this)
 	{
 		close_ike = lib->settings->get_bool(lib->settings,
 									"%s.inactivity_close_ike", FALSE, lib->ns);
+		id = this->child_sa->get_unique_id(this->child_sa);
 		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
-				inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
-									  timeout, close_ike), timeout);
+						inactivity_job_create(id, timeout, close_ike), timeout);
 	}
 }
 
@@ -683,10 +698,7 @@ static status_t select_and_install(private_child_create_t *this,
 	this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
 	this->established = TRUE;
 
-	if (!this->rekey)
-	{	/* a rekeyed SA uses the same reqid, no need for a new job */
-		schedule_inactivity_timeout(this);
-	}
+	schedule_inactivity_timeout(this);
 
 	my_ts = linked_list_create_from_enumerator(
 				this->child_sa->create_ts_enumerator(this->child_sa, TRUE));
@@ -696,7 +708,7 @@ static status_t select_and_install(private_child_create_t *this,
 	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
 		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
 		 this->child_sa->get_name(this->child_sa),
-		 this->child_sa->get_reqid(this->child_sa),
+		 this->child_sa->get_unique_id(this->child_sa),
 		 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
 		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), my_ts, other_ts);
 
@@ -709,7 +721,7 @@ static status_t select_and_install(private_child_create_t *this,
 /**
  * build the payloads for the message
  */
-static void build_payloads(private_child_create_t *this, message_t *message)
+static bool build_payloads(private_child_create_t *this, message_t *message)
 {
 	sa_payload_t *sa_payload;
 	nonce_payload_t *nonce_payload;
@@ -741,6 +753,11 @@ static void build_payloads(private_child_create_t *this, message_t *message)
 	{
 		ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE,
 														   this->dh);
+		if (!ke_payload)
+		{
+			DBG1(DBG_IKE, "creating KE payload failed");
+			return FALSE;
+		}
 		message->add_payload(message, (payload_t*)ke_payload);
 	}
 
@@ -769,6 +786,7 @@ static void build_payloads(private_child_create_t *this, message_t *message)
 		message->add_notify(message, FALSE, ESP_TFC_PADDING_NOT_SUPPORTED,
 							chunk_empty);
 	}
+	return TRUE;
 }
 
 /**
@@ -880,7 +898,7 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 				}
 				if (this->dh)
 				{
-					this->dh->set_other_public_value(this->dh,
+					this->dh_failed = !this->dh->set_other_public_value(this->dh,
 								ke_payload->get_key_exchange_data(ke_payload));
 				}
 				break;
@@ -996,7 +1014,8 @@ METHOD(task_t, build_i, status_t,
 
 	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
 			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
-			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY),
+			this->mark_in, this->mark_out);
 
 	if (!allocate_spi(this))
 	{
@@ -1027,7 +1046,10 @@ METHOD(task_t, build_i, status_t,
 							NARROW_INITIATOR_PRE_AUTH, this->tsi, this->tsr);
 	}
 
-	build_payloads(this, message);
+	if (!build_payloads(this, message))
+	{
+		return FAILED;
+	}
 
 	this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
 	this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
@@ -1168,12 +1190,19 @@ METHOD(task_t, build_r, status_t,
 		case IKE_SA_INIT:
 			return get_nonce(message, &this->my_nonce);
 		case CREATE_CHILD_SA:
-			if (generate_nonce(this) != SUCCESS)
+			if (generate_nonce(this) != SUCCESS )
 			{
 				message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
 									chunk_empty);
 				return SUCCESS;
 			}
+			if (this->dh_failed)
+			{
+				DBG1(DBG_IKE, "applying DH public value failed");
+				message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
+									chunk_empty);
+				return SUCCESS;
+			}
 			no_dh = FALSE;
 			break;
 		case IKE_AUTH:
@@ -1241,7 +1270,8 @@ METHOD(task_t, build_r, status_t,
 
 	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
 			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
-			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY),
+			this->mark_in, this->mark_out);
 
 	if (this->ipcomp_received != IPCOMP_NONE)
 	{
@@ -1279,7 +1309,12 @@ METHOD(task_t, build_r, status_t,
 			return SUCCESS;
 	}
 
-	build_payloads(this, message);
+	if (!build_payloads(this, message))
+	{
+		message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+		handle_child_sa_failure(this, message);
+		return SUCCESS;
+	}
 
 	if (!this->rekey)
 	{	/* invoke the child_up() hook if we are not rekeying */
@@ -1408,6 +1443,7 @@ METHOD(task_t, process_i, status_t,
 						 this->dh_group, diffie_hellman_group_names, group);
 					this->retry = TRUE;
 					this->dh_group = group;
+					this->child_sa->set_state(this->child_sa, CHILD_RETRYING);
 					this->public.task.migrate(&this->public.task, this->ike_sa);
 					enumerator->destroy(enumerator);
 					return NEED_MORE;
@@ -1456,6 +1492,13 @@ METHOD(task_t, process_i, status_t,
 		return delete_failed_sa(this);
 	}
 
+	if (this->dh_failed)
+	{
+		DBG1(DBG_IKE, "applying DH public value failed");
+		handle_child_sa_failure(this, message);
+		return delete_failed_sa(this);
+	}
+
 	if (select_and_install(this, no_dh, ike_auth) == SUCCESS)
 	{
 		if (!this->rekey)
@@ -1477,6 +1520,13 @@ METHOD(child_create_t, use_reqid, void,
 	this->reqid = reqid;
 }
 
+METHOD(child_create_t, use_marks, void,
+	private_child_create_t *this, u_int in, u_int out)
+{
+	this->mark_in = in;
+	this->mark_out = out;
+}
+
 METHOD(child_create_t, get_child, child_sa_t*,
 	private_child_create_t *this)
 {
@@ -1526,6 +1576,7 @@ METHOD(task_t, migrate, void,
 	DESTROY_IF(this->child_sa);
 	DESTROY_IF(this->proposal);
 	DESTROY_IF(this->dh);
+	this->dh_failed = FALSE;
 	if (this->proposals)
 	{
 		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
@@ -1544,6 +1595,8 @@ METHOD(task_t, migrate, void,
 	this->ipcomp_received = IPCOMP_NONE;
 	this->other_cpi = 0;
 	this->reqid = 0;
+	this->mark_in = 0;
+	this->mark_out = 0;
 	this->established = FALSE;
 }
 
@@ -1592,6 +1645,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
 			.set_config = _set_config,
 			.get_lower_nonce = _get_lower_nonce,
 			.use_reqid = _use_reqid,
+			.use_marks = _use_marks,
 			.task = {
 				.get_type = _get_type,
 				.migrate = _migrate,
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.h b/src/libcharon/sa/ikev2/tasks/child_create.h
index d29ba3d98..46d9403ee 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.h
+++ b/src/libcharon/sa/ikev2/tasks/child_create.h
@@ -52,6 +52,14 @@ struct child_create_t {
 	void (*use_reqid) (child_create_t *this, u_int32_t reqid);
 
 	/**
+	 * Use specific mark values to override configuration.
+	 *
+	 * @param in		inbound mark value
+	 * @param out		outbound mark value
+	 */
+	void (*use_marks)(child_create_t *this, u_int in, u_int out);
+
+	/**
 	 * Get the lower of the two nonces, used for rekey collisions.
 	 *
 	 * @return			lower nonce
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index 2b1697423..f0b11e291 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -267,7 +267,7 @@ static void log_children(private_child_delete_t *this)
 		{
 			DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} "
 				 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
-				 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+				 child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
 				 ntohl(child_sa->get_spi(child_sa, TRUE)),
 				 ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts);
 		}
@@ -278,7 +278,7 @@ static void log_children(private_child_delete_t *this)
 
 			DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs %.8x_i "
 				 "(%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
-				 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+				 child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
 				 ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
 				 ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
 				 my_ts, other_ts);
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index db872827d..c806e19ca 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -96,9 +96,9 @@ static void schedule_delayed_rekey(private_child_rekey_t *this)
 
 	retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
 	job = (job_t*)rekey_child_sa_job_create(
-						this->child_sa->get_reqid(this->child_sa),
 						this->child_sa->get_protocol(this->child_sa),
-						this->child_sa->get_spi(this->child_sa, TRUE));
+						this->child_sa->get_spi(this->child_sa, TRUE),
+						this->ike_sa->get_my_host(this->ike_sa));
 	DBG1(DBG_IKE, "CHILD_SA rekeying failed, trying again in %d seconds", retry);
 	this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
 	lib->scheduler->schedule_job(lib->scheduler, job, retry);
@@ -184,6 +184,9 @@ METHOD(task_t, build_i, status_t,
 	}
 	reqid = this->child_sa->get_reqid(this->child_sa);
 	this->child_create->use_reqid(this->child_create, reqid);
+	this->child_create->use_marks(this->child_create,
+						this->child_sa->get_mark(this->child_sa, TRUE).value,
+						this->child_sa->get_mark(this->child_sa, FALSE).value);
 
 	if (this->child_create->task.build(&this->child_create->task,
 									   message) != NEED_MORE)
@@ -224,6 +227,9 @@ METHOD(task_t, build_r, status_t,
 	/* let the CHILD_CREATE task build the response */
 	reqid = this->child_sa->get_reqid(this->child_sa);
 	this->child_create->use_reqid(this->child_create, reqid);
+	this->child_create->use_marks(this->child_create,
+						this->child_sa->get_mark(this->child_sa, TRUE).value,
+						this->child_sa->get_mark(this->child_sa, FALSE).value);
 	config = this->child_sa->get_config(this->child_sa);
 	this->child_create->set_config(this->child_create, config->get_ref(config));
 	this->child_create->task.build(&this->child_create->task, message);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
index 0dac975e7..ca17494de 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -229,12 +229,12 @@ static void process_x509(cert_payload_t *payload, auth_cfg_t *auth,
 			return;
 		}
 		url = strdup(url);
-		if (first)
+		if (*first)
 		{	/* first URL is for an end entity certificate */
 			DBG1(DBG_IKE, "received hash-and-url for end entity cert \"%s\"",
 				 url);
 			auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);
-			first = FALSE;
+			*first = FALSE;
 		}
 		else
 		{
diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c
index da06e2a36..646f20c61 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_config.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.c
@@ -17,7 +17,6 @@
 #include "ike_config.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <encoding/payloads/cp_payload.h>
 
 typedef struct private_ike_config_t private_ike_config_t;
@@ -127,9 +126,8 @@ static void handle_attribute(private_ike_config_t *this,
 	enumerator->destroy(enumerator);
 
 	/* and pass it to the handle function */
-	handler = hydra->attributes->handle(hydra->attributes,
-							this->ike_sa->get_other_id(this->ike_sa), handler,
-							ca->get_type(ca), ca->get_chunk(ca));
+	handler = charon->attributes->handle(charon->attributes,
+					this->ike_sa, handler, ca->get_type(ca), ca->get_chunk(ca));
 	this->ike_sa->add_configuration_attribute(this->ike_sa,
 							handler, ca->get_type(ca), ca->get_chunk(ca));
 }
@@ -274,9 +272,8 @@ METHOD(task_t, build_i, status_t,
 			enumerator->destroy(enumerator);
 		}
 
-		enumerator = hydra->attributes->create_initiator_enumerator(
-								hydra->attributes,
-								this->ike_sa->get_other_id(this->ike_sa), vips);
+		enumerator = charon->attributes->create_initiator_enumerator(
+										charon->attributes, this->ike_sa, vips);
 		while (enumerator->enumerate(enumerator, &handler, &type, &data))
 		{
 			configuration_attribute_t *ca;
@@ -352,8 +349,8 @@ METHOD(task_t, build_r, status_t,
 			/* query all pools until we get an address */
 			DBG1(DBG_IKE, "peer requested virtual IP %H", requested);
 
-			found = hydra->attributes->acquire_address(hydra->attributes,
-													   pools, id, requested);
+			found = charon->attributes->acquire_address(charon->attributes,
+												pools, this->ike_sa, requested);
 			if (found)
 			{
 				DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
@@ -398,8 +395,8 @@ METHOD(task_t, build_r, status_t,
 		}
 
 		/* query registered providers for additional attributes to include */
-		enumerator = hydra->attributes->create_responder_enumerator(
-											hydra->attributes, pools, id, vips);
+		enumerator = charon->attributes->create_responder_enumerator(
+								charon->attributes, pools, this->ike_sa, vips);
 		while (enumerator->enumerate(enumerator, &type, &value))
 		{
 			if (!cp)
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 71c5f22fa..0d5700ef2 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -20,8 +20,11 @@
 #include <string.h>
 
 #include <daemon.h>
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
 #include <sa/ikev2/keymat_v2.h>
 #include <crypto/diffie_hellman.h>
+#include <crypto/hashers/hash_algorithm_set.h>
 #include <encoding/payloads/sa_payload.h>
 #include <encoding/payloads/ke_payload.h>
 #include <encoding/payloads/nonce_payload.h>
@@ -67,6 +70,11 @@ struct private_ike_init_t {
 	diffie_hellman_t *dh;
 
 	/**
+	 * Applying DH public value failed?
+	 */
+	bool dh_failed;
+
+	/**
 	 * Keymat derivation (from IKE_SA)
 	 */
 	keymat_v2_t *keymat;
@@ -100,12 +108,114 @@ struct private_ike_init_t {
 	 * retries done so far after failure (cookie or bad dh group)
 	 */
 	u_int retry;
+
+	/**
+	 * Whether to use Signature Authentication as per RFC 7427
+	 */
+	bool signature_authentication;
 };
 
 /**
+ * Notify the peer about the hash algorithms we support or expect,
+ * as per RFC 7427
+ */
+static void send_supported_hash_algorithms(private_ike_init_t *this,
+										   message_t *message)
+{
+	hash_algorithm_set_t *algos;
+	enumerator_t *enumerator, *rounds;
+	bio_writer_t *writer;
+	hash_algorithm_t hash;
+	peer_cfg_t *peer;
+	auth_cfg_t *auth;
+	auth_rule_t rule;
+	uintptr_t config;
+	char *plugin_name;
+
+	algos = hash_algorithm_set_create();
+	peer = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (peer)
+	{
+		rounds = peer->create_auth_cfg_enumerator(peer, FALSE);
+		while (rounds->enumerate(rounds, &auth))
+		{
+			enumerator = auth->create_enumerator(auth);
+			while (enumerator->enumerate(enumerator, &rule, &config))
+			{
+				if (rule == AUTH_RULE_SIGNATURE_SCHEME)
+				{
+					hash = hasher_from_signature_scheme(config);
+					if (hasher_algorithm_for_ikev2(hash))
+					{
+						algos->add(algos, hash);
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		rounds->destroy(rounds);
+	}
+
+	if (!algos->count(algos))
+	{
+		enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
+		while (enumerator->enumerate(enumerator, &hash, &plugin_name))
+		{
+			if (hasher_algorithm_for_ikev2(hash))
+			{
+				algos->add(algos, hash);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	if (algos->count(algos))
+	{
+		writer = bio_writer_create(0);
+		enumerator = algos->create_enumerator(algos);
+		while (enumerator->enumerate(enumerator, &hash))
+		{
+			writer->write_uint16(writer, hash);
+		}
+		enumerator->destroy(enumerator);
+		message->add_notify(message, FALSE, SIGNATURE_HASH_ALGORITHMS,
+							writer->get_buf(writer));
+		writer->destroy(writer);
+	}
+	algos->destroy(algos);
+}
+
+/**
+ * Store algorithms supported by other peer
+ */
+static void handle_supported_hash_algorithms(private_ike_init_t *this,
+											 notify_payload_t *notify)
+{
+	bio_reader_t *reader;
+	u_int16_t algo;
+	bool added = FALSE;
+
+	reader = bio_reader_create(notify->get_notification_data(notify));
+	while (reader->remaining(reader) >= 2 && reader->read_uint16(reader, &algo))
+	{
+		if (hasher_algorithm_for_ikev2(algo))
+		{
+			this->keymat->add_hash_algorithm(this->keymat, algo);
+			added = TRUE;
+		}
+	}
+	reader->destroy(reader);
+
+	if (added)
+	{
+		this->ike_sa->enable_extension(this->ike_sa, EXT_SIGNATURE_AUTH);
+	}
+}
+
+/**
  * build the payloads for the message
  */
-static void build_payloads(private_ike_init_t *this, message_t *message)
+static bool build_payloads(private_ike_init_t *this, message_t *message)
 {
 	sa_payload_t *sa_payload;
 	ke_payload_t *ke_payload;
@@ -149,7 +259,13 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
 
 	nonce_payload = nonce_payload_create(PLV2_NONCE);
 	nonce_payload->set_nonce(nonce_payload, this->my_nonce);
-	ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE, this->dh);
+	ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE,
+													   this->dh);
+	if (!ke_payload)
+	{
+		DBG1(DBG_IKE, "creating KE payload failed");
+		return FALSE;
+	}
 
 	if (this->old_sa)
 	{	/* payload order differs if we are rekeying */
@@ -174,6 +290,17 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
 								chunk_empty);
 		}
 	}
+	/* submit supported hash algorithms for signature authentication */
+	if (!this->old_sa && this->signature_authentication)
+	{
+		if (this->initiator ||
+			this->ike_sa->supports_extension(this->ike_sa,
+											 EXT_SIGNATURE_AUTH))
+		{
+			send_supported_hash_algorithms(this, message);
+		}
+	}
+	return TRUE;
 }
 
 /**
@@ -183,6 +310,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 {
 	enumerator_t *enumerator;
 	payload_t *payload;
+	ke_payload_t *ke_payload = NULL;
 
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
@@ -211,19 +339,9 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 			}
 			case PLV2_KEY_EXCHANGE:
 			{
-				ke_payload_t *ke_payload = (ke_payload_t*)payload;
+				ke_payload = (ke_payload_t*)payload;
 
 				this->dh_group = ke_payload->get_dh_group_number(ke_payload);
-				if (!this->initiator)
-				{
-					this->dh = this->keymat->keymat.create_dh(
-										&this->keymat->keymat, this->dh_group);
-				}
-				if (this->dh)
-				{
-					this->dh->set_other_public_value(this->dh,
-								ke_payload->get_key_exchange_data(ke_payload));
-				}
 				break;
 			}
 			case PLV2_NONCE:
@@ -237,17 +355,44 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 			{
 				notify_payload_t *notify = (notify_payload_t*)payload;
 
-				if (notify->get_notify_type(notify) == FRAGMENTATION_SUPPORTED)
+				switch (notify->get_notify_type(notify))
 				{
-					this->ike_sa->enable_extension(this->ike_sa,
-												   EXT_IKE_FRAGMENTATION);
+					case FRAGMENTATION_SUPPORTED:
+						this->ike_sa->enable_extension(this->ike_sa,
+													   EXT_IKE_FRAGMENTATION);
+						break;
+					case SIGNATURE_HASH_ALGORITHMS:
+						if (this->signature_authentication)
+						{
+							handle_supported_hash_algorithms(this, notify);
+						}
+						break;
+					default:
+						/* other notifies are handled elsewhere */
+						break;
 				}
+
 			}
 			default:
 				break;
 		}
 	}
 	enumerator->destroy(enumerator);
+
+	if (ke_payload && this->proposal &&
+		this->proposal->has_dh_group(this->proposal, this->dh_group))
+	{
+		if (!this->initiator)
+		{
+			this->dh = this->keymat->keymat.create_dh(
+								&this->keymat->keymat, this->dh_group);
+		}
+		if (this->dh)
+		{
+			this->dh_failed = !this->dh->set_other_public_value(this->dh,
+								ke_payload->get_key_exchange_data(ke_payload));
+		}
+	}
 }
 
 METHOD(task_t, build_i, status_t,
@@ -305,7 +450,10 @@ METHOD(task_t, build_i, status_t,
 		message->add_notify(message, FALSE, COOKIE, this->cookie);
 	}
 
-	build_payloads(this, message);
+	if (!build_payloads(this, message))
+	{
+		return FAILED;
+	}
 
 #ifdef ME
 	{
@@ -433,13 +581,24 @@ METHOD(task_t, build_r, status_t,
 		return FAILED;
 	}
 
+	if (this->dh_failed)
+	{
+		DBG1(DBG_IKE, "applying DH public value failed");
+		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+		return FAILED;
+	}
+
 	if (!derive_keys(this, this->other_nonce, this->my_nonce))
 	{
 		DBG1(DBG_IKE, "key derivation failed");
 		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
 		return FAILED;
 	}
-	build_payloads(this, message);
+	if (!build_payloads(this, message))
+	{
+		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+		return FAILED;
+	}
 	return SUCCESS;
 }
 
@@ -554,6 +713,12 @@ METHOD(task_t, process_i, status_t,
 		return FAILED;
 	}
 
+	if (this->dh_failed)
+	{
+		DBG1(DBG_IKE, "applying DH public value failed");
+		return FAILED;
+	}
+
 	if (!derive_keys(this, this->my_nonce, this->other_nonce))
 	{
 		DBG1(DBG_IKE, "key derivation failed");
@@ -577,6 +742,7 @@ METHOD(task_t, migrate, void,
 	this->ike_sa = ike_sa;
 	this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
 	this->proposal = NULL;
+	this->dh_failed = FALSE;
 	if (this->dh && this->dh->get_dh_group(this->dh) != this->dh_group)
 	{	/* reset DH value only if group changed (INVALID_KE_PAYLOAD) */
 		this->dh->destroy(this->dh);
@@ -631,6 +797,8 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
 		.dh_group = MODP_NONE,
 		.keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa),
 		.old_sa = old_sa,
+		.signature_authentication = lib->settings->get_bool(lib->settings,
+								"%s.signature_authentication", TRUE, lib->ns),
 	);
 
 	if (initiator)
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
index d91fa5862..6295d7960 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
@@ -256,6 +256,7 @@ static void update_children(private_ike_mobike_t *this)
 	enumerator_t *enumerator;
 	child_sa_t *child_sa;
 	linked_list_t *vips;
+	status_t status;
 	host_t *host;
 
 	vips = linked_list_create();
@@ -270,15 +271,25 @@ static void update_children(private_ike_mobike_t *this)
 	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
 	while (enumerator->enumerate(enumerator, (void**)&child_sa))
 	{
-		if (child_sa->update(child_sa,
-				this->ike_sa->get_my_host(this->ike_sa),
-				this->ike_sa->get_other_host(this->ike_sa), vips,
-				this->ike_sa->has_condition(this->ike_sa,
-											COND_NAT_ANY)) == NOT_SUPPORTED)
+		status = child_sa->update(child_sa,
+					this->ike_sa->get_my_host(this->ike_sa),
+					this->ike_sa->get_other_host(this->ike_sa), vips,
+					this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+		switch (status)
 		{
-			this->ike_sa->rekey_child_sa(this->ike_sa,
-					child_sa->get_protocol(child_sa),
-					child_sa->get_spi(child_sa, TRUE));
+			case NOT_SUPPORTED:
+				this->ike_sa->rekey_child_sa(this->ike_sa,
+											 child_sa->get_protocol(child_sa),
+											 child_sa->get_spi(child_sa, TRUE));
+				break;
+			case SUCCESS:
+				charon->child_sa_manager->remove(charon->child_sa_manager,
+												 child_sa);
+				charon->child_sa_manager->add(charon->child_sa_manager,
+											  child_sa, this->ike_sa);
+				break;
+			default:
+				break;
 		}
 	}
 	enumerator->destroy(enumerator);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth.h b/src/libcharon/sa/ikev2/tasks/ike_reauth.h
index 781b463a7..e2e48f0d4 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_reauth.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_reauth.h
@@ -29,6 +29,8 @@ typedef struct ike_reauth_t ike_reauth_t;
 
 /**
  * Task of type ike_reauth, reestablishes an IKE_SA.
+ *
+ * This task implements break-before-make reauthentication.
  */
 struct ike_reauth_t {
 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.c b/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.c
new file mode 100644
index 000000000..a01489c03
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_reauth_complete.h"
+
+#include <daemon.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+
+
+typedef struct private_ike_reauth_complete_t private_ike_reauth_complete_t;
+
+/**
+ * Private members of a ike_reauth_complete_t task.
+ */
+struct private_ike_reauth_complete_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_reauth_complete_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Reauthenticated IKE_SA identifier
+	 */
+	ike_sa_id_t *id;
+};
+
+METHOD(task_t, build_i, status_t,
+	private_ike_reauth_complete_t *this, message_t *message)
+{
+	message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
+	lib->processor->queue_job(lib->processor,
+							  (job_t*)delete_ike_sa_job_create(this->id, TRUE));
+	return SUCCESS;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_ike_reauth_complete_t *this, message_t *message)
+{
+	return DESTROY_ME;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_ike_reauth_complete_t *this)
+{
+	return TASK_IKE_REAUTH_COMPLETE;
+}
+
+METHOD(task_t, migrate, void,
+	private_ike_reauth_complete_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+	private_ike_reauth_complete_t *this)
+{
+	this->id->destroy(this->id);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_reauth_complete_t *ike_reauth_complete_create(ike_sa_t *ike_sa,
+												  ike_sa_id_t *id)
+{
+	private_ike_reauth_complete_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.build = _build_i,
+				.process = _process_i,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.id = id->clone(id),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.h b/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.h
new file mode 100644
index 000000000..cc3d3b713
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_reauth_complete ike_reauth_complete
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_REAUTH_COMPLETE_H_
+#define IKE_REAUTH_COMPLETE_H_
+
+typedef struct ike_reauth_complete_t ike_reauth_complete_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type IKE_REAUTH_COMPLETE, removes reauthenticated SA after reauth.
+ *
+ * This task completes make-before-break reauthentication by deleting the
+ * old, reauthenticated IKE_SA after the new one established.
+ */
+struct ike_reauth_complete_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ike_reauth_complete task.
+ *
+ * This task is initiator only.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param id			old, reauthenticated IKE_SA
+ * @return				ike_reauth_complete task to handle by the task_manager
+ */
+ike_reauth_complete_t *ike_reauth_complete_create(ike_sa_t *ike_sa,
+												  ike_sa_id_t *id);
+
+#endif /** IKE_REAUTH_COMPLETE_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
index 444ac6ade..1855517ce 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
@@ -22,6 +22,7 @@
 #include <sa/ikev2/tasks/ike_delete.h>
 #include <processing/jobs/delete_ike_sa_job.h>
 #include <processing/jobs/rekey_ike_sa_job.h>
+#include <processing/jobs/initiate_tasks_job.h>
 
 
 typedef struct private_ike_rekey_t private_ike_rekey_t;
@@ -68,12 +69,33 @@ struct private_ike_rekey_t {
 };
 
 /**
+ * Check if an IKE_SA has any queued tasks, return initiation job
+ */
+static job_t* check_queued_tasks(ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+	job_t *job = NULL;
+
+	enumerator = ike_sa->create_task_enumerator(ike_sa, TASK_QUEUE_QUEUED);
+	if (enumerator->enumerate(enumerator, &task))
+	{
+		job = (job_t*)initiate_tasks_job_create(ike_sa->get_id(ike_sa));
+	}
+	enumerator->destroy(enumerator);
+
+	return job;
+}
+
+/**
  * Establish the new replacement IKE_SA
  */
 static void establish_new(private_ike_rekey_t *this)
 {
 	if (this->new_sa)
 	{
+		job_t *job;
+
 		this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
 		DBG0(DBG_IKE, "IKE_SA %s[%d] rekeyed between %H[%Y]...%H[%Y]",
 			 this->new_sa->get_name(this->new_sa),
@@ -85,7 +107,14 @@ static void establish_new(private_ike_rekey_t *this)
 
 		this->new_sa->inherit_post(this->new_sa, this->ike_sa);
 		charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
+		job = check_queued_tasks(this->new_sa);
+		/* don't queue job before checkin(), as the IKE_SA is not yet
+		 * registered at the manager */
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
+		if (job)
+		{
+			lib->processor->queue_job(lib->processor, job);
+		}
 		this->new_sa = NULL;
 		/* set threads active IKE_SA after checkin */
 		charon->bus->set_sa(charon->bus, this->ike_sa);
@@ -163,6 +192,7 @@ METHOD(task_t, process_r, status_t,
 		{
 			case CHILD_CREATED:
 			case CHILD_REKEYING:
+			case CHILD_RETRYING:
 			case CHILD_DELETING:
 				/* we do not allow rekeying while we have children in-progress */
 				DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open");
@@ -209,6 +239,12 @@ METHOD(task_t, build_r, status_t,
 	this->public.task.build = _build_r_delete;
 	this->public.task.process = _process_r_delete;
 
+	/* the peer does have to delete the IKE_SA. If it does not, we get a
+	 * unusable IKE_SA in REKEYING state without a replacement. We consider
+	 * this a timeout condition by the peer, and trigger a delete actively. */
+	lib->scheduler->schedule_job(lib->scheduler, (job_t*)
+		delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE), 90);
+
 	return NEED_MORE;
 }
 
diff --git a/src/libcharon/sa/task.c b/src/libcharon/sa/task.c
index 4336b23ff..b35b58185 100644
--- a/src/libcharon/sa/task.c
+++ b/src/libcharon/sa/task.c
@@ -27,6 +27,7 @@ ENUM(task_type_names, TASK_IKE_INIT, TASK_ISAKMP_CERT_POST,
 	"IKE_CONFIG",
 	"IKE_REKEY",
 	"IKE_REAUTH",
+	"IKE_REAUTH_COMPLETE",
 	"IKE_DELETE",
 	"IKE_DPD",
 	"IKE_VENDOR",
diff --git a/src/libcharon/sa/task.h b/src/libcharon/sa/task.h
index f2c4299cc..7bd3da1fe 100644
--- a/src/libcharon/sa/task.h
+++ b/src/libcharon/sa/task.h
@@ -22,6 +22,8 @@
 #ifndef TASK_H_
 #define TASK_H_
 
+#include <utils/utils.h>
+
 typedef enum task_type_t task_type_t;
 typedef struct task_t task_t;
 
@@ -51,8 +53,10 @@ enum task_type_t {
 	TASK_IKE_CONFIG,
 	/** rekey an IKE_SA */
 	TASK_IKE_REKEY,
-	/** reestablish a complete IKE_SA */
+	/** reestablish a complete IKE_SA, break-before-make */
 	TASK_IKE_REAUTH,
+	/** completion task for make-before-break IKE_SA re-authentication */
+	TASK_IKE_REAUTH_COMPLETE,
 	/** delete an IKE_SA */
 	TASK_IKE_DELETE,
 	/** liveness check */
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 7e55d6b0f..d6ff3c8c5 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -65,6 +65,11 @@ struct private_trap_manager_t {
 	 * listener to track acquiring IKE_SAs
 	 */
 	trap_listener_t listener;
+
+	/**
+	 * Whether to ignore traffic selectors from acquires
+	 */
+	bool ignore_acquire_ts;
 };
 
 /**
@@ -171,7 +176,7 @@ METHOD(trap_manager_t, install, u_int32_t,
 	this->lock->unlock(this->lock);
 
 	/* create and route CHILD_SA */
-	child_sa = child_sa_create(me, other, child, reqid, FALSE);
+	child_sa = child_sa_create(me, other, child, reqid, FALSE, 0, 0);
 
 	list = linked_list_create_with_items(me, NULL);
 	my_ts = child->get_traffic_selectors(child, TRUE, NULL, list);
@@ -353,7 +358,7 @@ METHOD(trap_manager_t, acquire, void,
 		{
 			ike_sa->set_peer_cfg(ike_sa, peer);
 		}
-		if (ike_sa->get_version(ike_sa) == IKEV1)
+		if (this->ignore_acquire_ts || ike_sa->get_version(ike_sa) == IKEV1)
 		{	/* in IKEv1, don't prepend the acquiring packet TS, as we only
 			 * have a single TS that we can establish in a Quick Mode. */
 			src = dst = NULL;
@@ -484,6 +489,8 @@ trap_manager_t *trap_manager_create(void)
 		},
 		.traps = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.ignore_acquire_ts = lib->settings->get_bool(lib->settings,
+										"%s.ignore_acquire_ts", FALSE, lib->ns),
 	);
 	charon->bus->add_listener(charon->bus, &this->listener.listener);
 
diff --git a/src/libcharon/tests/Makefile.am b/src/libcharon/tests/Makefile.am
new file mode 100644
index 000000000..c8be28594
--- /dev/null
+++ b/src/libcharon/tests/Makefile.am
@@ -0,0 +1,21 @@
+TESTS = libcharon_tests
+
+check_PROGRAMS = $(TESTS)
+
+libcharon_tests_SOURCES = \
+  suites/test_mem_pool.c \
+  libcharon_tests.h libcharon_tests.c
+
+libcharon_tests_CFLAGS = \
+  -I$(top_srcdir)/src/libcharon \
+  -I$(top_srcdir)/src/libhydra \
+  -I$(top_srcdir)/src/libstrongswan \
+  -I$(top_srcdir)/src/libstrongswan/tests \
+  @COVERAGE_CFLAGS@
+
+libcharon_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+libcharon_tests_LDADD = \
+  $(top_builddir)/src/libcharon/libcharon.la \
+  $(top_builddir)/src/libhydra/libhydra.la \
+  $(top_builddir)/src/libstrongswan/libstrongswan.la \
+  $(top_builddir)/src/libstrongswan/tests/libtest.la
diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in
new file mode 100644
index 000000000..7f4f4b24e
--- /dev/null
+++ b/src/libcharon/tests/Makefile.in
@@ -0,0 +1,874 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+TESTS = libcharon_tests$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
+subdir = src/libcharon/tests
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__EXEEXT_1 = libcharon_tests$(EXEEXT)
+am__dirstamp = $(am__leading_dot)dirstamp
+am_libcharon_tests_OBJECTS =  \
+	suites/libcharon_tests-test_mem_pool.$(OBJEXT) \
+	libcharon_tests-libcharon_tests.$(OBJEXT)
+libcharon_tests_OBJECTS = $(am_libcharon_tests_OBJECTS)
+libcharon_tests_DEPENDENCIES =  \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libcharon_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(libcharon_tests_CFLAGS) $(CFLAGS) $(libcharon_tests_LDFLAGS) \
+	$(LDFLAGS) -o $@
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libcharon_tests_SOURCES)
+DIST_SOURCES = $(libcharon_tests_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__tty_colors_dummy = \
+  mgn= red= grn= lgn= blu= brg= std=; \
+  am__color_tests=no
+am__tty_colors = { \
+  $(am__tty_colors_dummy); \
+  if test "X$(AM_COLOR_TESTS)" = Xno; then \
+    am__color_tests=no; \
+  elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+    am__color_tests=yes; \
+  elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+    am__color_tests=yes; \
+  fi; \
+  if test $$am__color_tests = yes; then \
+    red=''; \
+    grn=''; \
+    lgn=''; \
+    blu=''; \
+    mgn=''; \
+    brg=''; \
+    std=''; \
+  fi; \
+}
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+libcharon_tests_SOURCES = \
+  suites/test_mem_pool.c \
+  libcharon_tests.h libcharon_tests.c
+
+libcharon_tests_CFLAGS = \
+  -I$(top_srcdir)/src/libcharon \
+  -I$(top_srcdir)/src/libhydra \
+  -I$(top_srcdir)/src/libstrongswan \
+  -I$(top_srcdir)/src/libstrongswan/tests \
+  @COVERAGE_CFLAGS@
+
+libcharon_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+libcharon_tests_LDADD = \
+  $(top_builddir)/src/libcharon/libcharon.la \
+  $(top_builddir)/src/libhydra/libhydra.la \
+  $(top_builddir)/src/libstrongswan/libstrongswan.la \
+  $(top_builddir)/src/libstrongswan/tests/libtest.la
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/tests/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/tests/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+suites/$(am__dirstamp):
+	@$(MKDIR_P) suites
+	@: > suites/$(am__dirstamp)
+suites/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) suites/$(DEPDIR)
+	@: > suites/$(DEPDIR)/$(am__dirstamp)
+suites/libcharon_tests-test_mem_pool.$(OBJEXT):  \
+	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+
+libcharon_tests$(EXEEXT): $(libcharon_tests_OBJECTS) $(libcharon_tests_DEPENDENCIES) $(EXTRA_libcharon_tests_DEPENDENCIES) 
+	@rm -f libcharon_tests$(EXEEXT)
+	$(AM_V_CCLD)$(libcharon_tests_LINK) $(libcharon_tests_OBJECTS) $(libcharon_tests_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+	-rm -f suites/*.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcharon_tests-libcharon_tests.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+suites/libcharon_tests-test_mem_pool.o: suites/test_mem_pool.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_mem_pool.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo -c -o suites/libcharon_tests-test_mem_pool.o `test -f 'suites/test_mem_pool.c' || echo '$(srcdir)/'`suites/test_mem_pool.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_mem_pool.c' object='suites/libcharon_tests-test_mem_pool.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_mem_pool.o `test -f 'suites/test_mem_pool.c' || echo '$(srcdir)/'`suites/test_mem_pool.c
+
+suites/libcharon_tests-test_mem_pool.obj: suites/test_mem_pool.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_mem_pool.obj -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo -c -o suites/libcharon_tests-test_mem_pool.obj `if test -f 'suites/test_mem_pool.c'; then $(CYGPATH_W) 'suites/test_mem_pool.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mem_pool.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_mem_pool.c' object='suites/libcharon_tests-test_mem_pool.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_mem_pool.obj `if test -f 'suites/test_mem_pool.c'; then $(CYGPATH_W) 'suites/test_mem_pool.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mem_pool.c'; fi`
+
+libcharon_tests-libcharon_tests.o: libcharon_tests.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT libcharon_tests-libcharon_tests.o -MD -MP -MF $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo -c -o libcharon_tests-libcharon_tests.o `test -f 'libcharon_tests.c' || echo '$(srcdir)/'`libcharon_tests.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo $(DEPDIR)/libcharon_tests-libcharon_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='libcharon_tests.c' object='libcharon_tests-libcharon_tests.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o libcharon_tests-libcharon_tests.o `test -f 'libcharon_tests.c' || echo '$(srcdir)/'`libcharon_tests.c
+
+libcharon_tests-libcharon_tests.obj: libcharon_tests.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT libcharon_tests-libcharon_tests.obj -MD -MP -MF $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo -c -o libcharon_tests-libcharon_tests.obj `if test -f 'libcharon_tests.c'; then $(CYGPATH_W) 'libcharon_tests.c'; else $(CYGPATH_W) '$(srcdir)/libcharon_tests.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo $(DEPDIR)/libcharon_tests-libcharon_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='libcharon_tests.c' object='libcharon_tests-libcharon_tests.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o libcharon_tests-libcharon_tests.obj `if test -f 'libcharon_tests.c'; then $(CYGPATH_W) 'libcharon_tests.c'; else $(CYGPATH_W) '$(srcdir)/libcharon_tests.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	$(am__tty_colors); \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=XPASS; \
+	      ;; \
+	      *) \
+		col=$$grn; res=PASS; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xfail=`expr $$xfail + 1`; \
+		col=$$lgn; res=XFAIL; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=FAIL; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      col=$$blu; res=SKIP; \
+	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
+	  done; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="$$All$$all $$tests passed"; \
+	    else \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all $$tests failed"; \
+	    else \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
+	    else \
+	      skipped="($$skip tests were not run)"; \
+	    fi; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  if test "$$failed" -eq 0; then \
+	    col="$$grn"; \
+	  else \
+	    col="$$red"; \
+	  fi; \
+	  echo "$${col}$$dashes$${std}"; \
+	  echo "$${col}$$banner$${std}"; \
+	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+	  test -z "$$report" || echo "$${col}$$report$${std}"; \
+	  echo "$${col}$$dashes$${std}"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-rm -f suites/$(DEPDIR)/$(am__dirstamp)
+	-rm -f suites/$(am__dirstamp)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR) suites/$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR) suites/$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
+	clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \
+	ctags ctags-am distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-am uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/tests/libcharon_tests.c b/src/libcharon/tests/libcharon_tests.c
new file mode 100644
index 000000000..1ed0f0c95
--- /dev/null
+++ b/src/libcharon/tests/libcharon_tests.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+#include <hydra.h>
+#include <daemon.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
+#include "libcharon_tests.h"
+#undef TEST_SUITE
+#undef TEST_SUITE_DEPEND
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+	{ .suite = x, },
+#define TEST_SUITE_DEPEND(x, type, args) \
+	{ .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#include "libcharon_tests.h"
+	{ .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+	if (init)
+	{
+		libhydra_init();
+		libcharon_init();
+	}
+	else
+	{
+		lib->processor->set_threads(lib->processor, 0);
+		lib->processor->cancel(lib->processor);
+		libcharon_deinit();
+		libhydra_deinit();
+	}
+	return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+	return test_runner_run("libcharon", tests, test_runner_init);
+}
diff --git a/src/libcharon/tests/libcharon_tests.h b/src/libcharon/tests/libcharon_tests.h
new file mode 100644
index 000000000..dc9681aeb
--- /dev/null
+++ b/src/libcharon/tests/libcharon_tests.h
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+TEST_SUITE(mem_pool_suite_create)
diff --git a/src/libcharon/tests/suites/test_mem_pool.c b/src/libcharon/tests/suites/test_mem_pool.c
new file mode 100644
index 000000000..4204d4bab
--- /dev/null
+++ b/src/libcharon/tests/suites/test_mem_pool.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <attributes/mem_pool.h>
+
+static void assert_host(char *expected, host_t *host)
+{
+	if (!expected)
+	{
+		ck_assert_msg(!host, "not epxecting IP != %+H", host);
+	}
+	else
+	{
+		host_t *verifier;
+		verifier = host_create_from_string(expected, 0);
+		ck_assert_msg(host, "expected IP %+H != NULL", verifier);
+		ck_assert_msg(verifier->ip_equals(verifier, host), "expected IP %+H != "
+					  "%+H", verifier, host);;
+		verifier->destroy(verifier);
+	}
+}
+
+static void assert_acquire(mem_pool_t *pool, char *requested, char *expected,
+						   mem_pool_op_t operation)
+{
+	identification_t *id;
+	host_t *req, *acquired;
+
+	id = identification_create_from_string("tester");
+	req = host_create_from_string(requested, 0);
+
+	acquired = pool->acquire_address(pool, id, req, operation, NULL);
+	assert_host(expected, acquired);
+	DESTROY_IF(acquired);
+
+	req->destroy(req);
+	id->destroy(id);
+}
+
+static void assert_acquires_new(mem_pool_t *pool, char *pattern, int first)
+{
+	char expected[16];
+	int i;
+
+	for (i = 0; i < pool->get_size(pool); i++)
+	{
+		snprintf(expected, sizeof(expected), pattern, first + i);
+		assert_acquire(pool, "0.0.0.0", expected, MEM_POOL_NEW);
+		ck_assert_int_eq(i + 1, pool->get_online(pool));
+	}
+	assert_acquire(pool, "0.0.0.0", NULL, MEM_POOL_NEW);
+}
+
+START_TEST(test_config)
+{
+	mem_pool_t *pool;
+
+	pool = mem_pool_create("test", NULL, 0);
+	ck_assert_int_eq(0, pool->get_size(pool));
+	assert_acquire(pool, "192.168.0.1", "192.168.0.1", MEM_POOL_NEW);
+	assert_acquire(pool, "10.0.1.1", "10.0.1.1", MEM_POOL_NEW);
+	assert_acquire(pool, "0.0.0.0", "0.0.0.0", MEM_POOL_NEW);
+	assert_acquire(pool, "255.255.255.255", "255.255.255.255", MEM_POOL_NEW);
+	ck_assert_int_eq(0, pool->get_online(pool));
+	pool->destroy(pool);
+}
+END_TEST
+
+START_TEST(test_cidr)
+{
+	mem_pool_t *pool;
+	host_t *base;
+
+	base = host_create_from_string("192.168.0.0", 0);
+
+	pool = mem_pool_create("test", base, 32);
+	ck_assert_int_eq(1, pool->get_size(pool));
+	assert_acquires_new(pool, "192.168.0.%d", 0);
+	pool->destroy(pool);
+
+	pool = mem_pool_create("test", base, 31);
+	ck_assert_int_eq(2, pool->get_size(pool));
+	assert_acquires_new(pool, "192.168.0.%d", 0);
+	pool->destroy(pool);
+
+	pool = mem_pool_create("test", base, 30);
+	ck_assert_int_eq(2, pool->get_size(pool));
+	assert_acquires_new(pool, "192.168.0.%d", 1);
+	pool->destroy(pool);
+
+	pool = mem_pool_create("test", base, 29);
+	ck_assert_int_eq(6, pool->get_size(pool));
+	assert_acquires_new(pool, "192.168.0.%d", 1);
+	pool->destroy(pool);
+
+	pool = mem_pool_create("test", base, 24);
+	ck_assert_int_eq(254, pool->get_size(pool));
+	assert_acquires_new(pool, "192.168.0.%d", 1);
+	pool->destroy(pool);
+
+	base->destroy(base);
+}
+END_TEST
+
+START_TEST(test_cidr_offset)
+{
+	mem_pool_t *pool;
+	host_t *base;
+
+	base = host_create_from_string("192.168.0.1", 0);
+	pool = mem_pool_create("test", base, 31);
+	ck_assert_int_eq(1, pool->get_size(pool));
+	assert_acquires_new(pool, "192.168.0.%d", 1);
+	pool->destroy(pool);
+
+	pool = mem_pool_create("test", base, 30);
+	ck_assert_int_eq(2, pool->get_size(pool));
+	assert_acquires_new(pool, "192.168.0.%d", 1);
+	pool->destroy(pool);
+	base->destroy(base);
+
+	base = host_create_from_string("192.168.0.2", 0);
+	pool = mem_pool_create("test", base, 30);
+	ck_assert_int_eq(1, pool->get_size(pool));
+	assert_acquires_new(pool, "192.168.0.%d", 2);
+	pool->destroy(pool);
+
+	pool = mem_pool_create("test", base, 24);
+	ck_assert_int_eq(253, pool->get_size(pool));
+	assert_acquires_new(pool, "192.168.0.%d", 2);
+	pool->destroy(pool);
+	base->destroy(base);
+
+	base = host_create_from_string("192.168.0.254", 0);
+	pool = mem_pool_create("test", base, 24);
+	ck_assert_int_eq(1, pool->get_size(pool));
+	assert_acquires_new(pool, "192.168.0.%d", 254);
+	pool->destroy(pool);
+	base->destroy(base);
+
+	/* due to size == 0 we get the requested IP back */
+	base = host_create_from_string("192.168.0.255", 0);
+	pool = mem_pool_create("test", base, 24);
+	ck_assert_int_eq(0, pool->get_size(pool));
+	assert_acquire(pool, "192.168.0.1", "192.168.0.1", MEM_POOL_NEW);
+	pool->destroy(pool);
+
+	base->destroy(base);
+}
+END_TEST
+
+START_TEST(test_range)
+{
+	mem_pool_t *pool;
+	host_t *from, *to;
+
+	from = host_create_from_string("192.168.0.0", 0);
+	to = host_create_from_string("192.168.0.0", 0);
+	pool = mem_pool_create_range("test", from, to);
+	ck_assert_int_eq(1, pool->get_size(pool));
+	assert_acquires_new(pool, "192.168.0.%d", 0);
+	pool->destroy(pool);
+
+	to->destroy(to);
+	to = host_create_from_string("192.168.0.1", 0);
+	pool = mem_pool_create_range("test", from, to);
+	ck_assert_int_eq(2, pool->get_size(pool));
+	assert_acquires_new(pool, "192.168.0.%d", 0);
+	pool->destroy(pool);
+
+	from->destroy(from);
+	from = host_create_from_string("192.168.0.10", 0);
+	pool = mem_pool_create_range("test", from, to);
+	ck_assert(!pool);
+
+	to->destroy(to);
+	to = host_create_from_string("192.168.0.20", 0);
+	pool = mem_pool_create_range("test", from, to);
+	ck_assert_int_eq(11, pool->get_size(pool));
+	assert_acquires_new(pool, "192.168.0.%d", 10);
+	pool->destroy(pool);
+
+	from->destroy(from);
+	from = host_create_from_string("fec::1", 0);
+	to->destroy(to);
+	to = host_create_from_string("fed::1", 0);
+	pool = mem_pool_create_range("test", from, to);
+	ck_assert(!pool);
+
+	from->destroy(from);
+	to->destroy(to);
+}
+END_TEST
+
+Suite *mem_pool_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("mem_pool");
+
+	tc = tcase_create("%config-like pool");
+	tcase_add_test(tc, test_config);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("cidr constructor");
+	tcase_add_test(tc, test_cidr);
+	tcase_add_test(tc, test_cidr_offset);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("range constructor");
+	tcase_add_test(tc, test_range);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index f0e9cbe35..6a3a4ebd5 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk
index ff134da7b..af39f04ec 100644
--- a/src/libhydra/Android.mk
+++ b/src/libhydra/Android.mk
@@ -4,10 +4,6 @@ include $(CLEAR_VARS)
 # copy-n-paste from Makefile.am
 libhydra_la_SOURCES := \
 hydra.c hydra.h \
-attributes/attributes.c attributes/attributes.h \
-attributes/attribute_provider.h attributes/attribute_handler.h \
-attributes/attribute_manager.c attributes/attribute_manager.h \
-attributes/mem_pool.c attributes/mem_pool.h \
 kernel/kernel_interface.c kernel/kernel_interface.h \
 kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
 kernel/kernel_net.c kernel/kernel_net.h \
@@ -17,8 +13,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(libhydra_la_SOURCES))
 
 # adding the plugin source files
 
-LOCAL_SRC_FILES += $(call add_plugin, attr)
-
 LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey)
 
 LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
@@ -42,4 +36,3 @@ LOCAL_PRELINK_MODULE := false
 LOCAL_SHARED_LIBRARIES += libstrongswan
 
 include $(BUILD_SHARED_LIBRARY)
-
diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am
index 510f2a124..9cdbc0147 100644
--- a/src/libhydra/Makefile.am
+++ b/src/libhydra/Makefile.am
@@ -2,10 +2,6 @@ ipseclib_LTLIBRARIES = libhydra.la
 
 libhydra_la_SOURCES = \
 hydra.c hydra.h \
-attributes/attributes.c attributes/attributes.h \
-attributes/attribute_provider.h attributes/attribute_handler.h \
-attributes/attribute_manager.c attributes/attribute_manager.h \
-attributes/mem_pool.c attributes/mem_pool.h \
 kernel/kernel_interface.c kernel/kernel_interface.h \
 kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
 kernel/kernel_net.c kernel/kernel_net.h \
@@ -37,20 +33,6 @@ else
 SUBDIRS = .
 endif
 
-if USE_ATTR
-  SUBDIRS += plugins/attr
-if MONOLITHIC
-  libhydra_la_LIBADD += plugins/attr/libstrongswan-attr.la
-endif
-endif
-
-if USE_ATTR_SQL
-  SUBDIRS += plugins/attr_sql
-if MONOLITHIC
-  libhydra_la_LIBADD += plugins/attr_sql/libstrongswan-attr-sql.la
-endif
-endif
-
 if USE_KERNEL_PFKEY
   SUBDIRS += plugins/kernel_pfkey
 if MONOLITHIC
@@ -72,9 +54,7 @@ if MONOLITHIC
 endif
 endif
 
-if USE_RESOLVE
-  SUBDIRS += plugins/resolve
 if MONOLITHIC
-  libhydra_la_LIBADD += plugins/resolve/libstrongswan-resolve.la
-endif
+  SUBDIRS += .
 endif
+SUBDIRS += tests
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index e3ff1981c..9bb2e839a 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -79,18 +79,12 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 @USE_WINDOWS_TRUE@am__append_1 = -lws2_32
-@USE_ATTR_TRUE@am__append_2 = plugins/attr
-@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_3 = plugins/attr/libstrongswan-attr.la
-@USE_ATTR_SQL_TRUE@am__append_4 = plugins/attr_sql
-@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_5 = plugins/attr_sql/libstrongswan-attr-sql.la
-@USE_KERNEL_PFKEY_TRUE@am__append_6 = plugins/kernel_pfkey
-@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_7 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
-@USE_KERNEL_PFROUTE_TRUE@am__append_8 = plugins/kernel_pfroute
-@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_9 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
-@USE_KERNEL_NETLINK_TRUE@am__append_10 = plugins/kernel_netlink
-@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_11 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
-@USE_RESOLVE_TRUE@am__append_12 = plugins/resolve
-@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_13 = plugins/resolve/libstrongswan-resolve.la
+@USE_KERNEL_PFKEY_TRUE@am__append_2 = plugins/kernel_pfkey
+@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_3 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+@USE_KERNEL_PFROUTE_TRUE@am__append_4 = plugins/kernel_pfroute
+@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_5 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+@USE_KERNEL_NETLINK_TRUE@am__append_6 = plugins/kernel_netlink
+@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_7 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
 subdir = src/libhydra
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -144,13 +138,10 @@ am__DEPENDENCIES_1 =
 libhydra_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__DEPENDENCIES_1) $(am__append_3) $(am__append_5) \
-	$(am__append_7) $(am__append_9) $(am__append_11) \
-	$(am__append_13)
+	$(am__append_7)
 am__dirstamp = $(am__leading_dot)dirstamp
-am_libhydra_la_OBJECTS = hydra.lo attributes/attributes.lo \
-	attributes/attribute_manager.lo attributes/mem_pool.lo \
-	kernel/kernel_interface.lo kernel/kernel_ipsec.lo \
-	kernel/kernel_net.lo
+am_libhydra_la_OBJECTS = hydra.lo kernel/kernel_interface.lo \
+	kernel/kernel_ipsec.lo kernel/kernel_net.lo
 libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -232,8 +223,8 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . plugins/attr plugins/attr_sql plugins/kernel_pfkey \
-	plugins/kernel_pfroute plugins/kernel_netlink plugins/resolve
+DIST_SUBDIRS = . plugins/kernel_pfkey plugins/kernel_pfroute \
+	plugins/kernel_netlink tests
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -285,6 +276,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -345,10 +337,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -422,6 +416,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -483,10 +479,6 @@ xml_LIBS = @xml_LIBS@
 ipseclib_LTLIBRARIES = libhydra.la
 libhydra_la_SOURCES = \
 hydra.c hydra.h \
-attributes/attributes.c attributes/attributes.h \
-attributes/attribute_provider.h attributes/attribute_handler.h \
-attributes/attribute_manager.c attributes/attribute_manager.h \
-attributes/mem_pool.c attributes/mem_pool.h \
 kernel/kernel_interface.c kernel/kernel_interface.h \
 kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
 kernel/kernel_net.c kernel/kernel_net.h \
@@ -495,8 +487,7 @@ kernel/kernel_listener.h
 libhydra_la_LIBADD =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__append_1) $(am__append_3) $(am__append_5) \
-	$(am__append_7) $(am__append_9) $(am__append_11) \
-	$(am__append_13)
+	$(am__append_7)
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
@@ -507,14 +498,12 @@ AM_LDFLAGS = \
 
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_2) $(am__append_4) \
-@MONOLITHIC_FALSE@	$(am__append_6) $(am__append_8) \
-@MONOLITHIC_FALSE@	$(am__append_10) $(am__append_12)
+@MONOLITHIC_FALSE@	$(am__append_6) tests
 
 # build optional plugins
 ########################
 @MONOLITHIC_TRUE@SUBDIRS = $(am__append_2) $(am__append_4) \
-@MONOLITHIC_TRUE@	$(am__append_6) $(am__append_8) \
-@MONOLITHIC_TRUE@	$(am__append_10) $(am__append_12)
+@MONOLITHIC_TRUE@	$(am__append_6) . tests
 all: all-recursive
 
 .SUFFIXES:
@@ -584,18 +573,6 @@ clean-ipseclibLTLIBRARIES:
 	  echo rm -f $${locs}; \
 	  rm -f $${locs}; \
 	}
-attributes/$(am__dirstamp):
-	@$(MKDIR_P) attributes
-	@: > attributes/$(am__dirstamp)
-attributes/$(DEPDIR)/$(am__dirstamp):
-	@$(MKDIR_P) attributes/$(DEPDIR)
-	@: > attributes/$(DEPDIR)/$(am__dirstamp)
-attributes/attributes.lo: attributes/$(am__dirstamp) \
-	attributes/$(DEPDIR)/$(am__dirstamp)
-attributes/attribute_manager.lo: attributes/$(am__dirstamp) \
-	attributes/$(DEPDIR)/$(am__dirstamp)
-attributes/mem_pool.lo: attributes/$(am__dirstamp) \
-	attributes/$(DEPDIR)/$(am__dirstamp)
 kernel/$(am__dirstamp):
 	@$(MKDIR_P) kernel
 	@: > kernel/$(am__dirstamp)
@@ -614,8 +591,6 @@ libhydra.la: $(libhydra_la_OBJECTS) $(libhydra_la_DEPENDENCIES) $(EXTRA_libhydra
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
-	-rm -f attributes/*.$(OBJEXT)
-	-rm -f attributes/*.lo
 	-rm -f kernel/*.$(OBJEXT)
 	-rm -f kernel/*.lo
 
@@ -623,9 +598,6 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/attribute_manager.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/attributes.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/mem_pool.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_interface.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_ipsec.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_net.Plo@am__quote@
@@ -659,7 +631,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-	-rm -rf attributes/.libs attributes/_libs
 	-rm -rf kernel/.libs kernel/_libs
 
 # This directory's subdirectories are mostly independent; you can cd
@@ -850,8 +821,6 @@ clean-generic:
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-	-rm -f attributes/$(DEPDIR)/$(am__dirstamp)
-	-rm -f attributes/$(am__dirstamp)
 	-rm -f kernel/$(DEPDIR)/$(am__dirstamp)
 	-rm -f kernel/$(am__dirstamp)
 
@@ -864,7 +833,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
 	mostlyclean-am
 
 distclean: distclean-recursive
-	-rm -rf ./$(DEPDIR) attributes/$(DEPDIR) kernel/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) kernel/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -910,7 +879,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
-	-rm -rf ./$(DEPDIR) attributes/$(DEPDIR) kernel/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) kernel/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
index 1b5065081..47ffb59c6 100644
--- a/src/libhydra/hydra.c
+++ b/src/libhydra/hydra.c
@@ -57,7 +57,6 @@ void libhydra_deinit()
 		return;
 	}
 
-	this->public.attributes->destroy(this->public.attributes);
 	this->public.kernel_interface->destroy(this->public.kernel_interface);
 	free(this);
 	hydra = NULL;
@@ -78,9 +77,6 @@ bool libhydra_init()
 	}
 
 	INIT(this,
-		.public = {
-			.attributes = attribute_manager_create(),
-		},
 		.ref = 1,
 	);
 	hydra = &this->public;
diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h
index 94209ff59..b23a30584 100644
--- a/src/libhydra/hydra.h
+++ b/src/libhydra/hydra.h
@@ -16,9 +16,6 @@
 /**
  * @defgroup libhydra libhydra
  *
- * @defgroup attributes attributes
- * @ingroup libhydra
- *
  * @defgroup hkernel kernel
  * @ingroup libhydra
  *
@@ -34,7 +31,6 @@
 
 typedef struct hydra_t hydra_t;
 
-#include <attributes/attribute_manager.h>
 #include <kernel/kernel_interface.h>
 
 #include <library.h>
@@ -45,11 +41,6 @@ typedef struct hydra_t hydra_t;
 struct hydra_t {
 
 	/**
-	 * manager for payload attributes
-	 */
-	attribute_manager_t *attributes;
-
-	/**
 	 * kernel interface to communicate with kernel
 	 */
 	kernel_interface_t *kernel_interface;
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 3fa28e054..ce31bd410 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -43,6 +43,8 @@
 #include <utils/debug.h>
 #include <threading/mutex.h>
 #include <collections/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/array.h>
 
 typedef struct private_kernel_interface_t private_kernel_interface_t;
 
@@ -115,6 +117,16 @@ struct private_kernel_interface_t {
 	linked_list_t *listeners;
 
 	/**
+	 * Reqid entries indexed by reqids
+	 */
+	hashtable_t *reqids;
+
+	/**
+	 * Reqid entries indexed by traffic selectors
+	 */
+	hashtable_t *reqids_by_ts;
+
+	/**
 	 * mutex for algorithm mappings
 	 */
 	mutex_t *mutex_algs;
@@ -155,24 +167,252 @@ METHOD(kernel_interface_t, get_features, kernel_feature_t,
 
 METHOD(kernel_interface_t, get_spi, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+	u_int8_t protocol, u_int32_t *spi)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
-	return this->ipsec->get_spi(this->ipsec, src, dst, protocol, reqid, spi);
+	return this->ipsec->get_spi(this->ipsec, src, dst, protocol, spi);
 }
 
 METHOD(kernel_interface_t, get_cpi, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	u_int32_t reqid, u_int16_t *cpi)
+	u_int16_t *cpi)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
-	return this->ipsec->get_cpi(this->ipsec, src, dst, reqid, cpi);
+	return this->ipsec->get_cpi(this->ipsec, src, dst, cpi);
+}
+
+/**
+ * Reqid mapping entry
+ */
+typedef struct {
+	/** allocated reqid */
+	u_int32_t reqid;
+	/** references to this entry */
+	u_int refs;
+	/** inbound mark used for SA */
+	mark_t mark_in;
+	/** outbound mark used for SA */
+	mark_t mark_out;
+	/** local traffic selectors */
+	array_t *local;
+	/** remote traffic selectors */
+	array_t *remote;
+} reqid_entry_t;
+
+/**
+ * Destroy a reqid mapping entry
+ */
+static void reqid_entry_destroy(reqid_entry_t *entry)
+{
+	array_destroy_offset(entry->local, offsetof(traffic_selector_t, destroy));
+	array_destroy_offset(entry->remote, offsetof(traffic_selector_t, destroy));
+	free(entry);
+}
+
+/**
+ * Hashtable hash function for reqid entries using reqid as key
+ */
+static u_int hash_reqid(reqid_entry_t *entry)
+{
+	return chunk_hash_inc(chunk_from_thing(entry->reqid),
+				chunk_hash_inc(chunk_from_thing(entry->mark_in),
+					chunk_hash(chunk_from_thing(entry->mark_out))));
+}
+
+/**
+ * Hashtable equals function for reqid entries using reqid as key
+ */
+static bool equals_reqid(reqid_entry_t *a, reqid_entry_t *b)
+{
+	return a->reqid == b->reqid &&
+		   a->mark_in.value == b->mark_in.value &&
+		   a->mark_in.mask == b->mark_in.mask &&
+		   a->mark_out.value == b->mark_out.value &&
+		   a->mark_out.mask == b->mark_out.mask;
+}
+
+/**
+ * Hash an array of traffic selectors
+ */
+static u_int hash_ts_array(array_t *array, u_int hash)
+{
+	enumerator_t *enumerator;
+	traffic_selector_t *ts;
+
+	enumerator = array_create_enumerator(array);
+	while (enumerator->enumerate(enumerator, &ts))
+	{
+		hash = ts->hash(ts, hash);
+	}
+	enumerator->destroy(enumerator);
+
+	return hash;
+}
+
+/**
+ * Hashtable hash function for reqid entries using traffic selectors as key
+ */
+static u_int hash_reqid_by_ts(reqid_entry_t *entry)
+{
+	return hash_ts_array(entry->local, hash_ts_array(entry->remote,
+			chunk_hash_inc(chunk_from_thing(entry->mark_in),
+				chunk_hash(chunk_from_thing(entry->mark_out)))));
+}
+
+/**
+ * Compare two array with traffic selectors for equality
+ */
+static bool ts_array_equals(array_t *a, array_t *b)
+{
+	traffic_selector_t *tsa, *tsb;
+	enumerator_t *ae, *be;
+	bool equal = TRUE;
+
+	if (array_count(a) != array_count(b))
+	{
+		return FALSE;
+	}
+
+	ae = array_create_enumerator(a);
+	be = array_create_enumerator(b);
+	while (equal && ae->enumerate(ae, &tsa) && be->enumerate(be, &tsb))
+	{
+		equal = tsa->equals(tsa, tsb);
+	}
+	ae->destroy(ae);
+	be->destroy(be);
+
+	return equal;
+}
+
+/**
+ * Hashtable equals function for reqid entries using traffic selectors as key
+ */
+static bool equals_reqid_by_ts(reqid_entry_t *a, reqid_entry_t *b)
+{
+	return ts_array_equals(a->local, b->local) &&
+		   ts_array_equals(a->remote, b->remote) &&
+		   a->mark_in.value == b->mark_in.value &&
+		   a->mark_in.mask == b->mark_in.mask &&
+		   a->mark_out.value == b->mark_out.value &&
+		   a->mark_out.mask == b->mark_out.mask;
+}
+
+/**
+ * Create an array from copied traffic selector list items
+ */
+static array_t *array_from_ts_list(linked_list_t *list)
+{
+	enumerator_t *enumerator;
+	traffic_selector_t *ts;
+	array_t *array;
+
+	array = array_create(0, 0);
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &ts))
+	{
+		array_insert(array, ARRAY_TAIL, ts->clone(ts));
+	}
+	enumerator->destroy(enumerator);
+
+	return array;
+}
+
+METHOD(kernel_interface_t, alloc_reqid, status_t,
+	private_kernel_interface_t *this,
+	linked_list_t *local_ts, linked_list_t *remote_ts,
+	mark_t mark_in, mark_t mark_out, u_int32_t *reqid)
+{
+	static u_int32_t counter = 0;
+	reqid_entry_t *entry = NULL, *tmpl;
+	status_t status = SUCCESS;
+
+	INIT(tmpl,
+		.local = array_from_ts_list(local_ts),
+		.remote = array_from_ts_list(remote_ts),
+		.mark_in = mark_in,
+		.mark_out = mark_out,
+		.reqid = *reqid,
+	);
+
+	this->mutex->lock(this->mutex);
+	if (tmpl->reqid)
+	{
+		/* search by reqid if given */
+		entry = this->reqids->get(this->reqids, tmpl);
+	}
+	if (entry)
+	{
+		/* we don't require a traffic selector match for explicit reqids,
+		 * as we wan't to reuse a reqid for trap-triggered policies that
+		 * got narrowed during negotiation. */
+		reqid_entry_destroy(tmpl);
+	}
+	else
+	{
+		/* search by traffic selectors */
+		entry = this->reqids_by_ts->get(this->reqids_by_ts, tmpl);
+		if (entry)
+		{
+			reqid_entry_destroy(tmpl);
+		}
+		else
+		{
+			/* none found, create a new entry, allocating a reqid */
+			entry = tmpl;
+			entry->reqid = ++counter;
+			this->reqids_by_ts->put(this->reqids_by_ts, entry, entry);
+			this->reqids->put(this->reqids, entry, entry);
+		}
+		*reqid = entry->reqid;
+	}
+	entry->refs++;
+	this->mutex->unlock(this->mutex);
+
+	return status;
+}
+
+METHOD(kernel_interface_t, release_reqid, status_t,
+	private_kernel_interface_t *this, u_int32_t reqid,
+	mark_t mark_in, mark_t mark_out)
+{
+	reqid_entry_t *entry, tmpl = {
+		.reqid = reqid,
+		.mark_in = mark_in,
+		.mark_out = mark_out,
+	};
+
+	this->mutex->lock(this->mutex);
+	entry = this->reqids->remove(this->reqids, &tmpl);
+	if (entry)
+	{
+		if (--entry->refs == 0)
+		{
+			entry = this->reqids_by_ts->remove(this->reqids_by_ts, entry);
+			if (entry)
+			{
+				reqid_entry_destroy(entry);
+			}
+		}
+		else
+		{
+			this->reqids->put(this->reqids, entry, entry);
+		}
+	}
+	this->mutex->unlock(this->mutex);
+
+	if (entry)
+	{
+		return SUCCESS;
+	}
+	return NOT_FOUND;
 }
 
 METHOD(kernel_interface_t, add_sa, status_t,
@@ -181,8 +421,8 @@ METHOD(kernel_interface_t, add_sa, status_t,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
 	u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
-	bool initiator, bool encap, bool esn, bool inbound,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+	bool initiator, bool encap, bool esn, bool inbound, bool update,
+	linked_list_t *src_ts, linked_list_t *dst_ts)
 {
 	if (!this->ipsec)
 	{
@@ -191,7 +431,7 @@ METHOD(kernel_interface_t, add_sa, status_t,
 	return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
 				mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
 				ipcomp, cpi, replay_window, initiator, encap, esn, inbound,
-				src_ts, dst_ts);
+				update, src_ts, dst_ts);
 }
 
 METHOD(kernel_interface_t, update_sa, status_t,
@@ -575,17 +815,18 @@ METHOD(kernel_interface_t, acquire, void,
 }
 
 METHOD(kernel_interface_t, expire, void,
-	private_kernel_interface_t *this, u_int32_t reqid, u_int8_t protocol,
-	u_int32_t spi, bool hard)
+	private_kernel_interface_t *this, u_int8_t protocol, u_int32_t spi,
+	host_t *dst, bool hard)
 {
 	kernel_listener_t *listener;
 	enumerator_t *enumerator;
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &listener))
 	{
 		if (listener->expire &&
-			!listener->expire(listener, reqid, protocol, spi, hard))
+			!listener->expire(listener, protocol, spi, dst, hard))
 		{
 			this->listeners->remove_at(this->listeners, enumerator);
 		}
@@ -595,17 +836,18 @@ METHOD(kernel_interface_t, expire, void,
 }
 
 METHOD(kernel_interface_t, mapping, void,
-	private_kernel_interface_t *this, u_int32_t reqid, u_int32_t spi,
-	host_t *remote)
+	private_kernel_interface_t *this, u_int8_t protocol, u_int32_t spi,
+	host_t *dst, host_t *remote)
 {
 	kernel_listener_t *listener;
 	enumerator_t *enumerator;
+
 	this->mutex->lock(this->mutex);
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &listener))
 	{
 		if (listener->mapping &&
-			!listener->mapping(listener, reqid, spi, remote))
+			!listener->mapping(listener, protocol, spi, dst, remote))
 		{
 			this->listeners->remove_at(this->listeners, enumerator);
 		}
@@ -733,6 +975,8 @@ METHOD(kernel_interface_t, destroy, void,
 	DESTROY_IF(this->ipsec);
 	DESTROY_IF(this->net);
 	DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free);
+	this->reqids->destroy(this->reqids);
+	this->reqids_by_ts->destroy(this->reqids_by_ts);
 	this->listeners->destroy(this->listeners);
 	this->mutex->destroy(this->mutex);
 	free(this);
@@ -751,6 +995,8 @@ kernel_interface_t *kernel_interface_create()
 			.get_features = _get_features,
 			.get_spi = _get_spi,
 			.get_cpi = _get_cpi,
+			.alloc_reqid = _alloc_reqid,
+			.release_reqid = _release_reqid,
 			.add_sa = _add_sa,
 			.update_sa = _update_sa,
 			.query_sa = _query_sa,
@@ -795,6 +1041,10 @@ kernel_interface_t *kernel_interface_create()
 		.listeners = linked_list_create(),
 		.mutex_algs = mutex_create(MUTEX_TYPE_DEFAULT),
 		.algorithms = linked_list_create(),
+		.reqids = hashtable_create((hashtable_hash_t)hash_reqid,
+								   (hashtable_equals_t)equals_reqid, 8),
+		.reqids_by_ts = hashtable_create((hashtable_hash_t)hash_reqid_by_ts,
+								   (hashtable_equals_t)equals_reqid_by_ts, 8),
 	);
 
 	ifaces = lib->settings->get_str(lib->settings,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index cd550383c..96ce9e26d 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -104,39 +104,67 @@ struct kernel_interface_t {
 	 * @param src		source address of SA
 	 * @param dst		destination address of SA
 	 * @param protocol	protocol for SA (ESP/AH)
-	 * @param reqid		unique ID for this SA
 	 * @param spi		allocated spi
-	 * @return				SUCCESS if operation completed
+	 * @return			SUCCESS if operation completed
 	 */
 	status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
-						u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
+						u_int8_t protocol, u_int32_t *spi);
 
 	/**
 	 * Get a Compression Parameter Index (CPI) from the kernel.
 	 *
 	 * @param src		source address of SA
 	 * @param dst		destination address of SA
-	 * @param reqid		unique ID for the corresponding SA
 	 * @param cpi		allocated cpi
-	 * @return				SUCCESS if operation completed
+	 * @return			SUCCESS if operation completed
 	 */
 	status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst,
-						u_int32_t reqid, u_int16_t *cpi);
+						u_int16_t *cpi);
+
+	/**
+	 * Allocate or confirm a reqid to use for a given SA pair.
+	 *
+	 * Each returned reqid by a successful call to alloc_reqid() must be
+	 * released using release_reqid().
+	 *
+	 * The reqid parameter is an in/out parameter. If it points to non-zero,
+	 * the reqid is confirmed and registered for use. If it points to zero,
+	 * a reqid is allocated for the given selectors, and returned to reqid.
+	 *
+	 * @param local_ts	traffic selectors of local side for SA
+	 * @param remote_ts	traffic selectors of remote side for SA
+	 * @param mark_in	inbound mark on SA
+	 * @param mark_out	outbound mark on SA
+	 * @param reqid		allocated reqid
+	 * @return			SUCCESS if reqid allocated
+	 */
+	status_t (*alloc_reqid)(kernel_interface_t *this,
+							linked_list_t *local_ts, linked_list_t *remote_ts,
+							mark_t mark_in, mark_t mark_out,
+							u_int32_t *reqid);
+
+	/**
+	 * Release a previously allocated reqid.
+	 *
+	 * @param reqid		reqid to release
+	 * @param mark_in	inbound mark on SA
+	 * @param mark_out	outbound mark on SA
+	 * @return			SUCCESS if reqid released
+	 */
+	status_t (*release_reqid)(kernel_interface_t *this, u_int32_t reqid,
+							  mark_t mark_in, mark_t mark_out);
 
 	/**
 	 * Add an SA to the SAD.
 	 *
-	 * add_sa() may update an already allocated
-	 * SPI (via get_spi). In this case, the replace
-	 * flag must be set.
-	 * This function does install a single SA for a
-	 * single protocol in one direction.
+	 * This function does install a single SA for a single protocol in one
+	 * direction.
 	 *
 	 * @param src			source address for this SA
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param reqid			unique ID for this SA
+	 * @param reqid			reqid for this SA
 	 * @param mark			optional mark for this SA
 	 * @param tfc			Traffic Flow Confidentiality padding for this SA
 	 * @param lifetime		lifetime_cfg_t for this SA
@@ -152,8 +180,9 @@ struct kernel_interface_t {
 	 * @param encap			enable UDP encapsulation for NAT traversal
 	 * @param esn			TRUE to use Extended Sequence Numbers
 	 * @param inbound		TRUE if this is an inbound SA
-	 * @param src_ts		traffic selector with BEET source address
-	 * @param dst_ts		traffic selector with BEET destination address
+	 * @param update		TRUE if an SPI has already been allocated for SA
+	 * @param src_ts		list of source traffic selectors
+	 * @param dst_ts		list of destination traffic selectors
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*add_sa) (kernel_interface_t *this,
@@ -163,9 +192,9 @@ struct kernel_interface_t {
 						u_int16_t enc_alg, chunk_t enc_key,
 						u_int16_t int_alg, chunk_t int_key,
 						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						u_int32_t replay_window,
-						bool initiator, bool encap, bool esn, bool inbound,
-						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+						u_int32_t replay_window, bool initiator, bool encap,
+						bool esn, bool inbound, bool update,
+						linked_list_t *src_ts, linked_list_t *dst_ts);
 
 	/**
 	 * Update the hosts on an installed SA.
@@ -531,23 +560,24 @@ struct kernel_interface_t {
 	/**
 	 * Raise an expire event.
 	 *
-	 * @param reqid			reqid of the expired SA
 	 * @param protocol		protocol of the expired SA
 	 * @param spi			spi of the expired SA
+	 * @param dst			destination address of expired SA
 	 * @param hard			TRUE if it is a hard expire, FALSE otherwise
 	 */
-	void (*expire)(kernel_interface_t *this, u_int32_t reqid,
-				   u_int8_t protocol, u_int32_t spi, bool hard);
+	void (*expire)(kernel_interface_t *this, u_int8_t protocol, u_int32_t spi,
+				   host_t *dst, bool hard);
 
 	/**
 	 * Raise a mapping event.
 	 *
-	 * @param reqid			reqid of the SA
+	 * @param protocol		protocol of affected SA
 	 * @param spi			spi of the SA
+	 * @param dst			original destination address of SA
 	 * @param remote		new remote host
 	 */
-	void (*mapping)(kernel_interface_t *this, u_int32_t reqid, u_int32_t spi,
-					host_t *remote);
+	void (*mapping)(kernel_interface_t *this, u_int8_t protocol, u_int32_t spi,
+					host_t *dst, host_t *remote);
 
 	/**
 	 * Raise a migrate event.
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index eec7401e9..19caaa400 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -58,33 +58,28 @@ struct kernel_ipsec_t {
 	 * @param src		source address of SA
 	 * @param dst		destination address of SA
 	 * @param protocol	protocol for SA (ESP/AH)
-	 * @param reqid		unique ID for this SA
 	 * @param spi		allocated spi
-	 * @return				SUCCESS if operation completed
+	 * @return			SUCCESS if operation completed
 	 */
 	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
-						u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
+						u_int8_t protocol, u_int32_t *spi);
 
 	/**
 	 * Get a Compression Parameter Index (CPI) from the kernel.
 	 *
 	 * @param src		source address of SA
 	 * @param dst		destination address of SA
-	 * @param reqid		unique ID for the corresponding SA
 	 * @param cpi		allocated cpi
-	 * @return				SUCCESS if operation completed
+	 * @return			SUCCESS if operation completed
 	 */
 	status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
-						u_int32_t reqid, u_int16_t *cpi);
+						u_int16_t *cpi);
 
 	/**
 	 * Add an SA to the SAD.
 	 *
-	 * add_sa() may update an already allocated
-	 * SPI (via get_spi). In this case, the replace
-	 * flag must be set.
-	 * This function does install a single SA for a
-	 * single protocol in one direction.
+	 * This function does install a single SA for a single protocol in one
+	 * direction.
 	 *
 	 * @param src			source address for this SA
 	 * @param dst			destination address for this SA
@@ -106,8 +101,9 @@ struct kernel_ipsec_t {
 	 * @param encap			enable UDP encapsulation for NAT traversal
 	 * @param esn			TRUE to use Extended Sequence Numbers
 	 * @param inbound		TRUE if this is an inbound SA
-	 * @param src_ts		traffic selector with BEET source address
-	 * @param dst_ts		traffic selector with BEET destination address
+	 * @param update		TRUE if an SPI has already been allocated for SA
+	 * @param src_ts		list of source traffic selectors
+	 * @param dst_ts		list of destination traffic selectors
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*add_sa) (kernel_ipsec_t *this,
@@ -117,9 +113,9 @@ struct kernel_ipsec_t {
 						u_int16_t enc_alg, chunk_t enc_key,
 						u_int16_t int_alg, chunk_t int_key,
 						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						u_int32_t replay_window,
-						bool initiator, bool encap, bool esn, bool inbound,
-						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+						u_int32_t replay_window, bool initiator, bool encap,
+						bool esn, bool inbound, bool update,
+						linked_list_t *src_ts, linked_list_t *dst_ts);
 
 	/**
 	 * Update the hosts on an installed SA.
diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libhydra/kernel/kernel_listener.h
index 4382a43fd..8074356a4 100644
--- a/src/libhydra/kernel/kernel_listener.h
+++ b/src/libhydra/kernel/kernel_listener.h
@@ -49,25 +49,26 @@ struct kernel_listener_t {
 	/**
 	 * Hook called if an exire event for an IPsec SA is received.
 	 *
-	 * @param reqid			reqid of the expired SA
 	 * @param protocol		protocol of the expired SA
 	 * @param spi			spi of the expired SA
+	 * @param dst			destination address of expired SA
 	 * @param hard			TRUE if it is a hard expire, FALSE otherwise
 	 * @return				TRUE to remain registered, FALSE to unregister
 	 */
-	bool (*expire)(kernel_listener_t *this, u_int32_t reqid,
-				   u_int8_t protocol, u_int32_t spi, bool hard);
+	bool (*expire)(kernel_listener_t *this, u_int8_t protocol, u_int32_t spi,
+				   host_t *dst, bool hard);
 
 	/**
 	 * Hook called if the NAT mappings of an IPsec SA changed.
 	 *
-	 * @param reqid			reqid of the SA
+	 * @param protocol		IPsec protocol of affected SA
 	 * @param spi			spi of the SA
+	 * @param dst			old destinatino address of SA
 	 * @param remote		new remote host
 	 * @return				TRUE to remain registered, FALSE to unregister
 	 */
-	bool (*mapping)(kernel_listener_t *this, u_int32_t reqid, u_int32_t spi,
-					host_t *remote);
+	bool (*mapping)(kernel_listener_t *this, u_int8_t protocol, u_int32_t spi,
+					host_t *dst, host_t *remote);
 
 	/**
 	 * Hook called if a migrate event for a policy is received.
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.am b/src/libhydra/plugins/kernel_netlink/Makefile.am
index c91f9a9e4..cc8855406 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.am
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.am
@@ -21,3 +21,24 @@ libstrongswan_kernel_netlink_la_SOURCES = \
 	kernel_netlink_shared.h kernel_netlink_shared.c
 
 libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
+
+
+TESTS = tests
+
+check_PROGRAMS = $(TESTS)
+
+tests_SOURCES = \
+	tests.h tests.c \
+	suites/test_socket.c \
+	kernel_netlink_shared.c
+
+tests_CFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/tests \
+	-DNETLINK_MSG_LOSS_HOOK=netlink_msg_loss \
+	@COVERAGE_CFLAGS@
+
+tests_LDFLAGS = @COVERAGE_LDFLAGS@
+tests_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index a9b523eb8..962fe1ba1 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -78,6 +78,8 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
+TESTS = tests$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
 subdir = src/libhydra/plugins/kernel_netlink
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -144,6 +146,18 @@ libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 @MONOLITHIC_FALSE@am_libstrongswan_kernel_netlink_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_kernel_netlink_la_rpath =
+am__EXEEXT_1 = tests$(EXEEXT)
+am__dirstamp = $(am__leading_dot)dirstamp
+am_tests_OBJECTS = tests-tests.$(OBJEXT) \
+	suites/tests-test_socket.$(OBJEXT) \
+	tests-kernel_netlink_shared.$(OBJEXT)
+tests_OBJECTS = $(am_tests_OBJECTS)
+tests_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
+tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(tests_CFLAGS) $(CFLAGS) \
+	$(tests_LDFLAGS) $(LDFLAGS) -o $@
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -178,8 +192,9 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
+SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) $(tests_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) \
+	$(tests_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -204,6 +219,28 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
+am__tty_colors_dummy = \
+  mgn= red= grn= lgn= blu= brg= std=; \
+  am__color_tests=no
+am__tty_colors = { \
+  $(am__tty_colors_dummy); \
+  if test "X$(AM_COLOR_TESTS)" = Xno; then \
+    am__color_tests=no; \
+  elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+    am__color_tests=yes; \
+  elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+    am__color_tests=yes; \
+  fi; \
+  if test $$am__color_tests = yes; then \
+    red=''; \
+    grn=''; \
+    lgn=''; \
+    blu=''; \
+    mgn=''; \
+    brg=''; \
+    std=''; \
+  fi; \
+}
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
@@ -230,6 +267,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -290,10 +328,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -367,6 +407,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -444,6 +486,22 @@ libstrongswan_kernel_netlink_la_SOURCES = \
 	kernel_netlink_shared.h kernel_netlink_shared.c
 
 libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
+tests_SOURCES = \
+	tests.h tests.c \
+	suites/test_socket.c \
+	kernel_netlink_shared.c
+
+tests_CFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/tests \
+	-DNETLINK_MSG_LOSS_HOOK=netlink_msg_loss \
+	@COVERAGE_CFLAGS@
+
+tests_LDFLAGS = @COVERAGE_LDFLAGS@
+tests_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
+
 all: all-am
 
 .SUFFIXES:
@@ -528,8 +586,30 @@ clean-pluginLTLIBRARIES:
 libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_netlink_la_DEPENDENCIES) 
 	$(AM_V_CCLD)$(libstrongswan_kernel_netlink_la_LINK) $(am_libstrongswan_kernel_netlink_la_rpath) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS)
 
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+suites/$(am__dirstamp):
+	@$(MKDIR_P) suites
+	@: > suites/$(am__dirstamp)
+suites/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) suites/$(DEPDIR)
+	@: > suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_socket.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+
+tests$(EXEEXT): $(tests_OBJECTS) $(tests_DEPENDENCIES) $(EXTRA_tests_DEPENDENCIES) 
+	@rm -f tests$(EXEEXT)
+	$(AM_V_CCLD)$(tests_LINK) $(tests_OBJECTS) $(tests_LDADD) $(LIBS)
+
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
+	-rm -f suites/*.$(OBJEXT)
 
 distclean-compile:
 	-rm -f *.tab.c
@@ -538,6 +618,9 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_net.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_plugin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-kernel_netlink_shared.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-tests.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_socket.Po@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -563,6 +646,48 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
+tests-tests.o: tests.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.o -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests.c' object='tests-tests.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c
+
+tests-tests.obj: tests.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.obj -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests.c' object='tests-tests.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi`
+
+suites/tests-test_socket.o: suites/test_socket.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_socket.o -MD -MP -MF suites/$(DEPDIR)/tests-test_socket.Tpo -c -o suites/tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_socket.Tpo suites/$(DEPDIR)/tests-test_socket.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_socket.c' object='suites/tests-test_socket.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c
+
+suites/tests-test_socket.obj: suites/test_socket.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_socket.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_socket.Tpo -c -o suites/tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_socket.Tpo suites/$(DEPDIR)/tests-test_socket.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_socket.c' object='suites/tests-test_socket.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi`
+
+tests-kernel_netlink_shared.o: kernel_netlink_shared.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-kernel_netlink_shared.o -MD -MP -MF $(DEPDIR)/tests-kernel_netlink_shared.Tpo -c -o tests-kernel_netlink_shared.o `test -f 'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tests-kernel_netlink_shared.Tpo $(DEPDIR)/tests-kernel_netlink_shared.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kernel_netlink_shared.c' object='tests-kernel_netlink_shared.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-kernel_netlink_shared.o `test -f 'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c
+
+tests-kernel_netlink_shared.obj: kernel_netlink_shared.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-kernel_netlink_shared.obj -MD -MP -MF $(DEPDIR)/tests-kernel_netlink_shared.Tpo -c -o tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tests-kernel_netlink_shared.Tpo $(DEPDIR)/tests-kernel_netlink_shared.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kernel_netlink_shared.c' object='tests-kernel_netlink_shared.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi`
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -621,6 +746,99 @@ cscopelist-am: $(am__tagged_files)
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	$(am__tty_colors); \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=XPASS; \
+	      ;; \
+	      *) \
+		col=$$grn; res=PASS; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xfail=`expr $$xfail + 1`; \
+		col=$$lgn; res=XFAIL; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=FAIL; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      col=$$blu; res=SKIP; \
+	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
+	  done; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="$$All$$all $$tests passed"; \
+	    else \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all $$tests failed"; \
+	    else \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
+	    else \
+	      skipped="($$skip tests were not run)"; \
+	    fi; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  if test "$$failed" -eq 0; then \
+	    col="$$grn"; \
+	  else \
+	    col="$$red"; \
+	  fi; \
+	  echo "$${col}$$dashes$${std}"; \
+	  echo "$${col}$$banner$${std}"; \
+	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+	  test -z "$$report" || echo "$${col}$$report$${std}"; \
+	  echo "$${col}$$dashes$${std}"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
 distdir: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -652,6 +870,8 @@ distdir: $(DISTFILES)
 	  fi; \
 	done
 check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
 check: check-am
 all-am: Makefile $(LTLIBRARIES)
 installdirs:
@@ -684,17 +904,19 @@ clean-generic:
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-rm -f suites/$(DEPDIR)/$(am__dirstamp)
+	-rm -f suites/$(am__dirstamp)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-pluginLTLIBRARIES mostlyclean-am
+clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
+	clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
+	-rm -rf ./$(DEPDIR) suites/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -740,7 +962,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
+	-rm -rf ./$(DEPDIR) suites/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
@@ -759,22 +981,23 @@ ps-am:
 
 uninstall-am: uninstall-pluginLTLIBRARIES
 
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	cscopelist-am ctags ctags-am distclean distclean-compile \
-	distclean-generic distclean-libtool distclean-tags distdir dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-dvi install-dvi-am \
-	install-exec install-exec-am install-html install-html-am \
-	install-info install-info-am install-man install-pdf \
-	install-pdf-am install-pluginLTLIBRARIES install-ps \
-	install-ps-am install-strip installcheck installcheck-am \
-	installdirs maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
-	uninstall-am uninstall-pluginLTLIBRARIES
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
+	clean-checkPROGRAMS clean-generic clean-libtool \
+	clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES cscopelist-am \
+	ctags ctags-am distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index dfd71f3bd..03e44e510 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -38,6 +38,7 @@
 #include <hydra.h>
 #include <utils/debug.h>
 #include <threading/mutex.h>
+#include <collections/array.h>
 #include <collections/hashtable.h>
 #include <collections/linked_list.h>
 
@@ -319,6 +320,16 @@ struct private_kernel_netlink_ipsec_t {
 	 * Whether to track the history of a policy
 	 */
 	bool policy_history;
+
+	/**
+	 * Whether to always use UPDATE to install policies
+	 */
+	bool policy_update;
+
+	/**
+	 * Installed port based IKE bypass policies, as bypass_t
+	 */
+	array_t *bypass;
 };
 
 typedef struct route_entry_t route_entry_t;
@@ -859,25 +870,26 @@ static void process_expire(private_kernel_netlink_ipsec_t *this,
 						   struct nlmsghdr *hdr)
 {
 	struct xfrm_user_expire *expire;
-	u_int32_t spi, reqid;
+	u_int32_t spi;
 	u_int8_t protocol;
+	host_t *dst;
 
 	expire = NLMSG_DATA(hdr);
 	protocol = expire->state.id.proto;
 	spi = expire->state.id.spi;
-	reqid = expire->state.reqid;
 
 	DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
 
-	if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
+	if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH)
 	{
-		DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and "
-					  "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
-		return;
+		dst = xfrm2host(expire->state.family, &expire->state.id.daddr, 0);
+		if (dst)
+		{
+			hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
+											spi, dst, expire->hard != 0);
+			dst->destroy(dst);
+		}
 	}
-
-	hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
-									spi, expire->hard != 0);
 }
 
 /**
@@ -961,23 +973,29 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
 							struct nlmsghdr *hdr)
 {
 	struct xfrm_user_mapping *mapping;
-	u_int32_t spi, reqid;
+	u_int32_t spi;
 
 	mapping = NLMSG_DATA(hdr);
 	spi = mapping->id.spi;
-	reqid = mapping->reqid;
 
 	DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
 
 	if (mapping->id.proto == IPPROTO_ESP)
 	{
-		host_t *host;
-		host = xfrm2host(mapping->id.family, &mapping->new_saddr,
-						 mapping->new_sport);
-		if (host)
+		host_t *dst, *new;
+
+		dst = xfrm2host(mapping->id.family, &mapping->id.daddr, 0);
+		if (dst)
 		{
-			hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
-											 spi, host);
+			new = xfrm2host(mapping->id.family, &mapping->new_saddr,
+							mapping->new_sport);
+			if (new)
+			{
+				hydra->kernel_interface->mapping(hydra->kernel_interface,
+												 IPPROTO_ESP, spi, dst, new);
+				new->destroy(new);
+			}
+			dst->destroy(dst);
 		}
 	}
 }
@@ -1055,7 +1073,7 @@ METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
  */
 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 	host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
-	u_int32_t reqid, u_int32_t *spi)
+	u_int32_t *spi)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr, *out;
@@ -1075,7 +1093,6 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 	host2xfrm(dst, &userspi->info.id.daddr);
 	userspi->info.id.proto = proto;
 	userspi->info.mode = XFRM_MODE_TUNNEL;
-	userspi->info.reqid = reqid;
 	userspi->info.family = src->get_family(src);
 	userspi->min = min;
 	userspi->max = max;
@@ -1122,39 +1139,35 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+	u_int8_t protocol, u_int32_t *spi)
 {
-	DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-
 	if (get_spi_internal(this, src, dst, protocol,
-						 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
+						 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
+		DBG1(DBG_KNL, "unable to get SPI");
 		return FAILED;
 	}
 
-	DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
+	DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi));
 	return SUCCESS;
 }
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t reqid, u_int16_t *cpi)
+	u_int16_t *cpi)
 {
 	u_int32_t received_spi = 0;
 
-	DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
-
 	if (get_spi_internal(this, src, dst, IPPROTO_COMP,
-						 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
+						 0x100, 0xEFFF, &received_spi) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
+		DBG1(DBG_KNL, "unable to get CPI");
 		return FAILED;
 	}
 
 	*cpi = htons((u_int16_t)ntohl(received_spi));
 
-	DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
+	DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi));
 	return SUCCESS;
 }
 
@@ -1184,8 +1197,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
 	u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
-	bool initiator, bool encap, bool esn, bool inbound,
-	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
+	bool initiator, bool encap, bool esn, bool inbound, bool update,
+	linked_list_t* src_ts, linked_list_t* dst_ts)
 {
 	netlink_buf_t request;
 	char *alg_name;
@@ -1193,6 +1206,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	struct xfrm_usersa_info *sa;
 	u_int16_t icv_size = 64;
 	ipsec_mode_t original_mode = mode;
+	traffic_selector_t *first_src_ts, *first_dst_ts;
 	status_t status = FAILED;
 
 	/* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
@@ -1203,7 +1217,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
 			   tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
 			   chunk_empty, mode, ipcomp, 0, 0, initiator, FALSE, FALSE,
-			   inbound, src_ts, dst_ts);
+			   inbound, update, src_ts, dst_ts);
 		ipcomp = IPCOMP_NONE;
 		/* use transport mode ESP SA, IPComp uses tunnel mode */
 		mode = MODE_TRANSPORT;
@@ -1216,7 +1230,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 
 	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
+	hdr->nlmsg_type = update ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
 
 	sa = NLMSG_DATA(hdr);
@@ -1238,9 +1252,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 				 * selector can be installed other traffic would get dropped */
 				break;
 			}
-			if (src_ts && dst_ts)
+			if (src_ts->get_first(src_ts, (void**)&first_src_ts) == SUCCESS &&
+				dst_ts->get_first(dst_ts, (void**)&first_dst_ts) == SUCCESS)
 			{
-				sa->sel = ts2selector(src_ts, dst_ts);
+				sa->sel = ts2selector(first_src_ts, first_dst_ts);
 				if (!this->proto_port_transport)
 				{
 					/* don't install proto/port on SA. This would break
@@ -1535,7 +1550,8 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
 							 host_t *dst, mark_t mark,
 							 struct xfrm_replay_state_esn **replay_esn,
 							 u_int32_t *replay_esn_len,
-							 struct xfrm_replay_state **replay)
+							 struct xfrm_replay_state **replay,
+							 struct xfrm_lifetime_cur **lifetime)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr, *out = NULL;
@@ -1603,20 +1619,27 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
 		rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
 		while (RTA_OK(rta, rtasize))
 		{
+			if (rta->rta_type == XFRMA_LTIME_VAL &&
+				RTA_PAYLOAD(rta) == sizeof(**lifetime))
+			{
+				free(*lifetime);
+				*lifetime = malloc(RTA_PAYLOAD(rta));
+				memcpy(*lifetime, RTA_DATA(rta), RTA_PAYLOAD(rta));
+			}
 			if (rta->rta_type == XFRMA_REPLAY_VAL &&
 				RTA_PAYLOAD(rta) == sizeof(**replay))
 			{
+				free(*replay);
 				*replay = malloc(RTA_PAYLOAD(rta));
 				memcpy(*replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
-				break;
 			}
 			if (rta->rta_type == XFRMA_REPLAY_ESN_VAL &&
 				RTA_PAYLOAD(rta) >= sizeof(**replay_esn))
 			{
+				free(*replay_esn);
 				*replay_esn = malloc(RTA_PAYLOAD(rta));
 				*replay_esn_len = RTA_PAYLOAD(rta);
 				memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta));
-				break;
 			}
 			rta = RTA_NEXT(rta, rtasize);
 		}
@@ -1798,6 +1821,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	struct xfrm_encap_tmpl* tmpl = NULL;
 	struct xfrm_replay_state *replay = NULL;
 	struct xfrm_replay_state_esn *replay_esn = NULL;
+	struct xfrm_lifetime_cur *lifetime = NULL;
 	u_int32_t replay_esn_len;
 	status_t status = FAILED;
 
@@ -1863,7 +1887,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 		goto failed;
 	}
 
-	get_replay_state(this, spi, protocol, dst, mark, &replay_esn, &replay_esn_len, &replay);
+	get_replay_state(this, spi, protocol, dst, mark, &replay_esn,
+					 &replay_esn_len, &replay, &lifetime);
 
 	/* delete the old SA (without affecting the IPComp SA) */
 	if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
@@ -1952,8 +1977,25 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	}
 	else
 	{
-		DBG1(DBG_KNL, "unable to copy replay state from old SAD entry "
-					  "with SPI %.8x", ntohl(spi));
+		DBG1(DBG_KNL, "unable to copy replay state from old SAD entry with "
+			 "SPI %.8x", ntohl(spi));
+	}
+	if (lifetime)
+	{
+		struct xfrm_lifetime_cur *state;
+
+		state = netlink_reserve(hdr, sizeof(request), XFRMA_LTIME_VAL,
+								sizeof(*state));
+		if (!state)
+		{
+			goto failed;
+		}
+		memcpy(state, lifetime, sizeof(*state));
+	}
+	else
+	{
+		DBG1(DBG_KNL, "unable to copy usage stats from old SAD entry with "
+			 "SPI %.8x", ntohl(spi));
 	}
 
 	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
@@ -1966,6 +2008,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 failed:
 	free(replay);
 	free(replay_esn);
+	free(lifetime);
 	memwipe(out, len);
 	memwipe(&request, sizeof(request));
 	free(out);
@@ -2313,6 +2356,11 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 		return SUCCESS;
 	}
 
+	if (this->policy_update)
+	{
+		found = TRUE;
+	}
+
 	DBG2(DBG_KNL, "%s policy %R === %R %N  (mark %u/0x%08x)",
 				   found ? "updating" : "adding", src_ts, dst_ts,
 				   policy_dir_names, direction, mark.value, mark.mask);
@@ -2576,9 +2624,11 @@ METHOD(kernel_ipsec_t, flush_policies, status_t,
 	return SUCCESS;
 }
 
-
-METHOD(kernel_ipsec_t, bypass_socket, bool,
-	private_kernel_netlink_ipsec_t *this, int fd, int family)
+/**
+ * Bypass socket using a per-socket policy
+ */
+static bool add_socket_bypass(private_kernel_netlink_ipsec_t *this,
+							  int fd, int family)
 {
 	struct xfrm_userpolicy_info policy;
 	u_int sol, ipsec_policy;
@@ -2618,6 +2668,154 @@ METHOD(kernel_ipsec_t, bypass_socket, bool,
 	return TRUE;
 }
 
+/**
+ * Port based IKE bypass policy
+ */
+typedef struct {
+	/** address family */
+	int family;
+	/** layer 4 protocol */
+	int proto;
+	/** port number, network order */
+	u_int16_t port;
+} bypass_t;
+
+/**
+ * Add or remove a bypass policy from/to kernel
+ */
+static bool manage_bypass(private_kernel_netlink_ipsec_t *this,
+						  int type, policy_dir_t dir, bypass_t *bypass)
+{
+	netlink_buf_t request;
+	struct xfrm_selector *sel;
+	struct nlmsghdr *hdr;
+
+	memset(&request, 0, sizeof(request));
+	hdr = &request.hdr;
+	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	hdr->nlmsg_type = type;
+
+	if (type == XFRM_MSG_NEWPOLICY)
+	{
+		struct xfrm_userpolicy_info *policy;
+
+		hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
+
+		policy = NLMSG_DATA(hdr);
+		policy->dir = dir;
+		policy->priority = 32;
+		policy->action = XFRM_POLICY_ALLOW;
+		policy->share = XFRM_SHARE_ANY;
+
+		policy->lft.soft_byte_limit = XFRM_INF;
+		policy->lft.soft_packet_limit = XFRM_INF;
+		policy->lft.hard_byte_limit = XFRM_INF;
+		policy->lft.hard_packet_limit = XFRM_INF;
+
+		sel = &policy->sel;
+	}
+	else /* XFRM_MSG_DELPOLICY */
+	{
+		struct xfrm_userpolicy_id *policy;
+
+		hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
+
+		policy = NLMSG_DATA(hdr);
+		policy->dir = dir;
+
+		sel = &policy->sel;
+	}
+
+	sel->family = bypass->family;
+	sel->proto = bypass->proto;
+	if (dir == POLICY_IN)
+	{
+		sel->dport = bypass->port;
+		sel->dport_mask = 0xffff;
+	}
+	else
+	{
+		sel->sport = bypass->port;
+		sel->sport_mask = 0xffff;
+	}
+	return this->socket_xfrm->send_ack(this->socket_xfrm, hdr) == SUCCESS;
+}
+
+/**
+ * Bypass socket using a port-based bypass policy
+ */
+static bool add_port_bypass(private_kernel_netlink_ipsec_t *this,
+							int fd, int family)
+{
+	union {
+		struct sockaddr sa;
+		struct sockaddr_in in;
+		struct sockaddr_in6 in6;
+	} saddr;
+	socklen_t len;
+	bypass_t bypass = {
+		.family = family,
+	};
+
+	len = sizeof(saddr);
+	if (getsockname(fd, &saddr.sa, &len) != 0)
+	{
+		return FALSE;
+	}
+#ifdef SO_PROTOCOL /* since 2.6.32 */
+	len = sizeof(bypass.proto);
+	if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &bypass.proto, &len) != 0)
+#endif
+	{	/* assume UDP if SO_PROTOCOL not supported */
+		bypass.proto = IPPROTO_UDP;
+	}
+	switch (family)
+	{
+		case AF_INET:
+			bypass.port = saddr.in.sin_port;
+			break;
+		case AF_INET6:
+			bypass.port = saddr.in6.sin6_port;
+			break;
+		default:
+			return FALSE;
+	}
+
+	if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_IN, &bypass))
+	{
+		return FALSE;
+	}
+	if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_OUT, &bypass))
+	{
+		manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, &bypass);
+		return FALSE;
+	}
+	array_insert(this->bypass, ARRAY_TAIL, &bypass);
+
+	return TRUE;
+}
+
+/**
+ * Remove installed port based bypass policy
+ */
+static void remove_port_bypass(bypass_t *bypass, int idx,
+							   private_kernel_netlink_ipsec_t *this)
+{
+	manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_OUT, bypass);
+	manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, bypass);
+}
+
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+	private_kernel_netlink_ipsec_t *this, int fd, int family)
+{
+	if (lib->settings->get_bool(lib->settings,
+					"%s.plugins.kernel-netlink.port_bypass", FALSE, lib->ns))
+	{
+		return add_port_bypass(this, fd, family);
+	}
+	return add_socket_bypass(this, fd, family);
+}
+
 METHOD(kernel_ipsec_t, enable_udp_decap, bool,
 	private_kernel_netlink_ipsec_t *this, int fd, int family, u_int16_t port)
 {
@@ -2637,6 +2835,8 @@ METHOD(kernel_ipsec_t, destroy, void,
 	enumerator_t *enumerator;
 	policy_entry_t *policy;
 
+	array_destroy_function(this->bypass,
+						   (array_callback_t)remove_port_bypass, this);
 	if (this->socket_xfrm_events > 0)
 	{
 		lib->watcher->remove(lib->watcher, this->socket_xfrm_events);
@@ -2688,8 +2888,11 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 									 (hashtable_equals_t)policy_equals, 32),
 		.sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
 								(hashtable_equals_t)ipsec_sa_equals, 32),
+		.bypass = array_create(sizeof(bypass_t), 0),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.policy_history = TRUE,
+		.policy_update = lib->settings->get_bool(lib->settings,
+					"%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns),
 		.install_routes = lib->settings->get_bool(lib->settings,
 							"%s.install_routes", TRUE, lib->ns),
 		.proto_port_transport = lib->settings->get_bool(lib->settings,
@@ -2711,7 +2914,9 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 		fclose(f);
 	}
 
-	this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names);
+	this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names,
+				lib->settings->get_bool(lib->settings,
+					"%s.plugins.kernel-netlink.parallel_xfrm", FALSE, lib->ns));
 	if (!this->socket_xfrm)
 	{
 		destroy(this);
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index 9d9f15974..a431e49b7 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -1538,6 +1538,7 @@ typedef struct {
 	u_int8_t dst_len;
 	u_int32_t table;
 	u_int32_t oif;
+	u_int32_t priority;
 } rt_entry_t;
 
 /**
@@ -1573,6 +1574,7 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
 		route->dst_len = msg->rtm_dst_len;
 		route->table = msg->rtm_table;
 		route->oif = 0;
+		route->priority = 0;
 	}
 	else
 	{
@@ -1601,6 +1603,12 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
 					route->oif = *(u_int32_t*)RTA_DATA(rta);
 				}
 				break;
+			case RTA_PRIORITY:
+				if (RTA_PAYLOAD(rta) == sizeof(route->priority))
+				{
+					route->priority = *(u_int32_t*)RTA_DATA(rta);
+				}
+				break;
 #ifdef HAVE_RTA_TABLE
 			case RTA_TABLE:
 				if (RTA_PAYLOAD(rta) == sizeof(route->table))
@@ -1724,11 +1732,16 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 					}
 					route->src_host = src;
 				}
-				/* insert route, sorted by decreasing network prefix */
+				/* insert route, sorted by priority and network prefix */
 				enumerator = routes->create_enumerator(routes);
 				while (enumerator->enumerate(enumerator, &other))
 				{
-					if (route->dst_len > other->dst_len)
+					if (route->priority < other->priority)
+					{
+						break;
+					}
+					if (route->priority == other->priority &&
+						route->dst_len > other->dst_len)
 					{
 						break;
 					}
@@ -1975,6 +1988,8 @@ METHOD(kernel_net_t, add_ip, status_t,
 	if (iface)
 	{
 		addr_entry_t *addr;
+		char *ifname;
+		int ifi;
 
 		INIT(addr,
 			.ip = virtual_ip->clone(virtual_ip),
@@ -1983,26 +1998,30 @@ METHOD(kernel_net_t, add_ip, status_t,
 		);
 		iface->addrs->insert_last(iface->addrs, addr);
 		addr_map_entry_add(this->vips, addr, iface);
+		ifi = iface->ifindex;
+		this->lock->unlock(this->lock);
 		if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
-						  iface->ifindex, virtual_ip, prefix) == SUCCESS)
+						  ifi, virtual_ip, prefix) == SUCCESS)
 		{
+			this->lock->write_lock(this->lock);
 			while (!is_vip_installed_or_gone(this, virtual_ip, &entry))
 			{	/* wait until address appears */
 				this->condvar->wait(this->condvar, this->lock);
 			}
 			if (entry)
 			{	/* we fail if the interface got deleted in the meantime */
-				DBG2(DBG_KNL, "virtual IP %H installed on %s", virtual_ip,
-					 entry->iface->ifname);
+				ifname = strdup(entry->iface->ifname);
 				this->lock->unlock(this->lock);
+				DBG2(DBG_KNL, "virtual IP %H installed on %s",
+					 virtual_ip, ifname);
 				/* during IKEv1 reauthentication, children get moved from
 				 * old the new SA before the virtual IP is available. This
 				 * kills the route for our virtual IP, reinstall. */
-				queue_route_reinstall(this, strdup(entry->iface->ifname));
+				queue_route_reinstall(this, ifname);
 				return SUCCESS;
 			}
+			this->lock->unlock(this->lock);
 		}
-		this->lock->unlock(this->lock);
 		DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
 		return FAILED;
 	}
@@ -2048,20 +2067,23 @@ METHOD(kernel_net_t, del_ip, status_t,
 	if (entry->addr->refcount == 1)
 	{
 		status_t status;
+		int ifi;
 
 		/* we set this flag so that threads calling add_ip will block and wait
 		 * until the entry is gone, also so we can wait below */
 		entry->addr->installed = FALSE;
-		status = manage_ipaddr(this, RTM_DELADDR, 0, entry->iface->ifindex,
-							   virtual_ip, prefix);
+		ifi = entry->iface->ifindex;
+		this->lock->unlock(this->lock);
+		status = manage_ipaddr(this, RTM_DELADDR, 0, ifi, virtual_ip, prefix);
 		if (status == SUCCESS && wait)
 		{	/* wait until the address is really gone */
+			this->lock->write_lock(this->lock);
 			while (is_known_vip(this, virtual_ip))
 			{
 				this->condvar->wait(this->condvar, this->lock);
 			}
+			this->lock->unlock(this->lock);
 		}
-		this->lock->unlock(this->lock);
 		return status;
 	}
 	else
@@ -2490,7 +2512,9 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 				.destroy = _destroy,
 			},
 		},
-		.socket = netlink_socket_create(NETLINK_ROUTE, rt_msg_names),
+		.socket = netlink_socket_create(NETLINK_ROUTE, rt_msg_names,
+			lib->settings->get_bool(lib->settings,
+				"%s.plugins.kernel-netlink.parallel_route", FALSE, lib->ns)),
 		.rt_exclude = linked_list_create(),
 		.routes = hashtable_create((hashtable_hash_t)route_entry_hash,
 								   (hashtable_equals_t)route_entry_equals, 16),
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
index b4cece720..a9adfe091 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
  * Copyright (C) 2008 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
@@ -16,6 +18,7 @@
 #include <sys/socket.h>
 #include <linux/netlink.h>
 #include <linux/rtnetlink.h>
+#include <linux/xfrm.h>
 #include <errno.h>
 #include <unistd.h>
 
@@ -23,6 +26,9 @@
 
 #include <utils/debug.h>
 #include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <collections/array.h>
+#include <collections/hashtable.h>
 
 typedef struct private_netlink_socket_t private_netlink_socket_t;
 
@@ -30,20 +36,26 @@ typedef struct private_netlink_socket_t private_netlink_socket_t;
  * Private variables and functions of netlink_socket_t class.
  */
 struct private_netlink_socket_t {
+
 	/**
 	 * public part of the netlink_socket_t object.
 	 */
 	netlink_socket_t public;
 
 	/**
-	 * mutex to lock access to netlink socket
+	 * mutex to lock access entries
 	 */
 	mutex_t *mutex;
 
 	/**
-	 * current sequence number for netlink request
+	 * Netlink request entries currently active, uintptr_t seq => entry_t
+	 */
+	hashtable_t *entries;
+
+	/**
+	 * Current sequence number for Netlink requests
 	 */
-	int seq;
+	refcount_t seq;
 
 	/**
 	 * netlink socket
@@ -51,119 +63,420 @@ struct private_netlink_socket_t {
 	int socket;
 
 	/**
+	 * Netlink protocol
+	 */
+	int protocol;
+
+	/**
 	 * Enum names for Netlink messages
 	 */
 	enum_name_t *names;
+
+	/**
+	 * Timeout for Netlink replies, in ms
+	 */
+	u_int timeout;
+
+	/**
+	 * Number of times to repeat timed out queries
+	 */
+	u_int retries;
+
+	/**
+	 * Use parallel netlink queries
+	 */
+	bool parallel;
+
+	/**
+	 * Ignore errors potentially resulting from a retransmission
+	 */
+	bool ignore_retransmit_errors;
 };
 
 /**
- * Imported from kernel_netlink_ipsec.c
+ * #definable hook to simulate request message loss
  */
-extern enum_name_t *xfrm_msg_names;
-
-METHOD(netlink_socket_t, netlink_send, status_t,
-	private_netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out,
-	size_t *out_len)
-{
-	union {
-		struct nlmsghdr hdr;
-		u_char bytes[4096];
-	} response;
-	struct sockaddr_nl addr;
-	chunk_t result = chunk_empty;
-	int len;
+#ifdef NETLINK_MSG_LOSS_HOOK
+bool NETLINK_MSG_LOSS_HOOK(struct nlmsghdr *msg);
+#define msg_loss_hook(msg) NETLINK_MSG_LOSS_HOOK(msg)
+#else
+#define msg_loss_hook(msg) FALSE
+#endif
 
-	this->mutex->lock(this->mutex);
+/**
+ * Request entry the answer for a waiting thread is collected in
+ */
+typedef struct {
+	/** Condition variable thread is waiting */
+	condvar_t *condvar;
+	/** Array of hdrs in a multi-message response, as struct nlmsghdr* */
+	array_t *hdrs;
+	/** All response messages received? */
+	bool complete;
+} entry_t;
 
-	in->nlmsg_seq = ++this->seq;
-	in->nlmsg_pid = getpid();
+/**
+ * Clean up a thread waiting entry
+ */
+static void destroy_entry(entry_t *entry)
+{
+	entry->condvar->destroy(entry->condvar);
+	array_destroy_function(entry->hdrs, (void*)free, NULL);
+	free(entry);
+}
 
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-	addr.nl_pid = 0;
-	addr.nl_groups = 0;
+/**
+ * Write a Netlink message to socket
+ */
+static bool write_msg(private_netlink_socket_t *this, struct nlmsghdr *msg)
+{
+	struct sockaddr_nl addr = {
+		.nl_family = AF_NETLINK,
+	};
+	int len;
 
-	if (this->names)
+	if (msg_loss_hook(msg))
 	{
-		DBG3(DBG_KNL, "sending %N: %b",
-			 this->names, in->nlmsg_type, in, in->nlmsg_len);
+		return TRUE;
 	}
+
 	while (TRUE)
 	{
-		len = sendto(this->socket, in, in->nlmsg_len, 0,
+		len = sendto(this->socket, msg, msg->nlmsg_len, 0,
 					 (struct sockaddr*)&addr, sizeof(addr));
-
-		if (len != in->nlmsg_len)
+		if (len != msg->nlmsg_len)
 		{
 			if (errno == EINTR)
 			{
-				/* interrupted, try again */
 				continue;
 			}
-			this->mutex->unlock(this->mutex);
-			DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
-			return FAILED;
+			DBG1(DBG_KNL, "netlink write error: %s", strerror(errno));
+			return FALSE;
 		}
-		break;
+		return TRUE;
 	}
+}
 
-	while (TRUE)
+/**
+ * Read a single Netlink message from socket, return 0 on error, -1 on timeout
+ */
+static ssize_t read_msg(private_netlink_socket_t *this,
+						char buf[4096], size_t buflen, bool block)
+{
+	ssize_t len;
+
+	if (block)
 	{
-		len = recv(this->socket, &response, sizeof(response), 0);
-		if (len < 0)
+		fd_set set;
+		timeval_t tv = {};
+
+		FD_ZERO(&set);
+		FD_SET(this->socket, &set);
+		timeval_add_ms(&tv, this->timeout);
+
+		if (select(this->socket + 1, &set, NULL, NULL,
+				   this->timeout ? &tv : NULL) <= 0)
 		{
-			if (errno == EINTR)
+			return -1;
+		}
+	}
+	len = recv(this->socket, buf, buflen, block ? 0 : MSG_DONTWAIT);
+	if (len == buflen)
+	{
+		DBG1(DBG_KNL, "netlink response exceeds buffer size");
+		return 0;
+	}
+	if (len < 0)
+	{
+		if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINTR)
+		{
+			DBG1(DBG_KNL, "netlink read error: %s", strerror(errno));
+		}
+		return 0;
+	}
+	return len;
+}
+
+/**
+ * Queue received response message
+ */
+static bool queue(private_netlink_socket_t *this, struct nlmsghdr *buf)
+{
+	struct nlmsghdr *hdr;
+	entry_t *entry;
+	uintptr_t seq;
+
+	seq = (uintptr_t)buf->nlmsg_seq;
+
+	this->mutex->lock(this->mutex);
+	entry = this->entries->get(this->entries, (void*)seq);
+	if (entry)
+	{
+		hdr = malloc(buf->nlmsg_len);
+		memcpy(hdr, buf, buf->nlmsg_len);
+		array_insert(entry->hdrs, ARRAY_TAIL, hdr);
+		if (hdr->nlmsg_type == NLMSG_DONE || !(hdr->nlmsg_flags & NLM_F_MULTI))
+		{
+			entry->complete = TRUE;
+			entry->condvar->signal(entry->condvar);
+		}
+	}
+	else
+	{
+		DBG1(DBG_KNL, "received unknown netlink seq %u, ignored", seq);
+	}
+	this->mutex->unlock(this->mutex);
+
+	return entry != NULL;
+}
+
+/**
+ * Read and queue response message, optionally blocking, returns TRUE on timeout
+ */
+static bool read_and_queue(private_netlink_socket_t *this, bool block)
+{
+	struct nlmsghdr *hdr;
+	union {
+		struct nlmsghdr hdr;
+		char bytes[4096];
+	} buf;
+	ssize_t len;
+
+	len = read_msg(this, buf.bytes, sizeof(buf.bytes), block);
+	if (len == -1)
+	{
+		return TRUE;
+	}
+	if (len)
+	{
+		hdr = &buf.hdr;
+		while (NLMSG_OK(hdr, len))
+		{
+			if (!queue(this, hdr))
 			{
-				DBG1(DBG_KNL, "got interrupted");
-				/* interrupted, try again */
-				continue;
+				break;
 			}
-			DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
-			this->mutex->unlock(this->mutex);
-			free(result.ptr);
-			return FAILED;
+			hdr = NLMSG_NEXT(hdr, len);
 		}
-		if (!NLMSG_OK(&response.hdr, len))
+	}
+	return FALSE;
+}
+
+CALLBACK(watch, bool,
+	private_netlink_socket_t *this, int fd, watcher_event_t event)
+{
+	if (event == WATCHER_READ)
+	{
+		read_and_queue(this, FALSE);
+	}
+	return TRUE;
+}
+
+/**
+ * Send a netlink request, try once
+ */
+static status_t send_once(private_netlink_socket_t *this, struct nlmsghdr *in,
+						  uintptr_t seq, struct nlmsghdr **out, size_t *out_len)
+{
+	struct nlmsghdr *hdr;
+	chunk_t result = {};
+	entry_t *entry;
+
+	in->nlmsg_seq = seq;
+	in->nlmsg_pid = getpid();
+
+	if (this->names)
+	{
+		DBG3(DBG_KNL, "sending %N %u: %b", this->names, in->nlmsg_type,
+			 (u_int)seq, in, in->nlmsg_len);
+	}
+
+	this->mutex->lock(this->mutex);
+	if (!write_msg(this, in))
+	{
+		this->mutex->unlock(this->mutex);
+		return FAILED;
+	}
+
+	INIT(entry,
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.hdrs = array_create(0, 0),
+	);
+	this->entries->put(this->entries, (void*)seq, entry);
+
+	while (!entry->complete)
+	{
+		if (this->parallel &&
+			lib->watcher->get_state(lib->watcher) == WATCHER_RUNNING)
 		{
-			DBG1(DBG_KNL, "received corrupted netlink message");
-			this->mutex->unlock(this->mutex);
-			free(result.ptr);
-			return FAILED;
+			if (this->timeout)
+			{
+				if (entry->condvar->timed_wait(entry->condvar, this->mutex,
+											   this->timeout))
+				{
+					break;
+				}
+			}
+			else
+			{
+				entry->condvar->wait(entry->condvar, this->mutex);
+			}
 		}
-		if (response.hdr.nlmsg_seq != this->seq)
-		{
-			DBG1(DBG_KNL, "received invalid netlink sequence number");
-			if (response.hdr.nlmsg_seq < this->seq)
+		else
+		{	/* During (de-)initialization, no watcher thread is active.
+			 * collect responses ourselves. */
+			if (read_and_queue(this, TRUE))
 			{
-				continue;
+				break;
 			}
-			this->mutex->unlock(this->mutex);
-			free(result.ptr);
-			return FAILED;
 		}
+	}
+	this->entries->remove(this->entries, (void*)seq);
 
-		result = chunk_cat("mc", result, chunk_create(response.bytes, len));
+	this->mutex->unlock(this->mutex);
 
-		/* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
-		 * numbers to detect multi header messages */
-		len = recv(this->socket, &response.hdr, sizeof(response.hdr),
-				   MSG_PEEK | MSG_DONTWAIT);
-		if (len == sizeof(response.hdr) && response.hdr.nlmsg_seq == this->seq)
+	if (!entry->complete)
+	{	/* timeout */
+		destroy_entry(entry);
+		return OUT_OF_RES;
+	}
+
+	while (array_remove(entry->hdrs, ARRAY_HEAD, &hdr))
+	{
+		if (this->names)
 		{
-			/* seems to be multipart */
-			continue;
+			DBG3(DBG_KNL, "received %N %u: %b", this->names, hdr->nlmsg_type,
+				 hdr->nlmsg_seq, hdr, hdr->nlmsg_len);
 		}
-		break;
+		result = chunk_cat("mm", result,
+						   chunk_create((char*)hdr, hdr->nlmsg_len));
 	}
+	destroy_entry(entry);
 
 	*out_len = result.len;
 	*out = (struct nlmsghdr*)result.ptr;
 
-	this->mutex->unlock(this->mutex);
-
 	return SUCCESS;
 }
 
+/**
+ * Ignore errors for message types that might have completed previously
+ */
+static void ignore_retransmit_error(private_netlink_socket_t *this,
+									struct nlmsgerr *err, int type)
+{
+	switch (err->error)
+	{
+		case -EEXIST:
+			switch (this->protocol)
+			{
+				case NETLINK_XFRM:
+					switch (type)
+					{
+						case XFRM_MSG_NEWPOLICY:
+						case XFRM_MSG_NEWSA:
+							err->error = 0;
+							break;
+					}
+					break;
+				case NETLINK_ROUTE:
+					switch (type)
+					{
+						case RTM_NEWADDR:
+						case RTM_NEWLINK:
+						case RTM_NEWNEIGH:
+						case RTM_NEWROUTE:
+						case RTM_NEWRULE:
+							err->error = 0;
+							break;
+					}
+					break;
+			}
+			break;
+		case -ENOENT:
+			switch (this->protocol)
+			{
+				case NETLINK_XFRM:
+					switch (type)
+					{
+						case XFRM_MSG_DELPOLICY:
+						case XFRM_MSG_DELSA:
+							err->error = 0;
+							break;
+					}
+					break;
+				case NETLINK_ROUTE:
+					switch (type)
+					{
+						case RTM_DELADDR:
+						case RTM_DELLINK:
+						case RTM_DELNEIGH:
+						case RTM_DELROUTE:
+						case RTM_DELRULE:
+							err->error = 0;
+							break;
+					}
+					break;
+			}
+			break;
+	}
+}
+
+METHOD(netlink_socket_t, netlink_send, status_t,
+	private_netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out,
+	size_t *out_len)
+{
+	uintptr_t seq;
+	u_int try;
+
+	seq = ref_get(&this->seq);
+
+	for (try = 0; try <= this->retries; ++try)
+	{
+		struct nlmsghdr *hdr;
+		status_t status;
+		size_t len;
+
+		if (try > 0)
+		{
+			DBG1(DBG_KNL, "retransmitting Netlink request (%u/%u)",
+				 try, this->retries);
+		}
+		status = send_once(this, in, seq, &hdr, &len);
+		switch (status)
+		{
+			case SUCCESS:
+				break;
+			case OUT_OF_RES:
+				continue;
+			default:
+				return status;
+		}
+		if (hdr->nlmsg_type == NLMSG_ERROR)
+		{
+			struct nlmsgerr* err;
+
+			err = NLMSG_DATA(hdr);
+			if (err->error == -EBUSY)
+			{
+				free(hdr);
+				try--;
+				continue;
+			}
+			if (this->ignore_retransmit_errors && try > 0)
+			{
+				ignore_retransmit_error(this, err, in->nlmsg_type);
+			}
+		}
+		*out = hdr;
+		*out_len = len;
+		return SUCCESS;
+	}
+	DBG1(DBG_KNL, "Netlink request timed out after %u retransmits",
+		 this->retries);
+	return OUT_OF_RES;
+}
+
 METHOD(netlink_socket_t, netlink_send_ack, status_t,
 	private_netlink_socket_t *this, struct nlmsghdr *in)
 {
@@ -221,8 +534,13 @@ METHOD(netlink_socket_t, destroy, void,
 {
 	if (this->socket != -1)
 	{
+		if (this->parallel)
+		{
+			lib->watcher->remove(lib->watcher, this->socket);
+		}
 		close(this->socket);
 	}
+	this->entries->destroy(this->entries);
 	this->mutex->destroy(this->mutex);
 	free(this);
 }
@@ -230,7 +548,8 @@ METHOD(netlink_socket_t, destroy, void,
 /**
  * Described in header.
  */
-netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names)
+netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
+										bool parallel)
 {
 	private_netlink_socket_t *this;
 	struct sockaddr_nl addr = {
@@ -244,9 +563,19 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names)
 			.destroy = _destroy,
 		},
 		.seq = 200,
-		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
 		.socket = socket(AF_NETLINK, SOCK_RAW, protocol),
+		.entries = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 4),
+		.protocol = protocol,
 		.names = names,
+		.timeout = lib->settings->get_int(lib->settings,
+							"%s.plugins.kernel-netlink.timeout", 0, lib->ns),
+		.retries = lib->settings->get_int(lib->settings,
+							"%s.plugins.kernel-netlink.retries", 0, lib->ns),
+		.ignore_retransmit_errors = lib->settings->get_bool(lib->settings,
+							"%s.plugins.kernel-netlink.ignore_retransmit_errors",
+							FALSE, lib->ns),
+		.parallel = parallel,
 	);
 
 	if (this->socket == -1)
@@ -261,6 +590,10 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names)
 		destroy(this);
 		return NULL;
 	}
+	if (this->parallel)
+	{
+		lib->watcher->add(lib->watcher, this->socket, WATCHER_READ, watch, this);
+	}
 
 	return &this->public;
 }
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
index 069f746d1..66682907d 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -66,8 +66,10 @@ struct netlink_socket_t {
  *
  * @param protocol	protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE)
  * @param names		optional enum names for Netlink messages
+ * @param parallel	support parallel queries on this Netlink socket
  */
-netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names);
+netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
+										bool parallel);
 
 /**
  * Creates an rtattr and adds it to the given netlink message.
diff --git a/src/libhydra/plugins/kernel_netlink/suites/test_socket.c b/src/libhydra/plugins/kernel_netlink/suites/test_socket.c
new file mode 100644
index 000000000..3e8facd0a
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/suites/test_socket.c
@@ -0,0 +1,302 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_suite.h>
+
+#include <threading/thread.h>
+
+#include "../kernel_netlink_shared.h"
+
+/**
+ * Netlink message drop configuration
+ */
+static int drop_interval = 0;
+
+/**
+ * Netlink message drop hook
+ */
+bool netlink_msg_loss(struct nlmsghdr *hdr)
+{
+	static refcount_t i;
+
+	if (drop_interval)
+	{
+		return ref_get(&i) % drop_interval == drop_interval - 1;
+	}
+	return FALSE;
+}
+
+START_TEST(test_echo)
+{
+	netlink_socket_t *s;
+	struct nlmsghdr *out;
+	struct rtmsg *msg;
+	char dst[] = {
+		127,0,0,1
+	};
+	size_t len;
+	netlink_buf_t request = {
+		.hdr = {
+			.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)),
+			.nlmsg_flags = NLM_F_REQUEST,
+			.nlmsg_type = RTM_GETROUTE,
+		},
+	};
+
+	msg = NLMSG_DATA(&request.hdr);
+	msg->rtm_family = AF_INET;
+	netlink_add_attribute(&request.hdr, RTA_DST,
+						  chunk_from_thing(dst), sizeof(request));
+
+	s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0);
+
+	ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS);
+	ck_assert_int_eq(out->nlmsg_type, RTM_NEWROUTE);
+	free(out);
+	s->destroy(s);
+}
+END_TEST
+
+START_TEST(test_echo_dump)
+{
+	netlink_socket_t *s;
+	struct nlmsghdr *out, *current;
+	struct rtgenmsg *msg;
+	size_t len;
+	netlink_buf_t request = {
+		.hdr = {
+			.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)),
+			.nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT,
+			.nlmsg_type = RTM_GETLINK,
+		},
+	};
+
+	s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0);
+	msg = NLMSG_DATA(&request.hdr);
+	msg->rtgen_family = AF_UNSPEC;
+
+	ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS);
+	current = out;
+	while (TRUE)
+	{
+		ck_assert(NLMSG_OK(current, len));
+		if (current->nlmsg_type == NLMSG_DONE)
+		{
+			break;
+		}
+		ck_assert_int_eq(current->nlmsg_type, RTM_NEWLINK);
+		current = NLMSG_NEXT(current, len);
+	}
+	free(out);
+	s->destroy(s);
+}
+END_TEST
+
+CALLBACK(stress, void*,
+	netlink_socket_t *s)
+{
+	struct nlmsghdr *out;
+	struct rtmsg *msg;
+	char dst[] = {
+		127,0,0,1
+	};
+	size_t len;
+	int i;
+	netlink_buf_t request = {
+		.hdr = {
+			.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)),
+			.nlmsg_flags = NLM_F_REQUEST,
+			.nlmsg_type = RTM_GETROUTE,
+		},
+	};
+
+	for (i = 0; i < 10; i++)
+	{
+		msg = NLMSG_DATA(&request.hdr);
+		msg->rtm_family = AF_INET;
+		netlink_add_attribute(&request.hdr, RTA_DST,
+							  chunk_from_thing(dst), sizeof(request));
+
+		ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS);
+		ck_assert_int_eq(out->nlmsg_type, RTM_NEWROUTE);
+		free(out);
+	}
+	return NULL;
+}
+
+CALLBACK(stress_dump, void*,
+	netlink_socket_t *s)
+{
+	struct nlmsghdr *out, *current;
+	struct rtgenmsg *msg;
+	size_t len;
+	int i;
+	netlink_buf_t request = {
+		.hdr = {
+			.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)),
+			.nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT,
+			.nlmsg_type = RTM_GETLINK,
+		},
+	};
+
+	msg = NLMSG_DATA(&request.hdr);
+	msg->rtgen_family = AF_UNSPEC;
+
+	for (i = 0; i < 10; i++)
+	{
+		ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS);
+		current = out;
+		while (TRUE)
+		{
+			ck_assert(NLMSG_OK(current, len));
+			if (current->nlmsg_type == NLMSG_DONE)
+			{
+				break;
+			}
+			ck_assert_int_eq(current->nlmsg_type, RTM_NEWLINK);
+			current = NLMSG_NEXT(current, len);
+		}
+		free(out);
+	}
+	return NULL;
+}
+
+START_TEST(test_stress)
+{
+	thread_t *threads[10];
+	netlink_socket_t *s;
+	int i;
+
+	s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0);
+	for (i = 0; i < countof(threads); i++)
+	{
+		threads[i] = thread_create(stress, s);
+	}
+	for (i = 0; i < countof(threads); i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+	s->destroy(s);
+}
+END_TEST
+
+START_TEST(test_stress_dump)
+{
+	thread_t *threads[10];
+	netlink_socket_t *s;
+	int i;
+
+	s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0);
+	for (i = 0; i < countof(threads); i++)
+	{
+		threads[i] = thread_create(stress_dump, s);
+	}
+	for (i = 0; i < countof(threads); i++)
+	{
+		threads[i]->join(threads[i]);
+	}
+	s->destroy(s);
+}
+END_TEST
+
+START_TEST(test_retransmit_success)
+{
+	netlink_socket_t *s;
+	struct nlmsghdr *out;
+	struct rtgenmsg *msg;
+	size_t len;
+	netlink_buf_t request = {
+		.hdr = {
+			.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)),
+			.nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT,
+			.nlmsg_type = RTM_GETLINK,
+		},
+	};
+
+	drop_interval = 2;
+
+	lib->settings->set_int(lib->settings,
+							"%s.plugins.kernel-netlink.timeout", 100, lib->ns);
+	lib->settings->set_int(lib->settings,
+							"%s.plugins.kernel-netlink.retries", 1, lib->ns);
+
+	s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0);
+	msg = NLMSG_DATA(&request.hdr);
+	msg->rtgen_family = AF_UNSPEC;
+
+	ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS);
+	free(out);
+	s->destroy(s);
+
+	drop_interval = 0;
+}
+END_TEST
+
+START_TEST(test_retransmit_fail)
+{
+	netlink_socket_t *s;
+	struct nlmsghdr *out;
+	struct rtgenmsg *msg;
+	size_t len;
+	netlink_buf_t request = {
+		.hdr = {
+			.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)),
+			.nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT,
+			.nlmsg_type = RTM_GETLINK,
+		},
+	};
+
+	drop_interval = 1;
+
+	lib->settings->set_int(lib->settings,
+							"%s.plugins.kernel-netlink.timeout", 50, lib->ns);
+	lib->settings->set_int(lib->settings,
+							"%s.plugins.kernel-netlink.retries", 3, lib->ns);
+
+	s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0);
+	msg = NLMSG_DATA(&request.hdr);
+	msg->rtgen_family = AF_UNSPEC;
+
+	ck_assert(s->send(s, &request.hdr, &out, &len) == OUT_OF_RES);
+	s->destroy(s);
+
+	drop_interval = 0;
+}
+END_TEST
+
+Suite *socket_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("netlink socket");
+
+	tc = tcase_create("echo");
+	tcase_add_loop_test(tc, test_echo, 0, 2);
+	tcase_add_loop_test(tc, test_echo_dump, 0, 2);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("stress");
+	tcase_add_loop_test(tc, test_stress, 0, 2);
+	tcase_add_loop_test(tc, test_stress_dump, 0, 2);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("retransmit");
+	tcase_add_loop_test(tc, test_retransmit_success, 0, 2);
+	tcase_add_loop_test(tc, test_retransmit_fail, 0, 2);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libhydra/plugins/kernel_netlink/tests.c b/src/libhydra/plugins/kernel_netlink/tests.c
new file mode 100644
index 000000000..136b34d29
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/tests.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+
+#include <hydra.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#include "tests.h"
+#undef TEST_SUITE
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+	{ .suite = x, },
+#include "tests.h"
+	{ .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+	if (init)
+	{
+		dbg_default_set_level(0);
+		lib->processor->set_threads(lib->processor, 8);
+		dbg_default_set_level(1);
+	}
+	else
+	{
+		lib->processor->set_threads(lib->processor, 0);
+		lib->processor->cancel(lib->processor);
+	}
+	return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+	return test_runner_run("kernel-netlink", tests, test_runner_init);
+}
diff --git a/src/libhydra/plugins/kernel_netlink/tests.h b/src/libhydra/plugins/kernel_netlink/tests.h
new file mode 100644
index 000000000..2b6715a78
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/tests.h
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+TEST_SUITE(socket_suite_create)
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index 821ad7710..177d2f23f 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 00ab5ab5a..3b32ba553 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1296,7 +1296,8 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this,
 {
 	pfkey_msg_t response;
 	u_int8_t protocol;
-	u_int32_t spi, reqid;
+	u_int32_t spi;
+	host_t *dst;
 	bool hard;
 
 	DBG2(DBG_KNL, "received an SADB_EXPIRE");
@@ -1309,18 +1310,18 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this,
 
 	protocol = satype2proto(msg->sadb_msg_satype);
 	spi = response.sa->sadb_sa_spi;
-	reqid = response.x_sa2->sadb_x_sa2_reqid;
 	hard = response.lft_hard != NULL;
 
-	if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
+	if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH)
 	{
-		DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and "
-					  "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
-		return;
+		dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
+		if (dst)
+		{
+			hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
+											spi, dst, hard);
+			dst->destroy(dst);
+		}
 	}
-
-	hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
-									spi, hard);
 }
 
 #ifdef SADB_X_MIGRATE
@@ -1387,9 +1388,9 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this,
 							struct sadb_msg* msg)
 {
 	pfkey_msg_t response;
-	u_int32_t spi, reqid;
+	u_int32_t spi;
 	sockaddr_t *sa;
-	host_t *host;
+	host_t *dst, *new;
 
 	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
 
@@ -1407,7 +1408,6 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this,
 	}
 
 	spi = response.sa->sadb_sa_spi;
-	reqid = response.x_sa2->sadb_x_sa2_reqid;
 
 	if (satype2proto(msg->sadb_msg_satype) != IPPROTO_ESP)
 	{
@@ -1415,6 +1415,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this,
 	}
 
 	sa = (sockaddr_t*)(response.dst + 1);
+	dst = host_create_from_sockaddr(sa);
 	switch (sa->sa_family)
 	{
 		case AF_INET:
@@ -1432,12 +1433,16 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this,
 		default:
 			break;
 	}
-
-	host = host_create_from_sockaddr(sa);
-	if (host)
+	if (dst)
 	{
-		hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
-										 spi, host);
+		new = host_create_from_sockaddr(sa);
+		if (new)
+		{
+			hydra->kernel_interface->mapping(hydra->kernel_interface,
+											 IPPROTO_ESP, spi, dst, new);
+			new->destroy(new);
+		}
+		dst->destroy(dst);
 	}
 }
 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
@@ -1518,11 +1523,10 @@ static bool receive_events(private_kernel_pfkey_ipsec_t *this, int fd,
 
 static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this,
 	host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
-	u_int32_t reqid, u_int32_t *spi)
+	u_int32_t *spi)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
-	struct sadb_x_sa2 *sa2;
 	struct sadb_spirange *range;
 	pfkey_msg_t response;
 	u_int32_t received_spi = 0;
@@ -1536,12 +1540,6 @@ static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this,
 	msg->sadb_msg_satype = proto2satype(proto);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 
-	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
-	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
-	sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
-	sa2->sadb_x_sa2_reqid = reqid;
-	PFKEY_EXT_ADD(msg, sa2);
-
 	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
 
@@ -1577,39 +1575,37 @@ static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this,
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+	u_int8_t protocol, u_int32_t *spi)
 {
-	DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-
 	if (get_spi_internal(this, src, dst, protocol,
-						 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
+						 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
+		DBG1(DBG_KNL, "unable to get SPI");
 		return FAILED;
 	}
 
-	DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
+	DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi));
 	return SUCCESS;
 }
 
 METHOD(kernel_ipsec_t, get_cpi, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t reqid, u_int16_t *cpi)
+	u_int16_t *cpi)
 {
 	u_int32_t received_spi = 0;
 
-	DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
+	DBG2(DBG_KNL, "getting CPI");
 
 	if (get_spi_internal(this, src, dst, IPPROTO_COMP,
-						 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
+						 0x100, 0xEFFF, &received_spi) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
+		DBG1(DBG_KNL, "unable to get CPI");
 		return FAILED;
 	}
 
 	*cpi = htons((u_int16_t)ntohl(received_spi));
 
-	DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
+	DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi));
 	return SUCCESS;
 }
 
@@ -1619,8 +1615,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
 	u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
-	bool initiator, bool encap, bool esn, bool inbound,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+	bool initiator, bool encap, bool esn, bool inbound, bool update,
+	linked_list_t *src_ts, linked_list_t *dst_ts)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1638,12 +1634,29 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
 			   tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
 			   chunk_empty, mode, ipcomp, 0, 0, FALSE, FALSE, FALSE, inbound,
-			   NULL, NULL);
+			   update, NULL, NULL);
 		ipcomp = IPCOMP_NONE;
 		/* use transport mode ESP SA, IPComp uses tunnel mode */
 		mode = MODE_TRANSPORT;
 	}
 
+	if (update)
+	{
+		/* As we didn't know the reqid during SPI allocation, we used reqid
+		 * zero. Unfortunately we can't SADB_UPDATE to the new reqid, hence we
+		 * have to delete the SPI allocation state manually. The reqid
+		 * selector does not count for that, therefore we have to delete
+		 * that state before installing the new SA to avoid deleting the
+		 * the new state after installing it. */
+		mark_t zeromark = {0, 0};
+
+		if (this->public.interface.del_sa(&this->public.interface,
+					src, dst, spi, protocol, 0, zeromark) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "deleting SPI allocation SA failed");
+		}
+	}
+
 	memset(&request, 0, sizeof(request));
 
 	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
@@ -1651,7 +1664,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
-	msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
+	msg->sadb_msg_type = SADB_ADD;
 	msg->sadb_msg_satype = proto2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 
@@ -1680,7 +1693,13 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	}
 	else
 	{
+		/* Linux interprets sadb_sa_replay as number of packets/bits in the
+		 * replay window, whereas on BSD it's the size of the window in bytes */
+#ifdef __linux__
 		sa->sadb_sa_replay = min(replay_window, 32);
+#else
+		sa->sadb_sa_replay = (replay_window + 7) / 8;
+#endif
 		sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, int_alg);
 		sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg);
 	}
@@ -2969,6 +2988,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 {
 	private_kernel_pfkey_ipsec_t *this;
 	bool register_for_events = TRUE;
+	int rcv_buffer;
 
 	INIT(this,
 		.public = {
@@ -3025,6 +3045,18 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 			return NULL;
 		}
 
+		rcv_buffer = lib->settings->get_int(lib->settings,
+					"%s.plugins.kernel-pfkey.events_buffer_size", 0, lib->ns);
+		if (rcv_buffer > 0)
+		{
+			if (setsockopt(this->socket_events, SOL_SOCKET, SO_RCVBUF,
+						   &rcv_buffer, sizeof(rcv_buffer)) == -1)
+			{
+				DBG1(DBG_KNL, "unable to set receive buffer size on PF_KEY "
+					 "event socket: %s", strerror(errno));
+			}
+		}
+
 		/* register the event socket */
 		if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
 			register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index 662f2fd7d..9f676d21d 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index 26fae0d6b..0f7802270 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -830,6 +830,15 @@ static void process_link(private_kernel_pfroute_net_t *this,
 					DBG1(DBG_KNL, "interface %s deactivated", iface->ifname);
 				}
 			}
+#ifdef __APPLE__
+			/* There seems to be a race condition on 10.10, where we get
+			 * the RTM_IFINFO, but getifaddrs() does not return the virtual
+			 * IP installed on a tun device, but we also don't get a
+			 * RTM_NEWADDR. We therefore could miss the new address, letting
+			 * virtual IP installation fail. Delaying getifaddrs() helps,
+			 * but is obviously not a clean fix. */
+			usleep(50000);
+#endif
 			iface->flags = msg->ifm_flags;
 			repopulate_iface(this, iface);
 			found = TRUE;
diff --git a/src/libhydra/tests/Makefile.am b/src/libhydra/tests/Makefile.am
new file mode 100644
index 000000000..5acd5c28c
--- /dev/null
+++ b/src/libhydra/tests/Makefile.am
@@ -0,0 +1,18 @@
+TESTS = hydra_tests
+
+check_PROGRAMS = $(TESTS)
+
+hydra_tests_SOURCES = \
+  hydra_tests.h hydra_tests.c
+
+hydra_tests_CFLAGS = \
+  -I$(top_srcdir)/src/libhydra \
+  -I$(top_srcdir)/src/libstrongswan \
+  -I$(top_srcdir)/src/libstrongswan/tests \
+  @COVERAGE_CFLAGS@
+
+hydra_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+hydra_tests_LDADD = \
+  $(top_builddir)/src/libhydra/libhydra.la \
+  $(top_builddir)/src/libstrongswan/libstrongswan.la \
+  $(top_builddir)/src/libstrongswan/tests/libtest.la
diff --git a/src/libhydra/tests/Makefile.in b/src/libhydra/tests/Makefile.in
new file mode 100644
index 000000000..1fa889d67
--- /dev/null
+++ b/src/libhydra/tests/Makefile.in
@@ -0,0 +1,839 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+TESTS = hydra_tests$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
+subdir = src/libhydra/tests
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__EXEEXT_1 = hydra_tests$(EXEEXT)
+am_hydra_tests_OBJECTS = hydra_tests-hydra_tests.$(OBJEXT)
+hydra_tests_OBJECTS = $(am_hydra_tests_OBJECTS)
+hydra_tests_DEPENDENCIES = $(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+hydra_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(hydra_tests_CFLAGS) \
+	$(CFLAGS) $(hydra_tests_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(hydra_tests_SOURCES)
+DIST_SOURCES = $(hydra_tests_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__tty_colors_dummy = \
+  mgn= red= grn= lgn= blu= brg= std=; \
+  am__color_tests=no
+am__tty_colors = { \
+  $(am__tty_colors_dummy); \
+  if test "X$(AM_COLOR_TESTS)" = Xno; then \
+    am__color_tests=no; \
+  elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+    am__color_tests=yes; \
+  elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+    am__color_tests=yes; \
+  fi; \
+  if test $$am__color_tests = yes; then \
+    red=''; \
+    grn=''; \
+    lgn=''; \
+    blu=''; \
+    mgn=''; \
+    brg=''; \
+    std=''; \
+  fi; \
+}
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+hydra_tests_SOURCES = \
+  hydra_tests.h hydra_tests.c
+
+hydra_tests_CFLAGS = \
+  -I$(top_srcdir)/src/libhydra \
+  -I$(top_srcdir)/src/libstrongswan \
+  -I$(top_srcdir)/src/libstrongswan/tests \
+  @COVERAGE_CFLAGS@
+
+hydra_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+hydra_tests_LDADD = \
+  $(top_builddir)/src/libhydra/libhydra.la \
+  $(top_builddir)/src/libstrongswan/libstrongswan.la \
+  $(top_builddir)/src/libstrongswan/tests/libtest.la
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/tests/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libhydra/tests/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+
+hydra_tests$(EXEEXT): $(hydra_tests_OBJECTS) $(hydra_tests_DEPENDENCIES) $(EXTRA_hydra_tests_DEPENDENCIES) 
+	@rm -f hydra_tests$(EXEEXT)
+	$(AM_V_CCLD)$(hydra_tests_LINK) $(hydra_tests_OBJECTS) $(hydra_tests_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra_tests-hydra_tests.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+hydra_tests-hydra_tests.o: hydra_tests.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -MT hydra_tests-hydra_tests.o -MD -MP -MF $(DEPDIR)/hydra_tests-hydra_tests.Tpo -c -o hydra_tests-hydra_tests.o `test -f 'hydra_tests.c' || echo '$(srcdir)/'`hydra_tests.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hydra_tests-hydra_tests.Tpo $(DEPDIR)/hydra_tests-hydra_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hydra_tests.c' object='hydra_tests-hydra_tests.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -c -o hydra_tests-hydra_tests.o `test -f 'hydra_tests.c' || echo '$(srcdir)/'`hydra_tests.c
+
+hydra_tests-hydra_tests.obj: hydra_tests.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -MT hydra_tests-hydra_tests.obj -MD -MP -MF $(DEPDIR)/hydra_tests-hydra_tests.Tpo -c -o hydra_tests-hydra_tests.obj `if test -f 'hydra_tests.c'; then $(CYGPATH_W) 'hydra_tests.c'; else $(CYGPATH_W) '$(srcdir)/hydra_tests.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hydra_tests-hydra_tests.Tpo $(DEPDIR)/hydra_tests-hydra_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hydra_tests.c' object='hydra_tests-hydra_tests.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -c -o hydra_tests-hydra_tests.obj `if test -f 'hydra_tests.c'; then $(CYGPATH_W) 'hydra_tests.c'; else $(CYGPATH_W) '$(srcdir)/hydra_tests.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	$(am__tty_colors); \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=XPASS; \
+	      ;; \
+	      *) \
+		col=$$grn; res=PASS; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xfail=`expr $$xfail + 1`; \
+		col=$$lgn; res=XFAIL; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=FAIL; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      col=$$blu; res=SKIP; \
+	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
+	  done; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="$$All$$all $$tests passed"; \
+	    else \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all $$tests failed"; \
+	    else \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
+	    else \
+	      skipped="($$skip tests were not run)"; \
+	    fi; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  if test "$$failed" -eq 0; then \
+	    col="$$grn"; \
+	  else \
+	    col="$$red"; \
+	  fi; \
+	  echo "$${col}$$dashes$${std}"; \
+	  echo "$${col}$$banner$${std}"; \
+	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+	  test -z "$$report" || echo "$${col}$$report$${std}"; \
+	  echo "$${col}$$dashes$${std}"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
+	clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \
+	ctags ctags-am distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-am uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libhydra/tests/hydra_tests.c b/src/libhydra/tests/hydra_tests.c
new file mode 100644
index 000000000..90abd8369
--- /dev/null
+++ b/src/libhydra/tests/hydra_tests.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+#include <hydra.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
+#include "hydra_tests.h"
+#undef TEST_SUITE
+#undef TEST_SUITE_DEPEND
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+	{ .suite = x, },
+#define TEST_SUITE_DEPEND(x, type, args) \
+	{ .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#include "hydra_tests.h"
+	{ .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+	if (init)
+	{
+		libhydra_init();
+	}
+	else
+	{
+		lib->processor->set_threads(lib->processor, 0);
+		lib->processor->cancel(lib->processor);
+		libhydra_deinit();
+	}
+	return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+	return test_runner_run("libhydra", tests, test_runner_init);
+}
diff --git a/src/libhydra/tests/hydra_tests.h b/src/libhydra/tests/hydra_tests.h
new file mode 100644
index 000000000..6b213d026
--- /dev/null
+++ b/src/libhydra/tests/hydra_tests.h
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am
index d9a5cd50d..a61382723 100644
--- a/src/libimcv/Makefile.am
+++ b/src/libimcv/Makefile.am
@@ -127,7 +127,8 @@ imv_policy_manager_SOURCES = \
 	imv/imv_policy_manager.c \
 	imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c
 imv_policy_manager_LDADD = \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libtncif/libtncif.la
 #imv/imv_policy_manager.o :	$(top_builddir)/config.status
 
 SUBDIRS = .
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index 239e62a17..03778a22c 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -237,7 +237,8 @@ am_imv_policy_manager_OBJECTS = imv/imv_policy_manager.$(OBJEXT) \
 	imv/imv_policy_manager_usage.$(OBJEXT)
 imv_policy_manager_OBJECTS = $(am_imv_policy_manager_OBJECTS)
 imv_policy_manager_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libtncif/libtncif.la
 SCRIPTS = $(ipsec_SCRIPTS)
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -395,6 +396,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -455,10 +457,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -532,6 +536,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -708,7 +714,8 @@ imv_policy_manager_SOURCES = \
 	imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c
 
 imv_policy_manager_LDADD = \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libtncif/libtncif.la
 
 #imv/imv_policy_manager.o :	$(top_builddir)/config.status
 SUBDIRS = . $(am__append_3) $(am__append_4) $(am__append_5) \
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
index 425748f59..ff6191117 100644
--- a/src/libimcv/imv/data.sql
+++ b/src/libimcv/imv/data.sql
@@ -323,6 +323,71 @@ INSERT INTO products (			/* 54 */
  'Debian 7.6 armv6l'
 );
 
+INSERT INTO products (			/* 55 */
+  name
+) VALUES (
+ 'Debian 7.7 i686'
+);
+
+INSERT INTO products (			/* 56 */
+  name
+) VALUES (
+ 'Debian 7.7 x86_64'
+);
+INSERT INTO products (			/* 57 */
+  name
+) VALUES (
+ 'Debian 7.7 armv6l'
+);
+
+INSERT INTO products (			/* 58 */
+  name
+) VALUES (
+ 'Debian 7.8 i686'
+);
+
+INSERT INTO products (			/* 59 */
+  name
+) VALUES (
+ 'Debian 7.8 x86_64'
+);
+
+INSERT INTO products (			/* 60 */
+  name
+) VALUES (
+ 'Debian 7.8 armv6l'
+);
+
+INSERT INTO products (			/* 61 */
+  name
+) VALUES (
+ 'Ubuntu 14.10 i686'
+);
+
+INSERT INTO products (			/* 62 */
+  name
+) VALUES (
+ 'Ubuntu 14.10 x86_64'
+);
+
+INSERT INTO products (			/* 63 */
+  name
+) VALUES (
+ 'Android 5.0'
+);
+
+INSERT INTO products (			/* 64 */
+  name
+) VALUES (
+ 'Android 5.0.1'
+);
+
+INSERT INTO products (			/* 65 */
+  name
+) VALUES (
+ 'Debian 7.8 armv7l'
+);
+
 /* Directories */
 
 INSERT INTO directories (		/*  1 */
@@ -741,6 +806,18 @@ INSERT INTO groups (			/* 14 */
   'Debian armv6l', 2
 );
 
+INSERT INTO groups (			/* 15 */
+  name, parent
+) VALUES (
+  'Debian armv7l', 2
+);
+
+INSERT INTO groups (            /* 16 */
+  name
+) VALUES (
+  'TPM TBOOT'
+);
+
 /* Default Product Groups */
 
 INSERT INTO groups_product_defaults (
@@ -800,6 +877,18 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  4, 55
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 58
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   5, 2
 );
 
@@ -854,6 +943,18 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  5, 56
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 59
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   6, 9
 );
 
@@ -902,6 +1003,12 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  6, 61
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   7, 8
 );
 
@@ -956,6 +1063,12 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  7, 62
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   3, 21
 );
 
@@ -1016,6 +1129,18 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  3, 63
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 64
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   3, 51
 );
 
@@ -1061,6 +1186,24 @@ INSERT INTO groups_product_defaults (
   14, 54
 );
 
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  14, 57
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  14, 60
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  15, 65
+);
+
 /* Policies */
 
 INSERT INTO policies (			/*  1 */
@@ -1189,6 +1332,12 @@ INSERT INTO policies (          /* 21 */
   16, 'TPM BIOS/IMA Measurements', 'BI', 2, 2
 );
 
+INSERT INTO policies (          /* 22 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  16, 'TPM TBOOT Measurements', 'T', 2, 2
+);
+
 /* Enforcements */
 
 INSERT INTO enforcements (		/*  1 */
@@ -1293,6 +1442,12 @@ INSERT INTO enforcements (      /* 17 */
   21, 13, 60
 );
 
+INSERT INTO enforcements (      /* 18 */
+  policy, group_id, max_age
+) VALUES (
+  22, 16, 60
+);
+
 /* swid_entities */
 
 INSERT INTO "swid_entities" (		/*  1 */
diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c
index 6b24f4b28..d0508624d 100644
--- a/src/libimcv/imv/imv_agent.c
+++ b/src/libimcv/imv/imv_agent.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2014 Andreas Steffen
+ * Copyright (C) 2011-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -412,14 +412,10 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 {
 	TNC_ConnectionID conn_id;
 	char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL;
-	bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE, first = TRUE;
+	bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE;
 	linked_list_t *ar_identities;
-	enumerator_t *enumerator;
-	tncif_identity_t *tnc_id;
 	imv_session_t *session;
 	uint32_t max_msg_len;
-	uint32_t ar_id_type = TNC_ID_UNKNOWN;
-	chunk_t ar_id_value = chunk_empty;
 
 	conn_id = state->get_connection_id(state);
 	if (find_connection(this, conn_id))
@@ -431,15 +427,24 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 	}
 
 	/* Get and display attributes from TNCS via IF-IMV */
-	has_long = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_LONG_TYPES);
-	has_excl = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_EXCLUSIVE);
-	has_soh  = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_SOH);
-	tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL);
-	tnccs_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_VERSION);
-	t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL);
-	t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION);
-	max_msg_len = get_uint_attribute(this, conn_id, TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE);
-	ar_identities = get_identity_attribute(this, conn_id, TNC_ATTRIBUTEID_AR_IDENTITIES);
+	has_long = get_bool_attribute(this, conn_id,
+									TNC_ATTRIBUTEID_HAS_LONG_TYPES);
+	has_excl = get_bool_attribute(this, conn_id,
+									TNC_ATTRIBUTEID_HAS_EXCLUSIVE);
+	has_soh  = get_bool_attribute(this, conn_id,
+									TNC_ATTRIBUTEID_HAS_SOH);
+	tnccs_p = get_str_attribute(this, conn_id,
+									TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL);
+	tnccs_v = get_str_attribute(this, conn_id,
+									TNC_ATTRIBUTEID_IFTNCCS_VERSION);
+	t_p = get_str_attribute(this, conn_id,
+									TNC_ATTRIBUTEID_IFT_PROTOCOL);
+	t_v = get_str_attribute(this, conn_id,
+									TNC_ATTRIBUTEID_IFT_VERSION);
+	max_msg_len = get_uint_attribute(this, conn_id,
+									TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE);
+	ar_identities = get_identity_attribute(this, conn_id,
+									TNC_ATTRIBUTEID_AR_IDENTITIES);
 
 	state->set_flags(state, has_long, has_excl);
 	state->set_max_msg_len(state, max_msg_len);
@@ -451,48 +456,9 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 	DBG2(DBG_IMV, "  over %s %s with maximum PA-TNC message size of %u bytes",
 				  t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len);
 
-	enumerator = ar_identities->create_enumerator(ar_identities);
-	while (enumerator->enumerate(enumerator, &tnc_id))
-	{
-		pen_type_t id_type, subject_type, auth_type;
-		uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type;
-		chunk_t id_value;
-
-		id_type = tnc_id->get_identity_type(tnc_id);
-		id_value = tnc_id->get_identity_value(tnc_id);
-		subject_type = tnc_id->get_subject_type(tnc_id);
-		auth_type = tnc_id->get_auth_type(tnc_id);
-
-		tcg_id_type =      (id_type.vendor_id == PEN_TCG) ?
-							id_type.type : TNC_ID_UNKNOWN;
-		tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ?
-							subject_type.type : TNC_SUBJECT_UNKNOWN;
-		tcg_auth_type =    (auth_type.vendor_id == PEN_TCG) ?
-							auth_type.type : TNC_AUTH_UNKNOWN;
-
-
-		DBG2(DBG_IMV, "  %N AR identity '%.*s' authenticated by %N",
-			 TNC_Subject_names, tcg_subject_type,
-			 id_value.len, id_value.ptr,
-			 TNC_Authentication_names, tcg_auth_type);
-
-		/* keep the first access requestor ID */
-		if (first)
-		{
-			ar_id_type = tcg_id_type;
-			ar_id_value = id_value;
-			first = FALSE;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	session = imcv_sessions->add_session(imcv_sessions, conn_id,
-										 ar_id_type, ar_id_value);
+	session = imcv_sessions->add_session(imcv_sessions, conn_id, ar_identities);
 	state->set_session(state, session);
 
-	/* clean up temporary variables */
-	ar_identities->destroy_offset(ar_identities,
-						   offsetof(tncif_identity_t, destroy));
 	free(tnccs_p);
 	free(tnccs_v);
 	free(t_p);
diff --git a/src/libimcv/imv/imv_database.c b/src/libimcv/imv/imv_database.c
index 0c4bb7514..0a18cd71b 100644
--- a/src/libimcv/imv/imv_database.c
+++ b/src/libimcv/imv/imv_database.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -22,6 +22,8 @@
 
 #include "imv_database.h"
 
+#include <tncif_identity.h>
+
 #include <utils/debug.h>
 #include <threading/mutex.h>
 
@@ -60,41 +62,14 @@ METHOD(imv_database_t, get_database, database_t*,
  */
 static bool create_session(private_imv_database_t *this, imv_session_t *session)
 {
-	enumerator_t *e;
+	enumerator_t *enumerator, *e;
 	imv_os_info_t *os_info;
-	chunk_t device_id, ar_id_value;
+	chunk_t device_id;
+	tncif_identity_t *tnc_id;
 	TNC_ConnectionID conn_id;
-	uint32_t ar_id_type;
 	char *product, *device;
-	int session_id = 0, ar_id = 0, pid = 0, did = 0, trusted = 0, created;
-
-	ar_id_value = session->get_ar_id(session, &ar_id_type);
-	if (ar_id_value.len)
-	{
-		/* get primary key of AR identity if it exists */
-		e = this->db->query(this->db,
-				"SELECT id FROM identities WHERE type = ? AND value = ?",
-				DB_INT, ar_id_type, DB_BLOB, ar_id_value, DB_INT);
-		if (e)
-		{
-			e->enumerate(e, &ar_id);
-			e->destroy(e);
-		}
-
-		/* if AR identity has not been found - register it */
-		if (!ar_id)
-		{
-			this->db->execute(this->db, &ar_id,
-				"INSERT INTO identities (type, value) VALUES (?, ?)",
-				 DB_INT, ar_id_type, DB_BLOB, ar_id_value);
-		}
-
-		if (!ar_id)
-		{
-			DBG1(DBG_IMV, "imv_db: registering access requestor failed");
-			return FALSE;
-		}
-	}
+	int session_id = 0, pid = 0, did = 0, trusted = 0, created;
+	bool first = TRUE, success = TRUE;
 
 	/* get product info string */
 	os_info = session->get_os_info(session);
@@ -170,10 +145,9 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session)
 	created = session->get_creation_time(session);
 	conn_id = session->get_connection_id(session);
 	this->db->execute(this->db, &session_id,
-			"INSERT INTO sessions (time, connection, identity, product, device) "
-			"VALUES (?, ?, ?, ?, ?)",
-			DB_INT, created, DB_INT, conn_id, DB_INT, ar_id,
-			DB_INT, pid, DB_INT, did);
+			"INSERT INTO sessions (time, connection, product, device) "
+			"VALUES (?, ?, ?, ?)",
+			DB_INT, created, DB_INT, conn_id, DB_INT, pid, DB_INT, did);
 
 	if (session_id)
 	{
@@ -187,7 +161,68 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session)
 	}
 	session->set_session_id(session, session_id, pid, did);
 
-	return TRUE;
+	enumerator = session->create_ar_identities_enumerator(session);
+	while (enumerator->enumerate(enumerator, &tnc_id))
+	{
+		pen_type_t ar_id_type;
+		chunk_t ar_id_value;
+		int ar_id = 0, si_id = 0;
+
+		ar_id_type = tnc_id->get_identity_type(tnc_id);
+		ar_id_value = tnc_id->get_identity_value(tnc_id);
+
+		if (ar_id_type.vendor_id != PEN_TCG || ar_id_value.len == 0)
+		{
+			continue;
+		}
+
+		/* get primary key of AR identity if it exists */
+		e = this->db->query(this->db,
+				"SELECT id FROM identities WHERE type = ? AND value = ?",
+				DB_INT, ar_id_type.type, DB_BLOB, ar_id_value, DB_INT);
+		if (e)
+		{
+			e->enumerate(e, &ar_id);
+			e->destroy(e);
+		}
+
+		/* if AR identity has not been found - register it */
+		if (!ar_id)
+		{
+			this->db->execute(this->db, &ar_id,
+				"INSERT INTO identities (type, value) VALUES (?, ?)",
+				 DB_INT, ar_id_type.type, DB_BLOB, ar_id_value);
+		}
+		if (!ar_id)
+		{
+			DBG1(DBG_IMV, "imv_db: registering access requestor failed");
+			success = FALSE;
+			break;
+		}
+
+		this->db->execute(this->db, &si_id,
+				"INSERT INTO sessions_identities (session_id, identity_id) "
+				"VALUES (?, ?)",
+				 DB_INT, session_id, DB_INT, ar_id);
+
+		if (!si_id)
+		{
+			DBG1(DBG_IMV, "imv_db: assigning identity to session failed");
+			success = FALSE;
+			break;
+		}
+
+		if (first)
+		{
+			this->db->execute(this->db, NULL,
+				"UPDATE sessions SET identity = ? WHERE id = ?",
+				 DB_INT, ar_id, DB_INT, session_id);
+			first = FALSE;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return success;
 }
 
 static bool add_workitems(private_imv_database_t *this, imv_session_t *session)
diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c
index 50f7f2e39..9f7e4e8f4 100644
--- a/src/libimcv/imv/imv_policy_manager.c
+++ b/src/libimcv/imv/imv_policy_manager.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -19,6 +19,8 @@
 #include <library.h>
 #include <utils/debug.h>
 
+#include <tncif_names.h>
+
 #include <stdlib.h>
 #include <stdio.h>
 #include <time.h>
@@ -251,9 +253,12 @@ static bool policy_start(database_t *db, int session_id)
 static bool policy_stop(database_t *db, int session_id)
 {
 	enumerator_t *e;
-	int rec, policy;
-	char *result;
+	int rec, policy, final_rec, id_type;
+	chunk_t id_value;
+	char *result, *ip_address = NULL;
+	bool success = TRUE;
 
+	/* store all workitem results for this session in the results table */
 	e = db->query(db,
 			"SELECT w.rec_final, w.result, e.policy FROM workitems AS w "
 			"JOIN enforcements AS e ON w.enforcement = e.id "
@@ -270,9 +275,68 @@ static bool policy_stop(database_t *db, int session_id)
 		}
 		e->destroy(e);
 	}
-	return db->execute(db, NULL,
-				"DELETE FROM workitems WHERE session = ?",
-				DB_UINT, session_id) >= 0;
+	else
+	{
+		success = FALSE;
+	}
+
+	/* delete all workitems for this session from the database */
+	if (db->execute(db, NULL,
+					"DELETE FROM workitems WHERE session = ?",
+					DB_UINT, session_id) < 0)
+	{
+		success = FALSE;
+	}
+
+	final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+
+	/* retrieve the final recommendation for this session */
+	e = db->query(db,
+			"SELECT rec FROM sessions WHERE id = ?",
+			 DB_INT, session_id, DB_INT);
+	if (e)
+	{
+		if (!e->enumerate(e, &final_rec))
+		{
+			success = FALSE;
+		}
+		e->destroy(e);
+	}
+	else
+	{
+		success = FALSE;
+	}
+
+	/* retrieve client IP address for this session */
+	e = db->query(db,
+			"SELECT i.type, i.value FROM identities AS i "
+			"JOIN sessions_identities AS si ON si.identity_id = i.id "
+			"WHERE si.session_id = ? AND (i.type = ? OR i.type = ?)",
+			 DB_INT, session_id, DB_INT, TNC_ID_IPV4_ADDR, DB_INT,
+			 TNC_ID_IPV6_ADDR, DB_INT, DB_BLOB);
+	if (e)
+	{
+		if (e->enumerate(e, &id_type, &id_value))
+		{
+			ip_address = strndup(id_value.ptr, id_value.len);
+		}
+		else
+		{
+			success = FALSE;
+		}
+		e->destroy(e);
+	}
+	else
+	{
+		success = FALSE;
+	}
+
+	fprintf(stderr, "recommendation for access requestor %s is %N\n",
+			ip_address ? ip_address : "0.0.0.0",
+			TNC_IMV_Action_Recommendation_names, final_rec);
+	free(ip_address);
+
+	return success;
 }
 
 int main(int argc, char *argv[])
diff --git a/src/libimcv/imv/imv_session.c b/src/libimcv/imv/imv_session.c
index 1f0d8cf14..bc6b5a8d1 100644
--- a/src/libimcv/imv/imv_session.c
+++ b/src/libimcv/imv/imv_session.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,6 +15,8 @@
 
 #include "imv_session.h"
 
+#include <tncif_identity.h>
+
 #include <utils/debug.h>
 
 typedef struct private_imv_session_t private_imv_session_t;
@@ -55,14 +57,9 @@ struct private_imv_session_t {
 	time_t created;
 
 	/**
-	 * Access Requestor ID type
-	 */
-	uint32_t ar_id_type;
-
-	/**
-	 * Access Requestor ID value
+	 * List of Access Requestor identities
 	 */
-	chunk_t ar_id_value;
+	linked_list_t *ar_identities;
 
 	/**
 	 * OS information
@@ -130,14 +127,10 @@ METHOD(imv_session_t, get_creation_time, time_t,
 	return this->created;
 }
 
-METHOD(imv_session_t, get_ar_id, chunk_t,
-	private_imv_session_t *this, uint32_t *ar_id_type)
+METHOD(imv_session_t, create_ar_identities_enumerator, enumerator_t*,
+	private_imv_session_t *this)
 {
-	if (ar_id_type)
-	{
-		*ar_id_type = this->ar_id_type;
-	}
-	return this->ar_id_value;
+	return this->ar_identities->create_enumerator(this->ar_identities);
 }
 
 METHOD(imv_session_t, get_os_info, imv_os_info_t*,
@@ -256,7 +249,8 @@ METHOD(imv_session_t, destroy, void,
 		this->workitems->destroy_offset(this->workitems,
 								 offsetof(imv_workitem_t, destroy));
 		this->os_info->destroy(this->os_info);
-		free(this->ar_id_value.ptr);
+		this->ar_identities->destroy_offset(this->ar_identities,
+									 offsetof(tncif_identity_t, destroy));
 		free(this->device_id.ptr);
 		free(this);
 	}
@@ -266,7 +260,7 @@ METHOD(imv_session_t, destroy, void,
  * See header
  */
 imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created,
-								  uint32_t ar_id_type, chunk_t ar_id_value)
+								  linked_list_t *ar_identities)
 {
 	private_imv_session_t *this;
 
@@ -276,7 +270,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created,
 			.get_session_id = _get_session_id,
 			.get_connection_id = _get_connection_id,
 			.get_creation_time = _get_creation_time,
-			.get_ar_id = _get_ar_id,
+			.create_ar_identities_enumerator = _create_ar_identities_enumerator,
 			.get_os_info = _get_os_info,
 			.set_device_id = _set_device_id,
 			.get_device_id = _get_device_id,
@@ -293,8 +287,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created,
 		},
 		.conn_id = conn_id,
 		.created = created,
-		.ar_id_type = ar_id_type,
-		.ar_id_value = chunk_clone(ar_id_value),
+		.ar_identities = ar_identities,
 		.os_info = imv_os_info_create(),
 		.workitems = linked_list_create(),
 		.ref = 1,
diff --git a/src/libimcv/imv/imv_session.h b/src/libimcv/imv/imv_session.h
index 42b9118a6..107716f30 100644
--- a/src/libimcv/imv/imv_session.h
+++ b/src/libimcv/imv/imv_session.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -70,12 +70,11 @@ struct imv_session_t {
 	time_t (*get_creation_time)(imv_session_t *this);
 
 	/**
-	 * Get Access Requestor ID
+	 * Get list of Access Requestor identities
 	 *
-	 * @param id_type		Access Requestor TCG Standard ID Type
-	 * @return				Access Requestor TCG Standard ID Value
+	 * @return				List of Access Requestor identities
 	 */
-	chunk_t (*get_ar_id)(imv_session_t *this, uint32_t *id_type);
+	enumerator_t* (*create_ar_identities_enumerator)(imv_session_t *this);
 
 	/**
 	 * Get OS Information
@@ -172,10 +171,9 @@ struct imv_session_t {
  *
  * @param id				Associated Connection ID
  * @param created			Session creation time
- * @param ar_id_type		Access Requestor ID type
- * @param ar_id_value		Access Requestor ID value
+ * @param ar_identities		List of Access Requestor identities
  */
 imv_session_t* imv_session_create(TNC_ConnectionID id, time_t created,
-								  uint32_t ar_id_type, chunk_t ar_id_value);
+								  linked_list_t *ar_identities);
 
 #endif /**  IMV_SESSION_H_ @}*/
diff --git a/src/libimcv/imv/imv_session_manager.c b/src/libimcv/imv/imv_session_manager.c
index 0fb8de45e..c97602998 100644
--- a/src/libimcv/imv/imv_session_manager.c
+++ b/src/libimcv/imv/imv_session_manager.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,6 +15,9 @@
 
 #include "imv_session_manager.h"
 
+#include <tncif_names.h>
+#include <tncif_identity.h>
+
 #include <threading/mutex.h>
 
 typedef struct private_imv_session_manager_t private_imv_session_manager_t;
@@ -43,9 +46,10 @@ struct private_imv_session_manager_t {
 
 METHOD(imv_session_manager_t, add_session, imv_session_t*,
 	private_imv_session_manager_t *this, TNC_ConnectionID conn_id,
-	uint32_t ar_id_type, chunk_t ar_id_value)
+	linked_list_t *ar_identities)
 {
 	enumerator_t *enumerator;
+	tncif_identity_t *tnc_id;
 	imv_session_t *current, *session = NULL;
 	time_t created;
 
@@ -66,13 +70,43 @@ METHOD(imv_session_manager_t, add_session, imv_session_t*,
 	/* session already exists */
 	if (session)
 	{
+		ar_identities->destroy_offset(ar_identities,
+							   offsetof(tncif_identity_t, destroy));
 		this->mutex->unlock(this->mutex);
 		return session->get_ref(session);
 	}
 
+	/* Output list of Access Requestor identities */
+	enumerator = ar_identities->create_enumerator(ar_identities);
+	while (enumerator->enumerate(enumerator, &tnc_id))
+	{
+		pen_type_t id_type, subject_type, auth_type;
+		uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type;
+		chunk_t id_value;
+
+		id_type = tnc_id->get_identity_type(tnc_id);
+		id_value = tnc_id->get_identity_value(tnc_id);
+		subject_type = tnc_id->get_subject_type(tnc_id);
+		auth_type = tnc_id->get_auth_type(tnc_id);
+
+		tcg_id_type = (subject_type.vendor_id == PEN_TCG) ?
+							id_type.type : TNC_SUBJECT_UNKNOWN;
+		tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ?
+							subject_type.type : TNC_SUBJECT_UNKNOWN;
+		tcg_auth_type =    (auth_type.vendor_id == PEN_TCG) ?
+							auth_type.type : TNC_AUTH_UNKNOWN;
+
+		DBG2(DBG_IMV, "  %N AR identity '%.*s' of type %N authenticated by %N",
+			 TNC_Subject_names, tcg_subject_type,
+			 id_value.len, id_value.ptr,
+			 TNC_Identity_names, tcg_id_type,
+			 TNC_Authentication_names, tcg_auth_type);
+	}
+	enumerator->destroy(enumerator);
+
 	/* create a new session entry */
 	created = time(NULL);
-	session = imv_session_create(conn_id, created, ar_id_type, ar_id_value);
+	session = imv_session_create(conn_id, created, ar_identities);
 	this->sessions->insert_last(this->sessions, session);
 
 	this->mutex->unlock(this->mutex);
diff --git a/src/libimcv/imv/imv_session_manager.h b/src/libimcv/imv/imv_session_manager.h
index 8a733accb..cfae23bc9 100644
--- a/src/libimcv/imv/imv_session_manager.h
+++ b/src/libimcv/imv/imv_session_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -39,13 +39,12 @@ struct imv_session_manager_t {
 	 * Create or get a session associated with a TNCCS connection
 	 *
 	 * @param conn_id		TNCCS Connection ID
-	 * @param ar_id_type	Access Requestor identity type
-	 * @param ar_id_value	Access Requestor identity value
+	 * @param ar_identities	List of Access Requestor identities
 	 * @return				Session associated with TNCCS Connection
 	 */
 	 imv_session_t* (*add_session)(imv_session_manager_t *this,
 								   TNC_ConnectionID conn_id,
-								   uint32_t ar_id_type, chunk_t ar_id_value);
+								   linked_list_t *ar_identities);
 
 	/**
 	 * Remove a session
diff --git a/src/libimcv/imv/tables-mysql.sql b/src/libimcv/imv/tables-mysql.sql
index 47ee41c86..cf50742c3 100644
--- a/src/libimcv/imv/tables-mysql.sql
+++ b/src/libimcv/imv/tables-mysql.sql
@@ -99,6 +99,14 @@ CREATE TABLE `sessions` (
   `rec` INTEGER DEFAULT 3
 );
 
+DROP TABLE IF EXISTS `sessions_identities`;
+CREATE TABLE `sessions_identities` (
+  `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+  `session_id` INTEGER NOT NULL REFERENCES `sessions`(`id`),
+  `identity_id` INTEGER NOT NULL REFERENCES `identities`(`id`),
+  UNIQUE (`session_id`, `identity_id`)
+);
+
 DROP TABLE IF EXISTS `workitems`;
 CREATE TABLE `workitems` (
   `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql
index f7324896e..5c2a6563b 100644
--- a/src/libimcv/imv/tables.sql
+++ b/src/libimcv/imv/tables.sql
@@ -104,6 +104,14 @@ CREATE TABLE sessions (
   rec INTEGER DEFAULT 3
 );
 
+DROP TABLE IF EXISTS sessions_identities;
+CREATE TABLE sessions_identities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  session_id INTEGER NOT NULL REFERENCES sessions(id),
+  identity_id INTEGER NOT NULL REFERENCES identities(id),
+  UNIQUE (session_id, identity_id)
+);
+
 DROP TABLE IF EXISTS workitems;
 CREATE TABLE workitems (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
diff --git a/src/libimcv/plugins/imc_attestation/Makefile.in b/src/libimcv/plugins/imc_attestation/Makefile.in
index 3c5017f32..8ad56181e 100644
--- a/src/libimcv/plugins/imc_attestation/Makefile.in
+++ b/src/libimcv/plugins/imc_attestation/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c
index 2fc2998e1..f24aec881 100644
--- a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c
+++ b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c
@@ -137,7 +137,11 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
 			{
 				return FALSE;
 			}
-			pts->get_my_public_value(pts, &responder_value, &responder_nonce);
+			if (!pts->get_my_public_value(pts, &responder_value,
+										  &responder_nonce))
+			{
+				return FALSE;
+			}
 
 			/* Send DH Nonce Parameters Response attribute */
 			attr = tcg_pts_attr_dh_nonce_params_resp_create(selected_dh_group,
@@ -174,8 +178,10 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
 				return FALSE;
 			}
 
-			pts->set_peer_public_value(pts, initiator_value, initiator_nonce);
-			if (!pts->calculate_secret(pts))
+
+			if (!pts->set_peer_public_value(pts, initiator_value,
+											initiator_nonce) ||
+				!pts->calculate_secret(pts))
 			{
 				return FALSE;
 			}
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index 3f4cf41a9..3b7538688 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -224,6 +224,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -284,10 +285,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -361,6 +364,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index a192b0a41..7b696896f 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -225,6 +225,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -285,10 +286,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -362,6 +365,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imc_swid/Makefile.in b/src/libimcv/plugins/imc_swid/Makefile.in
index f1859a2cb..2847f09b4 100644
--- a/src/libimcv/plugins/imc_swid/Makefile.in
+++ b/src/libimcv/plugins/imc_swid/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 3e1d0232f..2048caa4d 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -224,6 +224,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -284,10 +285,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -361,6 +364,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imv_attestation/Makefile.in b/src/libimcv/plugins/imv_attestation/Makefile.in
index 3ba7c8c88..09a0ab0ce 100644
--- a/src/libimcv/plugins/imv_attestation/Makefile.in
+++ b/src/libimcv/plugins/imv_attestation/Makefile.in
@@ -236,6 +236,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imv_attestation/attest_db.c b/src/libimcv/plugins/imv_attestation/attest_db.c
index f85a02b3d..f1a1f923e 100644
--- a/src/libimcv/plugins/imv_attestation/attest_db.c
+++ b/src/libimcv/plugins/imv_attestation/attest_db.c
@@ -849,29 +849,31 @@ METHOD(attest_db_t, list_devices, void,
 {
 	enumerator_t *e, *e_ar;
 	chunk_t ar_id_value = chunk_empty;
-	char *product, *device;
+	char *product, *device, *description;
 	time_t timestamp;
-	int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0;
+	int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0, trusted;
 	int session_id, rec;
 	u_int32_t ar_id_type;
 	u_int tstamp;
 
 	e = this->db->query(this->db,
-			"SELECT d.id, d.value, s.id, s.time, s.identity, s.rec, p.name "
+			"SELECT d.id, d.value, d.trusted, d.description, "
+			"s.id, s.time, s.identity, s.rec, p.name "
 			"FROM devices AS d "
 			"JOIN sessions AS s ON d.id = s.device "
 			"JOIN products AS p ON p.id = s.product "
-			"ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_UINT,
-			 DB_INT, DB_INT, DB_TEXT);
+			"ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_TEXT,
+			 DB_INT, DB_UINT, DB_INT, DB_INT, DB_TEXT);
 
 	if (e)
 	{
-		while (e->enumerate(e, &id, &device, &session_id, &tstamp, &ar_id, &rec,
-							   &product))
+		while (e->enumerate(e, &id, &device, &trusted, &description,
+							   &session_id, &tstamp, &ar_id, &rec, &product))
 		{
 			if (id != last_id)
 			{
-				printf("%4d: %s - %s\n", id, device, product);
+				printf("%4d: %s %s - %s - %s\n", id, trusted ? "+" : "-",
+												 device, product, description);
 				device_count++;
 				last_id = id;
 			}
diff --git a/src/libimcv/plugins/imv_attestation/build-database.sh b/src/libimcv/plugins/imv_attestation/build-database.sh
index ca2939b49..0babb5366 100755
--- a/src/libimcv/plugins/imv_attestation/build-database.sh
+++ b/src/libimcv/plugins/imv_attestation/build-database.sh
@@ -2,7 +2,7 @@
 
 p="Ubuntu 14.04 x86_64"
 a="x86_64-linux-gnu"
-k="3.13.0-37-generic"
+k="3.13.0-46-generic"
 
 for hash in sha1 sha256
 do
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
index c39fe8d47..db93ac45f 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
@@ -69,7 +69,11 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
 
 			/* Send DH nonce finish attribute */
 			selected_algorithm = pts->get_meas_algorithm(pts);
-			pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
+			if (!pts->get_my_public_value(pts, &initiator_value,
+										  &initiator_nonce))
+			{
+				return FALSE;
+			}
 			attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
 											initiator_value, initiator_nonce);
 			attr->set_noskip_flag(attr, TRUE);
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
index 89a1f02cf..fbeb6618e 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
@@ -134,11 +134,11 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 			}
 
 			responder_value = attr_cast->get_responder_value(attr_cast);
-			pts->set_peer_public_value(pts, responder_value,
-											responder_nonce);
 
 			/* Calculate secret assessment value */
-			if (!pts->calculate_secret(pts))
+			if (!pts->set_peer_public_value(pts, responder_value,
+											responder_nonce) ||
+				!pts->calculate_secret(pts))
 			{
 				return FALSE;
 			}
@@ -198,7 +198,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 
 				e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
 							KEY_ANY, aik->get_issuer(aik), FALSE);
-				while (e->enumerate(e, &issuer))
+				while (e->enumerate(e, &issuer, NULL))
 				{
 					if (aik->issued_by(aik, issuer, NULL))
 					{
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index 36e708fc9..ec3488992 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -232,6 +232,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 2677b339a..08abbf596 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imv_swid/Makefile.in b/src/libimcv/plugins/imv_swid/Makefile.in
index 815722f9c..936bee86e 100644
--- a/src/libimcv/plugins/imv_swid/Makefile.in
+++ b/src/libimcv/plugins/imv_swid/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index 66da75a1e..8e0e22353 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -225,6 +225,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -285,10 +286,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -362,6 +365,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libimcv/pts/components/ita/ita_comp_tboot.c b/src/libimcv/pts/components/ita/ita_comp_tboot.c
index 273c18f31..ce318ec84 100644
--- a/src/libimcv/pts/components/ita/ita_comp_tboot.c
+++ b/src/libimcv/pts/components/ita/ita_comp_tboot.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2014 Andreas Steffen
+ * Copyright (C) 2011-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -61,11 +61,6 @@ struct pts_ita_comp_tboot_t {
 	int cid;
 
 	/**
-	 * Primary key for AIK database entry
-	 */
-	int kid;
-
-	/**
 	 * Component is registering measurements
 	 */
 	bool is_registering;
@@ -243,7 +238,7 @@ METHOD(pts_component_t, verify, status_t,
 	else
 	{
 		status = this->pts_db->check_comp_measurement(this->pts_db,
-								measurement, this->cid, this->kid,
+								measurement, this->cid, this->aik_id,
 								++this->seq_no, extended_pcr, algo);
 		if (status != SUCCESS)
 		{
diff --git a/src/libimcv/pts/pts.c b/src/libimcv/pts/pts.c
index 2fff4c901..1ca72098e 100644
--- a/src/libimcv/pts/pts.c
+++ b/src/libimcv/pts/pts.c
@@ -224,17 +224,24 @@ METHOD(pts_t, create_dh_nonce, bool,
 	return TRUE;
 }
 
-METHOD(pts_t, get_my_public_value, void,
+METHOD(pts_t, get_my_public_value, bool,
 	private_pts_t *this, chunk_t *value, chunk_t *nonce)
 {
-	this->dh->get_my_public_value(this->dh, value);
+	if (!this->dh->get_my_public_value(this->dh, value))
+	{
+		return FALSE;
+	}
 	*nonce = this->is_imc ? this->responder_nonce : this->initiator_nonce;
+	return TRUE;
 }
 
-METHOD(pts_t, set_peer_public_value, void,
+METHOD(pts_t, set_peer_public_value, bool,
 	private_pts_t *this, chunk_t value, chunk_t nonce)
 {
-	this->dh->set_other_public_value(this->dh, value);
+	if (!this->dh->set_other_public_value(this->dh, value))
+	{
+		return FALSE;
+	}
 
 	nonce = chunk_clone(nonce);
 	if (this->is_imc)
@@ -245,6 +252,7 @@ METHOD(pts_t, set_peer_public_value, void,
 	{
 		this->responder_nonce = nonce;
 	}
+	return TRUE;
 }
 
 METHOD(pts_t, calculate_secret, bool,
@@ -264,7 +272,7 @@ METHOD(pts_t, calculate_secret, bool,
 	DBG3(DBG_PTS, "responder nonce: %B", &this->responder_nonce);
 
 	/* Calculate the DH secret */
-	if (this->dh->get_shared_secret(this->dh, &shared_secret) != SUCCESS)
+	if (!this->dh->get_shared_secret(this->dh, &shared_secret))
 	{
 		DBG1(DBG_PTS, "shared DH secret computation failed");
 		return FALSE;
diff --git a/src/libimcv/pts/pts.h b/src/libimcv/pts/pts.h
index be32a3464..d525306dd 100644
--- a/src/libimcv/pts/pts.h
+++ b/src/libimcv/pts/pts.h
@@ -143,16 +143,18 @@ struct pts_t {
 	 *
 	 * @param value				My public DH value
 	 * @param nonce				My DH nonce
+	 * @return					TRUE if public value retrieved successfully
 	 */
-	void (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce);
+	bool (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce);
 
 	/**
 	 * Set peer Diffie.Hellman public value
 	 *
 	 * @param value				Peer public DH value
 	 * @param nonce				Peer DH nonce
+	 * @return					TRUE if public value set successfully
 	 */
-	void (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce);
+	bool (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce);
 
 	/**
 	 * Calculates assessment secret to be used for TPM Quote as ExternalData
diff --git a/src/libimcv/seg/seg_env.c b/src/libimcv/seg/seg_env.c
index c47ce2934..f38419248 100644
--- a/src/libimcv/seg/seg_env.c
+++ b/src/libimcv/seg/seg_env.c
@@ -219,6 +219,7 @@ seg_env_t *seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr,
 	if (max_seg_size <  PA_TNC_ATTR_HEADER_SIZE ||
 		max_seg_size >= PA_TNC_ATTR_HEADER_SIZE + value.len)
 	{
+		base_attr->destroy(base_attr);
 		return NULL;
 	}
 
@@ -233,7 +234,7 @@ seg_env_t *seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr,
 			.destroy = _destroy,
 		},
 		.base_attr_id = base_attr_id,
-		.base_attr = base_attr->get_ref(base_attr),
+		.base_attr = base_attr,
 		.max_seg_size = max_seg_size,
 		.data = base_attr->get_value(base_attr),
 	);
diff --git a/src/libimcv/seg/seg_env.h b/src/libimcv/seg/seg_env.h
index 08d33d752..611f9a98a 100644
--- a/src/libimcv/seg/seg_env.h
+++ b/src/libimcv/seg/seg_env.h
@@ -98,7 +98,7 @@ struct seg_env_t {
  * Create a PA-TNC attribute segment envelope object
  *
  * @param base_attr_id		Base Attribute ID
- * @param base_attr			Base Attribute to be segmented
+ * @param base_attr			Base Attribute to be segmented, owned by seg_env_t
  * @param max_seg_size		Maximum segment size
  */
 seg_env_t* seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr,
diff --git a/src/libimcv/suites/test_imcv_seg.c b/src/libimcv/suites/test_imcv_seg.c
index 469b1110d..8b51eda05 100644
--- a/src/libimcv/suites/test_imcv_seg.c
+++ b/src/libimcv/suites/test_imcv_seg.c
@@ -64,10 +64,11 @@ START_TEST(test_imcv_seg_env)
 	libimcv_init(FALSE);
 	max_seg_size  = seg_env_tests[_i].max_seg_size;
 	last_seg_size = seg_env_tests[_i].last_seg_size;
+
 	base_attr = ita_attr_command_create(command);
 	base_attr->build(base_attr);
-
 	seg_env = seg_env_create(id, base_attr, max_seg_size);
+
 	if (seg_env_tests[_i].next_segs == 0)
 	{
 		ck_assert(seg_env == NULL);
@@ -156,7 +157,6 @@ START_TEST(test_imcv_seg_env)
 		seg_env1->destroy(seg_env1);
 		base_attr1->destroy(base_attr1);
 	}
-	base_attr->destroy(base_attr);
 	libimcv_deinit();
 }
 END_TEST
@@ -226,7 +226,6 @@ START_TEST(test_imcv_seg_env_special)
 	/* cleanup */
 	attr->destroy(attr);
 	seg_env->destroy(seg_env);
-	base_attr->destroy(base_attr);
 }
 END_TEST
 
@@ -306,7 +305,8 @@ START_TEST(test_imcv_seg_contract)
 									 TRUE, issuer_id, FALSE);
 	contract_r = seg_contract_create(msg_type, max_attr_size, max_seg_size,
 									 FALSE, issuer_id, TRUE);
-	attr = contract_r->first_segment(contract_r, base_attr_r);
+	attr = contract_r->first_segment(contract_r,
+									 base_attr_r->get_ref(base_attr_r));
 
 	if (seg_env_tests[_i].next_segs == 0)
 	{
@@ -422,8 +422,8 @@ START_TEST(test_imcv_seg_contract_special)
 	ck_assert(!oversize);
 
 	/* get first segment of each base attribute */
-	attr1_f = contract_r->first_segment(contract_r, base_attr1_r);
-	attr2_f = contract_r->first_segment(contract_r, base_attr2_r);
+	attr1_f = contract_r->first_segment(contract_r, base_attr1_r->get_ref(base_attr1_r));
+	attr2_f = contract_r->first_segment(contract_r, base_attr2_r->get_ref(base_attr2_r));
 	ck_assert(attr1_f);
 	ck_assert(attr2_f);
 	seg_env_attr1 = (tcg_seg_attr_seg_env_t*)attr1_f;
diff --git a/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c b/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c
index 5b4cc273b..397882926 100644
--- a/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c
+++ b/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c
@@ -242,6 +242,8 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		this->count--;
 	}
 
+	status = SUCCESS;
+
 	if (this->length != this->offset)
 	{
 		DBG1(DBG_TNC, "inconsistent length for %N/%N", pen_names, PEN_TCG,
@@ -249,7 +251,6 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		*offset = this->offset;
 		status = FAILED;
 	}
-	status = SUCCESS;
 
 end:
 	reader->destroy(reader);
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index 3663cf825..a80d28ac6 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -266,6 +266,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -326,10 +327,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -403,6 +406,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c
index 0998efa9d..21dbd5e89 100644
--- a/src/libipsec/ip_packet.c
+++ b/src/libipsec/ip_packet.c
@@ -443,7 +443,7 @@ ip_packet_t *ip_packet_create_from_data(host_t *src, host_t *dst,
 		{
 			struct ip6_hdr ip = {
 				.ip6_flow = htonl(6),
-				.ip6_plen = htons(40 + data.len),
+				.ip6_plen = htons(data.len),
 				.ip6_nxt = next_header,
 				.ip6_hlim = 0x80,
 			};
diff --git a/src/libipsec/ipsec_event_listener.h b/src/libipsec/ipsec_event_listener.h
index c5c39b0f1..f15f6fe52 100644
--- a/src/libipsec/ipsec_event_listener.h
+++ b/src/libipsec/ipsec_event_listener.h
@@ -35,14 +35,12 @@ struct ipsec_event_listener_t {
 	/**
 	 * Called when the lifetime of an IPsec SA expired
 	 *
-	 * @param reqid			reqid of the expired SA
 	 * @param protocol		protocol of the expired SA
 	 * @param spi			spi of the expired SA
+	 * @param dst			destination address of expired SA
 	 * @param hard			TRUE if this is a hard expire, FALSE otherwise
 	 */
-	void (*expire)(u_int32_t reqid, u_int8_t protocol, u_int32_t spi,
-				   bool hard);
-
+	void (*expire)(u_int8_t protocol, u_int32_t spi, host_t *dst, bool hard);
 };
 
 #endif /** IPSEC_EVENT_LISTENER_H_ @}*/
diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c
index c6b2a550d..048063053 100644
--- a/src/libipsec/ipsec_event_relay.c
+++ b/src/libipsec/ipsec_event_relay.c
@@ -65,9 +65,9 @@ typedef struct {
 	} type;
 
 	/**
-	 * Reqid of the SA, if any
+	 * Protocol of the SA
 	 */
-	u_int32_t reqid;
+	u_int8_t protocol;
 
 	/**
 	 * SPI of the SA, if any
@@ -75,13 +75,16 @@ typedef struct {
 	u_int32_t spi;
 
 	/**
+	 * SA destination address
+	 */
+	host_t *dst;
+
+	/**
 	 * Additional data for specific event types
 	 */
 	union {
 
 		struct {
-			/** Protocol of the SA */
-			u_int8_t protocol;
 			/** TRUE in case of a hard expire */
 			bool hard;
 		} expire;
@@ -91,6 +94,15 @@ typedef struct {
 } ipsec_event_t;
 
 /**
+ * Destroy IPsec event data
+ */
+static void ipsec_event_destroy(ipsec_event_t *event)
+{
+	event->dst->destroy(event->dst);
+	free(event);
+}
+
+/**
  * Dequeue events and relay them to listeners
  */
 static job_requeue_t handle_events(private_ipsec_event_relay_t *this)
@@ -110,31 +122,31 @@ static job_requeue_t handle_events(private_ipsec_event_relay_t *this)
 			case IPSEC_EVENT_EXPIRE:
 				if (current->expire)
 				{
-					current->expire(event->reqid, event->data.expire.protocol,
-									event->spi, event->data.expire.hard);
+					current->expire(event->protocol, event->spi, event->dst,
+									event->data.expire.hard);
 				}
 				break;
 		}
 	}
 	enumerator->destroy(enumerator);
 	this->lock->unlock(this->lock);
-	free(event);
+	ipsec_event_destroy(event);
 	return JOB_REQUEUE_DIRECT;
 }
 
 METHOD(ipsec_event_relay_t, expire, void,
-	private_ipsec_event_relay_t *this, u_int32_t reqid, u_int8_t protocol,
-	u_int32_t spi, bool hard)
+	private_ipsec_event_relay_t *this, u_int8_t protocol, u_int32_t spi,
+	host_t *dst, bool hard)
 {
 	ipsec_event_t *event;
 
 	INIT(event,
 		.type = IPSEC_EVENT_EXPIRE,
-		.reqid = reqid,
+		.protocol = protocol,
 		.spi = spi,
+		.dst = dst->clone(dst),
 		.data = {
 			.expire = {
-				.protocol = protocol,
 				.hard = hard,
 			},
 		},
diff --git a/src/libipsec/ipsec_event_relay.h b/src/libipsec/ipsec_event_relay.h
index c6935d546..1dddf121b 100644
--- a/src/libipsec/ipsec_event_relay.h
+++ b/src/libipsec/ipsec_event_relay.h
@@ -38,13 +38,13 @@ struct ipsec_event_relay_t {
 	/**
 	 * Raise an expire event.
 	 *
-	 * @param reqid			reqid of the expired IPsec SA
 	 * @param protocol		protocol (e.g ESP) of the expired SA
 	 * @param spi			SPI of the expired SA
+	 * @param dst			destination address of expired SA
 	 * @param hard			TRUE for a hard expire, FALSE otherwise
 	 */
-	void (*expire)(ipsec_event_relay_t *this, u_int32_t reqid,
-				   u_int8_t protocol, u_int32_t spi, bool hard);
+	void (*expire)(ipsec_event_relay_t *this, u_int8_t protocol, u_int32_t spi,
+				   host_t *dst, bool hard);
 
 	/**
 	 * Register a listener to events raised by this manager
diff --git a/src/libipsec/ipsec_sa.c b/src/libipsec/ipsec_sa.c
index 6ec8bd25e..ccbbb1b3c 100644
--- a/src/libipsec/ipsec_sa.c
+++ b/src/libipsec/ipsec_sa.c
@@ -194,8 +194,8 @@ METHOD(ipsec_sa_t, expire, void,
 		if (!this->hard_expired)
 		{
 			this->hard_expired = TRUE;
-			ipsec->events->expire(ipsec->events, this->reqid, this->protocol,
-								  this->spi, TRUE);
+			ipsec->events->expire(ipsec->events, this->protocol, this->spi,
+								  this->dst, TRUE);
 		}
 	}
 	else
@@ -203,8 +203,8 @@ METHOD(ipsec_sa_t, expire, void,
 		if (!this->hard_expired && !this->soft_expired)
 		{
 			this->soft_expired = TRUE;
-			ipsec->events->expire(ipsec->events, this->reqid, this->protocol,
-								  this->spi, FALSE);
+			ipsec->events->expire(ipsec->events, this->protocol, this->spi,
+								  this->dst, FALSE);
 		}
 	}
 }
@@ -275,8 +275,7 @@ ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
 		u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
 		lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 		u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
-		u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
-		traffic_selector_t *src_ts,	traffic_selector_t *dst_ts)
+		u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound)
 {
 	private_ipsec_sa_t *this;
 
diff --git a/src/libipsec/ipsec_sa.h b/src/libipsec/ipsec_sa.h
index 5e69f18cf..8dad29ac5 100644
--- a/src/libipsec/ipsec_sa.h
+++ b/src/libipsec/ipsec_sa.h
@@ -197,8 +197,6 @@ struct ipsec_sa_t {
  * @param encap			enable UDP encapsulation (must be TRUE)
  * @param esn			Extended Sequence Numbers (currently not supported)
  * @param inbound		TRUE if this is an inbound SA, FALSE otherwise
- * @param src_ts		source traffic selector
- * @param dst_ts		destination traffic selector
  * @return				the IPsec SA, or NULL if the creation failed
  */
 ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
@@ -207,8 +205,6 @@ ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
 							u_int16_t enc_alg, chunk_t enc_key,
 							u_int16_t int_alg, chunk_t int_key,
 							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-							bool encap, bool esn, bool inbound,
-							traffic_selector_t *src_ts,
-							traffic_selector_t *dst_ts);
+							bool encap, bool esn, bool inbound);
 
 #endif /** IPSEC_SA_H_ @}*/
diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c
index 1db1776c0..07ffa9e4f 100644
--- a/src/libipsec/ipsec_sa_mgr.c
+++ b/src/libipsec/ipsec_sa_mgr.c
@@ -396,12 +396,10 @@ static bool allocate_spi(private_ipsec_sa_mgr_t *this, u_int32_t spi)
 
 METHOD(ipsec_sa_mgr_t, get_spi, status_t,
 	private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, u_int8_t protocol,
-	u_int32_t reqid, u_int32_t *spi)
+	u_int32_t *spi)
 {
 	u_int32_t spi_new;
 
-	DBG2(DBG_ESP, "allocating SPI for reqid {%u}", reqid);
-
 	this->mutex->lock(this->mutex);
 	if (!this->rng)
 	{
@@ -420,7 +418,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
 								 (u_int8_t*)&spi_new))
 		{
 			this->mutex->unlock(this->mutex);
-			DBG1(DBG_ESP, "failed to allocate SPI for reqid {%u}", reqid);
+			DBG1(DBG_ESP, "failed to allocate SPI");
 			return FAILED;
 		}
 		/* make sure the SPI is valid (not in range 0-255) */
@@ -432,7 +430,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
 
 	*spi = spi_new;
 
-	DBG2(DBG_ESP, "allocated SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
+	DBG2(DBG_ESP, "allocated SPI %.8x", ntohl(*spi));
 	return SUCCESS;
 }
 
@@ -442,7 +440,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
 	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
 	u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+	bool update)
 {
 	ipsec_sa_entry_t *entry;
 	ipsec_sa_t *sa_new;
@@ -456,7 +454,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
 
 	sa_new = ipsec_sa_create(spi, src, dst, protocol, reqid, mark, tfc,
 							 lifetime, enc_alg, enc_key, int_alg, int_key, mode,
-							 ipcomp, cpi, encap, esn, inbound, src_ts, dst_ts);
+							 ipcomp, cpi, encap, esn, inbound);
 	if (!sa_new)
 	{
 		DBG1(DBG_ESP, "failed to create SAD entry");
@@ -465,7 +463,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
 
 	this->mutex->lock(this->mutex);
 
-	if (inbound)
+	if (update)
 	{	/* remove any pre-allocated SPIs */
 		u_int32_t *spi_alloc;
 
diff --git a/src/libipsec/ipsec_sa_mgr.h b/src/libipsec/ipsec_sa_mgr.h
index 8c234cefa..a57eab4e7 100644
--- a/src/libipsec/ipsec_sa_mgr.h
+++ b/src/libipsec/ipsec_sa_mgr.h
@@ -45,12 +45,11 @@ struct ipsec_sa_mgr_t {
 	 * @param src			source address of the SA
 	 * @param dst			destination address of the SA
 	 * @param protocol		protocol of the SA (only ESP supported)
-	 * @param reqid			reqid for the SA
 	 * @param spi			the allocated SPI
 	 * @return				SUCCESS of operation successful
 	 */
 	status_t (*get_spi)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
-						u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
+						u_int8_t protocol, u_int32_t *spi);
 
 	/**
 	 * Add a new SA
@@ -74,8 +73,7 @@ struct ipsec_sa_mgr_t {
 	 * @param encap			enable UDP encapsulation (must be TRUE)
 	 * @param esn			Extended Sequence Numbers (currently not supported)
 	 * @param inbound		TRUE if this is an inbound SA, FALSE otherwise
-	 * @param src_ts		source traffic selector
-	 * @param dst_ts		destination traffic selector
+	 * @param update		TRUE if an SPI has already been allocated for SA
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*add_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
@@ -84,8 +82,7 @@ struct ipsec_sa_mgr_t {
 					   u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg,
 					   chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
 					   u_int16_t cpi, bool initiator, bool encap, bool esn,
-					   bool inbound, traffic_selector_t *src_ts,
-					   traffic_selector_t *dst_ts);
+					   bool inbound, bool update);
 
 	/**
 	 * Update the hosts on an installed SA.
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index 74cd8084a..96d1ae4aa 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index faaae70fe..5dd8ac56b 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -222,6 +222,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -282,10 +283,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -359,6 +362,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libradius/radius_socket.c b/src/libradius/radius_socket.c
index f432151c0..fe9cf3c01 100644
--- a/src/libradius/radius_socket.c
+++ b/src/libradius/radius_socket.c
@@ -129,7 +129,7 @@ METHOD(radius_socket_t, request, radius_message_t*,
 	private_radius_socket_t *this, radius_message_t *request)
 {
 	chunk_t data;
-	int i, *fd;
+	int i, *fd, retransmit = 0;
 	u_int16_t port;
 	rng_t *rng = NULL;
 
@@ -166,64 +166,59 @@ METHOD(radius_socket_t, request, radius_message_t*,
 	for (i = 2; i <= 5; i++)
 	{
 		radius_message_t *response;
-		bool retransmit = FALSE;
-		struct timeval tv;
 		char buf[4096];
-		fd_set fds;
 		int res;
+		struct pollfd pfd = {
+			.fd = *fd,
+			.events = POLLIN,
+		};
 
+		if (retransmit)
+		{
+			DBG1(DBG_CFG, "retransmitting RADIUS %N (attempt %d)",
+				 radius_message_code_names, request->get_code(request),
+				 retransmit);
+		}
 		if (send(*fd, data.ptr, data.len, 0) != data.len)
 		{
 			DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno));
 			return NULL;
 		}
-		tv.tv_sec = i;
-		tv.tv_usec = 0;
-
-		while (TRUE)
+		res = poll(&pfd, 1, i * 1000);
+		if (res < 0)
 		{
-			FD_ZERO(&fds);
-			FD_SET(*fd, &fds);
-			res = select((*fd) + 1, &fds, NULL, NULL, &tv);
-			/* TODO: updated tv to time not waited. Linux does this for us. */
-			if (res < 0)
-			{	/* failed */
-				DBG1(DBG_CFG, "waiting for RADIUS message failed: %s",
-					 strerror(errno));
-				break;
-			}
-			if (res == 0)
-			{	/* timeout */
-				DBG1(DBG_CFG, "retransmitting RADIUS message");
-				retransmit = TRUE;
-				break;
-			}
-			res = recv(*fd, buf, sizeof(buf), MSG_DONTWAIT);
-			if (res <= 0)
-			{
-				DBG1(DBG_CFG, "receiving RADIUS message failed: %s",
-					 strerror(errno));
-				break;
-			}
-			response = radius_message_parse(chunk_create(buf, res));
-			if (response)
-			{
-				if (response->verify(response,
-							request->get_authenticator(request), this->secret,
-							this->hasher, this->signer))
-				{
-					return response;
-				}
-				response->destroy(response);
-			}
-			DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
+			DBG1(DBG_CFG, "waiting for RADIUS message failed: %s",
+				 strerror(errno));
+			return NULL;
+		}
+		if (res == 0)
+		{	/* timeout */
+			retransmit++;
+			continue;
 		}
-		if (!retransmit)
+		res = recv(*fd, buf, sizeof(buf), MSG_DONTWAIT);
+		if (res <= 0)
 		{
-			break;
+			DBG1(DBG_CFG, "receiving RADIUS message failed: %s",
+				 strerror(errno));
+			return NULL;
 		}
+		response = radius_message_parse(chunk_create(buf, res));
+		if (response)
+		{
+			if (response->verify(response,
+						request->get_authenticator(request), this->secret,
+						this->hasher, this->signer))
+			{
+				return response;
+			}
+			response->destroy(response);
+		}
+		DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
+		return NULL;
 	}
-	DBG1(DBG_CFG, "RADIUS server is not responding");
+	DBG1(DBG_CFG, "RADIUS %N timed out after %d retransmits",
+		 radius_message_code_names, request->get_code(request), retransmit - 1);
 	return NULL;
 }
 
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index a16991927..79962d3bd 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -222,6 +222,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -282,10 +283,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -359,6 +362,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 9b775f9b3..2a8894b0e 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -8,12 +8,14 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
 collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
 collections/array.c \
 collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
+crypto/hashers/hash_algorithm_set.c \
 crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
 crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
 crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
 crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
 crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
 crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \
+crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
 credentials/credential_factory.c credentials/builder.c \
 credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 0083ffe6b..fbc752687 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -6,12 +6,14 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
 collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
 collections/array.c \
 collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
+crypto/hashers/hash_algorithm_set.c \
 crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
 crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
 crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
 crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
 crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
 crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \
+crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
 credentials/credential_factory.c credentials/builder.c \
 credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
@@ -60,13 +62,15 @@ library.h \
 asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
 collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
 collections/linked_list.h collections/array.h collections/dictionary.h \
-crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
+crypto/crypters/crypter.h crypto/hashers/hasher.h \
+crypto/hashers/hash_algorithm_set.h crypto/mac.h \
 crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
 crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
 crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
 crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
 crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
 crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \
+crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \
 credentials/credential_factory.h credentials/builder.h \
 credentials/cred_encoding.h credentials/keys/private_key.h \
 credentials/keys/public_key.h credentials/keys/shared_key.h \
@@ -101,8 +105,8 @@ utils/utils.h utils/chunk.h utils/debug.h utils/enum.h utils/identification.h \
 utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
 utils/leak_detective.h utils/printf_hook/printf_hook.h \
 utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \
-utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/windows.h \
-utils/process.h utils/utils/strerror.h
+utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \
+utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h
 endif
 
 library.lo :	$(top_builddir)/config.status
@@ -133,7 +137,7 @@ if USE_WINDOWS
     threading/windows/rwlock.c \
     threading/windows/spinlock.c \
     threading/windows/semaphore.c \
-    utils/windows.c
+    utils/compat/windows.c
 else
   libstrongswan_la_LIBADD += $(PTHREADLIB)
 endif
@@ -425,6 +429,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_FILES
+  SUBDIRS += plugins/files
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/files/libstrongswan-files.la
+endif
+endif
+
 if USE_WINHTTP
   SUBDIRS += plugins/winhttp
 if MONOLITHIC
@@ -544,6 +555,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_BLISS
+  SUBDIRS += plugins/bliss
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/bliss/libstrongswan-bliss.la
+endif
+endif
+
 if USE_TEST_VECTORS
   SUBDIRS += plugins/test_vectors
 if MONOLITHIC
@@ -555,3 +573,6 @@ if MONOLITHIC
   SUBDIRS += .
 endif
 SUBDIRS += tests
+if USE_BLISS
+  SUBDIRS += plugins/bliss/tests
+endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 40678cbde..99b18a757 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -97,7 +97,7 @@ host_triplet = @host@
 @USE_WINDOWS_TRUE@    threading/windows/rwlock.c \
 @USE_WINDOWS_TRUE@    threading/windows/spinlock.c \
 @USE_WINDOWS_TRUE@    threading/windows/semaphore.c \
-@USE_WINDOWS_TRUE@    utils/windows.c
+@USE_WINDOWS_TRUE@    utils/compat/windows.c
 
 @USE_WINDOWS_FALSE@am__append_4 = $(PTHREADLIB)
 @USE_DBGHELP_TRUE@am__append_5 = -ldbghelp
@@ -173,42 +173,47 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_75 = plugins/pem/libstrongswan-pem.la
 @USE_CURL_TRUE@am__append_76 = plugins/curl
 @MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_77 = plugins/curl/libstrongswan-curl.la
-@USE_WINHTTP_TRUE@am__append_78 = plugins/winhttp
-@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_79 = plugins/winhttp/libstrongswan-winhttp.la
-@USE_UNBOUND_TRUE@am__append_80 = plugins/unbound
-@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_81 = plugins/unbound/libstrongswan-unbound.la
-@USE_SOUP_TRUE@am__append_82 = plugins/soup
-@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_83 = plugins/soup/libstrongswan-soup.la
-@USE_LDAP_TRUE@am__append_84 = plugins/ldap
-@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_85 = plugins/ldap/libstrongswan-ldap.la
-@USE_MYSQL_TRUE@am__append_86 = plugins/mysql
-@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_87 = plugins/mysql/libstrongswan-mysql.la
-@USE_SQLITE_TRUE@am__append_88 = plugins/sqlite
-@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_89 = plugins/sqlite/libstrongswan-sqlite.la
-@USE_PADLOCK_TRUE@am__append_90 = plugins/padlock
-@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_91 = plugins/padlock/libstrongswan-padlock.la
-@USE_OPENSSL_TRUE@am__append_92 = plugins/openssl
-@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_93 = plugins/openssl/libstrongswan-openssl.la
-@USE_GCRYPT_TRUE@am__append_94 = plugins/gcrypt
-@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_95 = plugins/gcrypt/libstrongswan-gcrypt.la
-@USE_FIPS_PRF_TRUE@am__append_96 = plugins/fips_prf
-@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_97 = plugins/fips_prf/libstrongswan-fips-prf.la
-@USE_AGENT_TRUE@am__append_98 = plugins/agent
-@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_99 = plugins/agent/libstrongswan-agent.la
-@USE_KEYCHAIN_TRUE@am__append_100 = plugins/keychain
-@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_101 = plugins/keychain/libstrongswan-keychain.la
-@USE_PKCS11_TRUE@am__append_102 = plugins/pkcs11
-@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_103 = plugins/pkcs11/libstrongswan-pkcs11.la
-@USE_CTR_TRUE@am__append_104 = plugins/ctr
-@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_105 = plugins/ctr/libstrongswan-ctr.la
-@USE_CCM_TRUE@am__append_106 = plugins/ccm
-@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_107 = plugins/ccm/libstrongswan-ccm.la
-@USE_GCM_TRUE@am__append_108 = plugins/gcm
-@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_109 = plugins/gcm/libstrongswan-gcm.la
-@USE_NTRU_TRUE@am__append_110 = plugins/ntru
-@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_111 = plugins/ntru/libstrongswan-ntru.la
-@USE_TEST_VECTORS_TRUE@am__append_112 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_113 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_FILES_TRUE@am__append_78 = plugins/files
+@MONOLITHIC_TRUE@@USE_FILES_TRUE@am__append_79 = plugins/files/libstrongswan-files.la
+@USE_WINHTTP_TRUE@am__append_80 = plugins/winhttp
+@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_81 = plugins/winhttp/libstrongswan-winhttp.la
+@USE_UNBOUND_TRUE@am__append_82 = plugins/unbound
+@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_83 = plugins/unbound/libstrongswan-unbound.la
+@USE_SOUP_TRUE@am__append_84 = plugins/soup
+@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_85 = plugins/soup/libstrongswan-soup.la
+@USE_LDAP_TRUE@am__append_86 = plugins/ldap
+@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_87 = plugins/ldap/libstrongswan-ldap.la
+@USE_MYSQL_TRUE@am__append_88 = plugins/mysql
+@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_89 = plugins/mysql/libstrongswan-mysql.la
+@USE_SQLITE_TRUE@am__append_90 = plugins/sqlite
+@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_91 = plugins/sqlite/libstrongswan-sqlite.la
+@USE_PADLOCK_TRUE@am__append_92 = plugins/padlock
+@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_93 = plugins/padlock/libstrongswan-padlock.la
+@USE_OPENSSL_TRUE@am__append_94 = plugins/openssl
+@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_95 = plugins/openssl/libstrongswan-openssl.la
+@USE_GCRYPT_TRUE@am__append_96 = plugins/gcrypt
+@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_97 = plugins/gcrypt/libstrongswan-gcrypt.la
+@USE_FIPS_PRF_TRUE@am__append_98 = plugins/fips_prf
+@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_99 = plugins/fips_prf/libstrongswan-fips-prf.la
+@USE_AGENT_TRUE@am__append_100 = plugins/agent
+@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_101 = plugins/agent/libstrongswan-agent.la
+@USE_KEYCHAIN_TRUE@am__append_102 = plugins/keychain
+@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_103 = plugins/keychain/libstrongswan-keychain.la
+@USE_PKCS11_TRUE@am__append_104 = plugins/pkcs11
+@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_105 = plugins/pkcs11/libstrongswan-pkcs11.la
+@USE_CTR_TRUE@am__append_106 = plugins/ctr
+@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_107 = plugins/ctr/libstrongswan-ctr.la
+@USE_CCM_TRUE@am__append_108 = plugins/ccm
+@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_109 = plugins/ccm/libstrongswan-ccm.la
+@USE_GCM_TRUE@am__append_110 = plugins/gcm
+@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_111 = plugins/gcm/libstrongswan-gcm.la
+@USE_NTRU_TRUE@am__append_112 = plugins/ntru
+@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_113 = plugins/ntru/libstrongswan-ntru.la
+@USE_BLISS_TRUE@am__append_114 = plugins/bliss
+@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_115 = plugins/bliss/libstrongswan-bliss.la
+@USE_TEST_VECTORS_TRUE@am__append_116 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_117 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_BLISS_TRUE@am__append_118 = plugins/bliss/tests
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	settings/settings_parser.h settings/settings_parser.c \
@@ -287,13 +292,14 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_95) $(am__append_97) $(am__append_99) \
 	$(am__append_101) $(am__append_103) $(am__append_105) \
 	$(am__append_107) $(am__append_109) $(am__append_111) \
-	$(am__append_113)
+	$(am__append_113) $(am__append_115) $(am__append_117)
 am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
 	bio/bio_writer.c collections/blocking_queue.c \
 	collections/enumerator.c collections/hashtable.c \
 	collections/array.c collections/linked_list.c \
 	crypto/crypters/crypter.c crypto/hashers/hasher.c \
+	crypto/hashers/hash_algorithm_set.c \
 	crypto/proposal/proposal_keywords.c \
 	crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
 	crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \
@@ -301,7 +307,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	crypto/signers/mac_signer.c crypto/crypto_factory.c \
 	crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \
 	crypto/transform.c crypto/iv/iv_gen_rand.c \
-	crypto/iv/iv_gen_seq.c credentials/credential_factory.c \
+	crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \
+	crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \
 	credentials/builder.c credentials/cred_encoding.c \
 	credentials/keys/private_key.c credentials/keys/public_key.c \
 	credentials/keys/shared_key.c \
@@ -342,7 +349,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	threading/windows/thread.c threading/windows/thread_value.c \
 	threading/windows/mutex.c threading/windows/rwlock.c \
 	threading/windows/spinlock.c threading/windows/semaphore.c \
-	utils/windows.c utils/leak_detective.c \
+	utils/compat/windows.c utils/leak_detective.c \
 	utils/integrity_checker.c utils/printf_hook/printf_hook_vstr.c \
 	utils/printf_hook/printf_hook_builtin.c \
 	utils/printf_hook/printf_hook_glibc.c
@@ -360,7 +367,7 @@ am__dirstamp = $(am__leading_dot)dirstamp
 @USE_WINDOWS_TRUE@	threading/windows/rwlock.lo \
 @USE_WINDOWS_TRUE@	threading/windows/spinlock.lo \
 @USE_WINDOWS_TRUE@	threading/windows/semaphore.lo \
-@USE_WINDOWS_TRUE@	utils/windows.lo
+@USE_WINDOWS_TRUE@	utils/compat/windows.lo
 @USE_LEAK_DETECTIVE_TRUE@am__objects_3 = utils/leak_detective.lo
 @USE_INTEGRITY_TEST_TRUE@am__objects_4 = utils/integrity_checker.lo
 @USE_VSTR_TRUE@am__objects_5 = utils/printf_hook/printf_hook_vstr.lo
@@ -372,6 +379,7 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
 	collections/enumerator.lo collections/hashtable.lo \
 	collections/array.lo collections/linked_list.lo \
 	crypto/crypters/crypter.lo crypto/hashers/hasher.lo \
+	crypto/hashers/hash_algorithm_set.lo \
 	crypto/proposal/proposal_keywords.lo \
 	crypto/proposal/proposal_keywords_static.lo crypto/prfs/prf.lo \
 	crypto/prfs/mac_prf.lo crypto/pkcs5.lo crypto/rngs/rng.lo \
@@ -379,10 +387,11 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
 	crypto/signers/mac_signer.lo crypto/crypto_factory.lo \
 	crypto/crypto_tester.lo crypto/diffie_hellman.lo \
 	crypto/aead.lo crypto/transform.lo crypto/iv/iv_gen_rand.lo \
-	crypto/iv/iv_gen_seq.lo credentials/credential_factory.lo \
-	credentials/builder.lo credentials/cred_encoding.lo \
-	credentials/keys/private_key.lo credentials/keys/public_key.lo \
-	credentials/keys/shared_key.lo \
+	crypto/iv/iv_gen_seq.lo crypto/mgf1/mgf1.lo \
+	crypto/mgf1/mgf1_bitspender.lo \
+	credentials/credential_factory.lo credentials/builder.lo \
+	credentials/cred_encoding.lo credentials/keys/private_key.lo \
+	credentials/keys/public_key.lo credentials/keys/shared_key.lo \
 	credentials/certificates/certificate.lo \
 	credentials/certificates/crl.lo \
 	credentials/certificates/ocsp_response.lo \
@@ -493,8 +502,8 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	collections/enumerator.h collections/hashtable.h \
 	collections/linked_list.h collections/array.h \
 	collections/dictionary.h crypto/crypters/crypter.h \
-	crypto/hashers/hasher.h crypto/mac.h \
-	crypto/proposal/proposal_keywords.h \
+	crypto/hashers/hasher.h crypto/hashers/hash_algorithm_set.h \
+	crypto/mac.h crypto/proposal/proposal_keywords.h \
 	crypto/proposal/proposal_keywords_static.h crypto/prfs/prf.h \
 	crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
 	crypto/prf_plus.h crypto/signers/signer.h \
@@ -502,6 +511,7 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	crypto/crypto_tester.h crypto/diffie_hellman.h crypto/aead.h \
 	crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
 	crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \
+	crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \
 	credentials/credential_factory.h credentials/builder.h \
 	credentials/cred_encoding.h credentials/keys/private_key.h \
 	credentials/keys/public_key.h credentials/keys/shared_key.h \
@@ -548,8 +558,9 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	utils/printf_hook/printf_hook.h \
 	utils/printf_hook/printf_hook_vstr.h \
 	utils/printf_hook/printf_hook_builtin.h utils/parser_helper.h \
-	utils/test.h utils/integrity_checker.h utils/windows.h \
-	utils/process.h utils/utils/strerror.h
+	utils/test.h utils/integrity_checker.h utils/process.h \
+	utils/utils/strerror.h utils/compat/windows.h \
+	utils/compat/apple.h
 HEADERS = $(nobase_strongswan_include_HEADERS) $(noinst_HEADERS)
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
@@ -586,11 +597,12 @@ DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
 	plugins/constraints plugins/acert plugins/pubkey plugins/pkcs1 \
 	plugins/pkcs7 plugins/pkcs8 plugins/pkcs12 plugins/pgp \
 	plugins/dnskey plugins/sshkey plugins/pem plugins/curl \
-	plugins/winhttp plugins/unbound plugins/soup plugins/ldap \
-	plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
-	plugins/gcrypt plugins/fips_prf plugins/agent plugins/keychain \
-	plugins/pkcs11 plugins/ctr plugins/ccm plugins/gcm \
-	plugins/ntru plugins/test_vectors tests
+	plugins/files plugins/winhttp plugins/unbound plugins/soup \
+	plugins/ldap plugins/mysql plugins/sqlite plugins/padlock \
+	plugins/openssl plugins/gcrypt plugins/fips_prf plugins/agent \
+	plugins/keychain plugins/pkcs11 plugins/ctr plugins/ccm \
+	plugins/gcm plugins/ntru plugins/bliss plugins/test_vectors \
+	tests plugins/bliss/tests
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -642,6 +654,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -702,10 +715,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -779,6 +794,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -843,14 +860,16 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 	collections/blocking_queue.c collections/enumerator.c \
 	collections/hashtable.c collections/array.c \
 	collections/linked_list.c crypto/crypters/crypter.c \
-	crypto/hashers/hasher.c crypto/proposal/proposal_keywords.c \
+	crypto/hashers/hasher.c crypto/hashers/hash_algorithm_set.c \
+	crypto/proposal/proposal_keywords.c \
 	crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
 	crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \
 	crypto/prf_plus.c crypto/signers/signer.c \
 	crypto/signers/mac_signer.c crypto/crypto_factory.c \
 	crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \
 	crypto/transform.c crypto/iv/iv_gen_rand.c \
-	crypto/iv/iv_gen_seq.c credentials/credential_factory.c \
+	crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \
+	crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \
 	credentials/builder.c credentials/cred_encoding.c \
 	credentials/keys/private_key.c credentials/keys/public_key.c \
 	credentials/keys/shared_key.c \
@@ -898,13 +917,15 @@ settings/settings_types.h
 @USE_DEV_HEADERS_TRUE@asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
 @USE_DEV_HEADERS_TRUE@collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
 @USE_DEV_HEADERS_TRUE@collections/linked_list.h collections/array.h collections/dictionary.h \
-@USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
+@USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h \
+@USE_DEV_HEADERS_TRUE@crypto/hashers/hash_algorithm_set.h crypto/mac.h \
 @USE_DEV_HEADERS_TRUE@crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
 @USE_DEV_HEADERS_TRUE@crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
 @USE_DEV_HEADERS_TRUE@crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
 @USE_DEV_HEADERS_TRUE@crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
 @USE_DEV_HEADERS_TRUE@crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
 @USE_DEV_HEADERS_TRUE@crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \
+@USE_DEV_HEADERS_TRUE@crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \
 @USE_DEV_HEADERS_TRUE@credentials/credential_factory.h credentials/builder.h \
 @USE_DEV_HEADERS_TRUE@credentials/cred_encoding.h credentials/keys/private_key.h \
 @USE_DEV_HEADERS_TRUE@credentials/keys/public_key.h credentials/keys/shared_key.h \
@@ -939,8 +960,8 @@ settings/settings_types.h
 @USE_DEV_HEADERS_TRUE@utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
 @USE_DEV_HEADERS_TRUE@utils/leak_detective.h utils/printf_hook/printf_hook.h \
 @USE_DEV_HEADERS_TRUE@utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \
-@USE_DEV_HEADERS_TRUE@utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/windows.h \
-@USE_DEV_HEADERS_TRUE@utils/process.h utils/utils/strerror.h
+@USE_DEV_HEADERS_TRUE@utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \
+@USE_DEV_HEADERS_TRUE@utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h
 
 libstrongswan_la_LIBADD = $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) \
 	$(BFDLIB) $(UNWINDLIB) $(am__append_2) $(am__append_4) \
@@ -961,7 +982,7 @@ libstrongswan_la_LIBADD = $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) \
 	$(am__append_95) $(am__append_97) $(am__append_99) \
 	$(am__append_101) $(am__append_103) $(am__append_105) \
 	$(am__append_107) $(am__append_109) $(am__append_111) \
-	$(am__append_113)
+	$(am__append_113) $(am__append_115) $(am__append_117)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
 	-DPLUGINDIR=\"${plugindir}\" \
@@ -1011,7 +1032,9 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_FALSE@	$(am__append_98) $(am__append_100) \
 @MONOLITHIC_FALSE@	$(am__append_102) $(am__append_104) \
 @MONOLITHIC_FALSE@	$(am__append_106) $(am__append_108) \
-@MONOLITHIC_FALSE@	$(am__append_110) $(am__append_112) tests
+@MONOLITHIC_FALSE@	$(am__append_110) $(am__append_112) \
+@MONOLITHIC_FALSE@	$(am__append_114) $(am__append_116) tests \
+@MONOLITHIC_FALSE@	$(am__append_118)
 
 # build plugins with their own Makefile
 #######################################
@@ -1038,7 +1061,9 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_TRUE@	$(am__append_98) $(am__append_100) \
 @MONOLITHIC_TRUE@	$(am__append_102) $(am__append_104) \
 @MONOLITHIC_TRUE@	$(am__append_106) $(am__append_108) \
-@MONOLITHIC_TRUE@	$(am__append_110) $(am__append_112) . tests
+@MONOLITHIC_TRUE@	$(am__append_110) $(am__append_112) \
+@MONOLITHIC_TRUE@	$(am__append_114) $(am__append_116) . tests \
+@MONOLITHIC_TRUE@	$(am__append_118)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -1159,6 +1184,8 @@ crypto/hashers/$(DEPDIR)/$(am__dirstamp):
 	@: > crypto/hashers/$(DEPDIR)/$(am__dirstamp)
 crypto/hashers/hasher.lo: crypto/hashers/$(am__dirstamp) \
 	crypto/hashers/$(DEPDIR)/$(am__dirstamp)
+crypto/hashers/hash_algorithm_set.lo: crypto/hashers/$(am__dirstamp) \
+	crypto/hashers/$(DEPDIR)/$(am__dirstamp)
 crypto/proposal/$(am__dirstamp):
 	@$(MKDIR_P) crypto/proposal
 	@: > crypto/proposal/$(am__dirstamp)
@@ -1228,6 +1255,16 @@ crypto/iv/iv_gen_rand.lo: crypto/iv/$(am__dirstamp) \
 	crypto/iv/$(DEPDIR)/$(am__dirstamp)
 crypto/iv/iv_gen_seq.lo: crypto/iv/$(am__dirstamp) \
 	crypto/iv/$(DEPDIR)/$(am__dirstamp)
+crypto/mgf1/$(am__dirstamp):
+	@$(MKDIR_P) crypto/mgf1
+	@: > crypto/mgf1/$(am__dirstamp)
+crypto/mgf1/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) crypto/mgf1/$(DEPDIR)
+	@: > crypto/mgf1/$(DEPDIR)/$(am__dirstamp)
+crypto/mgf1/mgf1.lo: crypto/mgf1/$(am__dirstamp) \
+	crypto/mgf1/$(DEPDIR)/$(am__dirstamp)
+crypto/mgf1/mgf1_bitspender.lo: crypto/mgf1/$(am__dirstamp) \
+	crypto/mgf1/$(DEPDIR)/$(am__dirstamp)
 credentials/$(am__dirstamp):
 	@$(MKDIR_P) credentials
 	@: > credentials/$(am__dirstamp)
@@ -1517,8 +1554,14 @@ threading/windows/spinlock.lo: threading/windows/$(am__dirstamp) \
 	threading/windows/$(DEPDIR)/$(am__dirstamp)
 threading/windows/semaphore.lo: threading/windows/$(am__dirstamp) \
 	threading/windows/$(DEPDIR)/$(am__dirstamp)
-utils/windows.lo: utils/$(am__dirstamp) \
-	utils/$(DEPDIR)/$(am__dirstamp)
+utils/compat/$(am__dirstamp):
+	@$(MKDIR_P) utils/compat
+	@: > utils/compat/$(am__dirstamp)
+utils/compat/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) utils/compat/$(DEPDIR)
+	@: > utils/compat/$(DEPDIR)/$(am__dirstamp)
+utils/compat/windows.lo: utils/compat/$(am__dirstamp) \
+	utils/compat/$(DEPDIR)/$(am__dirstamp)
 utils/leak_detective.lo: utils/$(am__dirstamp) \
 	utils/$(DEPDIR)/$(am__dirstamp)
 utils/integrity_checker.lo: utils/$(am__dirstamp) \
@@ -1568,6 +1611,8 @@ mostlyclean-compile:
 	-rm -f crypto/hashers/*.lo
 	-rm -f crypto/iv/*.$(OBJEXT)
 	-rm -f crypto/iv/*.lo
+	-rm -f crypto/mgf1/*.$(OBJEXT)
+	-rm -f crypto/mgf1/*.lo
 	-rm -f crypto/prfs/*.$(OBJEXT)
 	-rm -f crypto/prfs/*.lo
 	-rm -f crypto/proposal/*.$(OBJEXT)
@@ -1608,6 +1653,8 @@ mostlyclean-compile:
 	-rm -f threading/windows/*.lo
 	-rm -f utils/*.$(OBJEXT)
 	-rm -f utils/*.lo
+	-rm -f utils/compat/*.$(OBJEXT)
+	-rm -f utils/compat/*.lo
 	-rm -f utils/printf_hook/*.$(OBJEXT)
 	-rm -f utils/printf_hook/*.lo
 	-rm -f utils/utils/*.$(OBJEXT)
@@ -1653,9 +1700,12 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@crypto/$(DEPDIR)/prf_plus.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto/$(DEPDIR)/transform.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto/crypters/$(DEPDIR)/crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto/hashers/$(DEPDIR)/hash_algorithm_set.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto/hashers/$(DEPDIR)/hasher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_rand.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_seq.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto/mgf1/$(DEPDIR)/mgf1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto/mgf1/$(DEPDIR)/mgf1_bitspender.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/mac_prf.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/prf.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal_keywords.Plo@am__quote@
@@ -1721,7 +1771,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/process.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/test.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/utils.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/windows.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@utils/compat/$(DEPDIR)/windows.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_builtin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_glibc.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_vstr.Plo@am__quote@
@@ -1774,6 +1824,7 @@ clean-libtool:
 	-rm -rf crypto/crypters/.libs crypto/crypters/_libs
 	-rm -rf crypto/hashers/.libs crypto/hashers/_libs
 	-rm -rf crypto/iv/.libs crypto/iv/_libs
+	-rm -rf crypto/mgf1/.libs crypto/mgf1/_libs
 	-rm -rf crypto/prfs/.libs crypto/prfs/_libs
 	-rm -rf crypto/proposal/.libs crypto/proposal/_libs
 	-rm -rf crypto/rngs/.libs crypto/rngs/_libs
@@ -1794,6 +1845,7 @@ clean-libtool:
 	-rm -rf threading/.libs threading/_libs
 	-rm -rf threading/windows/.libs threading/windows/_libs
 	-rm -rf utils/.libs utils/_libs
+	-rm -rf utils/compat/.libs utils/compat/_libs
 	-rm -rf utils/printf_hook/.libs utils/printf_hook/_libs
 	-rm -rf utils/utils/.libs utils/utils/_libs
 install-nobase_strongswan_includeHEADERS: $(nobase_strongswan_include_HEADERS)
@@ -2035,6 +2087,8 @@ distclean-generic:
 	-rm -f crypto/hashers/$(am__dirstamp)
 	-rm -f crypto/iv/$(DEPDIR)/$(am__dirstamp)
 	-rm -f crypto/iv/$(am__dirstamp)
+	-rm -f crypto/mgf1/$(DEPDIR)/$(am__dirstamp)
+	-rm -f crypto/mgf1/$(am__dirstamp)
 	-rm -f crypto/prfs/$(DEPDIR)/$(am__dirstamp)
 	-rm -f crypto/prfs/$(am__dirstamp)
 	-rm -f crypto/proposal/$(DEPDIR)/$(am__dirstamp)
@@ -2075,6 +2129,8 @@ distclean-generic:
 	-rm -f threading/windows/$(am__dirstamp)
 	-rm -f utils/$(DEPDIR)/$(am__dirstamp)
 	-rm -f utils/$(am__dirstamp)
+	-rm -f utils/compat/$(DEPDIR)/$(am__dirstamp)
+	-rm -f utils/compat/$(am__dirstamp)
 	-rm -f utils/printf_hook/$(DEPDIR)/$(am__dirstamp)
 	-rm -f utils/printf_hook/$(am__dirstamp)
 	-rm -f utils/utils/$(DEPDIR)/$(am__dirstamp)
@@ -2094,7 +2150,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
 	mostlyclean-am
 
 distclean: distclean-recursive
-	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) settings/$(DEPDIR) threading/$(DEPDIR) threading/windows/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/mgf1/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) settings/$(DEPDIR) threading/$(DEPDIR) threading/windows/$(DEPDIR) utils/$(DEPDIR) utils/compat/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -2141,7 +2197,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
-	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) settings/$(DEPDIR) threading/$(DEPDIR) threading/windows/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/mgf1/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) settings/$(DEPDIR) threading/$(DEPDIR) threading/windows/$(DEPDIR) utils/$(DEPDIR) utils/compat/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index b479b0f4b..a750f7fcb 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -199,12 +199,12 @@ const oid_t oid_names[] = {
  {              0x02,         187, 0,  7, "ecdsa-with-SHA256"              }, /* 186 */
  {              0x03,         188, 0,  7, "ecdsa-with-SHA384"              }, /* 187 */
  {              0x04,           0, 0,  7, "ecdsa-with-SHA512"              }, /* 188 */
- {0x2B,                       391, 1,  0, ""                               }, /* 189 */
- {  0x06,                     305, 1,  1, "dod"                            }, /* 190 */
+ {0x2B,                       413, 1,  0, ""                               }, /* 189 */
+ {  0x06,                     327, 1,  1, "dod"                            }, /* 190 */
  {    0x01,                     0, 1,  2, "internet"                       }, /* 191 */
- {      0x04,                 256, 1,  3, "private"                        }, /* 192 */
+ {      0x04,                 278, 1,  3, "private"                        }, /* 192 */
  {        0x01,                 0, 1,  4, "enterprise"                     }, /* 193 */
- {          0x82,             210, 1,  5, ""                               }, /* 194 */
+ {          0x82,             228, 1,  5, ""                               }, /* 194 */
  {            0x37,           207, 1,  6, "Microsoft"                      }, /* 195 */
  {              0x0A,         200, 1,  7, ""                               }, /* 196 */
  {                0x03,         0, 1,  8, ""                               }, /* 197 */
@@ -219,248 +219,270 @@ const oid_t oid_names[] = {
  {                0x0A,         0, 0,  8, "msApplicationCertPolicies"      }, /* 206 */
  {            0xA0,             0, 1,  6, ""                               }, /* 207 */
  {              0x2A,           0, 1,  7, "ITA"                            }, /* 208 */
- {                0x01,         0, 0,  8, "strongSwan"                     }, /* 209 */
- {          0x89,             217, 1,  5, ""                               }, /* 210 */
- {            0x31,             0, 1,  6, ""                               }, /* 211 */
- {              0x01,           0, 1,  7, ""                               }, /* 212 */
- {                0x01,         0, 1,  8, ""                               }, /* 213 */
- {                  0x02,       0, 1,  9, ""                               }, /* 214 */
- {                    0x02,     0, 1, 10, ""                               }, /* 215 */
- {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 216 */
- {          0xC1,               0, 1,  5, ""                               }, /* 217 */
- {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 218 */
- {              0x01,           0, 1,  7, "eess"                           }, /* 219 */
- {                0x01,         0, 1,  8, "eess1"                          }, /* 220 */
- {                  0x01,     225, 1,  9, "eess1-algs"                     }, /* 221 */
- {                    0x01,   223, 0, 10, "ntru-EESS1v1-SVES"              }, /* 222 */
- {                    0x02,   224, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 223 */
- {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 224 */
- {                  0x02,     255, 1,  9, "eess1-params"                   }, /* 225 */
- {                    0x01,   227, 0, 10, "ees251ep1"                      }, /* 226 */
- {                    0x02,   228, 0, 10, "ees347ep1"                      }, /* 227 */
- {                    0x03,   229, 0, 10, "ees503ep1"                      }, /* 228 */
- {                    0x07,   230, 0, 10, "ees251sp2"                      }, /* 229 */
- {                    0x0C,   231, 0, 10, "ees251ep4"                      }, /* 230 */
- {                    0x0D,   232, 0, 10, "ees251ep5"                      }, /* 231 */
- {                    0x0E,   233, 0, 10, "ees251sp3"                      }, /* 232 */
- {                    0x0F,   234, 0, 10, "ees251sp4"                      }, /* 233 */
- {                    0x10,   235, 0, 10, "ees251sp5"                      }, /* 234 */
- {                    0x11,   236, 0, 10, "ees251sp6"                      }, /* 235 */
- {                    0x12,   237, 0, 10, "ees251sp7"                      }, /* 236 */
- {                    0x13,   238, 0, 10, "ees251sp8"                      }, /* 237 */
- {                    0x14,   239, 0, 10, "ees251sp9"                      }, /* 238 */
- {                    0x22,   240, 0, 10, "ees401ep1"                      }, /* 239 */
- {                    0x23,   241, 0, 10, "ees449ep1"                      }, /* 240 */
- {                    0x24,   242, 0, 10, "ees677ep1"                      }, /* 241 */
- {                    0x25,   243, 0, 10, "ees1087ep2"                     }, /* 242 */
- {                    0x26,   244, 0, 10, "ees541ep1"                      }, /* 243 */
- {                    0x27,   245, 0, 10, "ees613ep1"                      }, /* 244 */
- {                    0x28,   246, 0, 10, "ees887ep1"                      }, /* 245 */
- {                    0x29,   247, 0, 10, "ees1171ep1"                     }, /* 246 */
- {                    0x2A,   248, 0, 10, "ees659ep1"                      }, /* 247 */
- {                    0x2B,   249, 0, 10, "ees761ep1"                      }, /* 248 */
- {                    0x2C,   250, 0, 10, "ees1087ep1"                     }, /* 249 */
- {                    0x2D,   251, 0, 10, "ees1499ep1"                     }, /* 250 */
- {                    0x2E,   252, 0, 10, "ees401ep2"                      }, /* 251 */
- {                    0x2F,   253, 0, 10, "ees439ep1"                      }, /* 252 */
- {                    0x30,   254, 0, 10, "ees593ep1"                      }, /* 253 */
- {                    0x31,     0, 0, 10, "ees743ep1"                      }, /* 254 */
- {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 255 */
- {      0x05,                   0, 1,  3, "security"                       }, /* 256 */
- {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 257 */
- {          0x07,             302, 1,  5, "id-pkix"                        }, /* 258 */
- {            0x01,           263, 1,  6, "id-pe"                          }, /* 259 */
- {              0x01,         261, 0,  7, "authorityInfoAccess"            }, /* 260 */
- {              0x03,         262, 0,  7, "qcStatements"                   }, /* 261 */
- {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 262 */
- {            0x02,           266, 1,  6, "id-qt"                          }, /* 263 */
- {              0x01,         265, 0,  7, "cps"                            }, /* 264 */
- {              0x02,           0, 0,  7, "unotice"                        }, /* 265 */
- {            0x03,           276, 1,  6, "id-kp"                          }, /* 266 */
- {              0x01,         268, 0,  7, "serverAuth"                     }, /* 267 */
- {              0x02,         269, 0,  7, "clientAuth"                     }, /* 268 */
- {              0x03,         270, 0,  7, "codeSigning"                    }, /* 269 */
- {              0x04,         271, 0,  7, "emailProtection"                }, /* 270 */
- {              0x05,         272, 0,  7, "ipsecEndSystem"                 }, /* 271 */
- {              0x06,         273, 0,  7, "ipsecTunnel"                    }, /* 272 */
- {              0x07,         274, 0,  7, "ipsecUser"                      }, /* 273 */
- {              0x08,         275, 0,  7, "timeStamping"                   }, /* 274 */
- {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 275 */
- {            0x08,           284, 1,  6, "id-otherNames"                  }, /* 276 */
- {              0x01,         278, 0,  7, "personalData"                   }, /* 277 */
- {              0x02,         279, 0,  7, "userGroup"                      }, /* 278 */
- {              0x03,         280, 0,  7, "id-on-permanentIdentifier"      }, /* 279 */
- {              0x04,         281, 0,  7, "id-on-hardwareModuleName"       }, /* 280 */
- {              0x05,         282, 0,  7, "xmppAddr"                       }, /* 281 */
- {              0x06,         283, 0,  7, "id-on-SIM"                      }, /* 282 */
- {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 283 */
- {            0x0A,           289, 1,  6, "id-aca"                         }, /* 284 */
- {              0x01,         286, 0,  7, "authenticationInfo"             }, /* 285 */
- {              0x02,         287, 0,  7, "accessIdentity"                 }, /* 286 */
- {              0x03,         288, 0,  7, "chargingIdentity"               }, /* 287 */
- {              0x04,           0, 0,  7, "group"                          }, /* 288 */
- {            0x0B,           290, 0,  6, "subjectInfoAccess"              }, /* 289 */
- {            0x30,             0, 1,  6, "id-ad"                          }, /* 290 */
- {              0x01,         299, 1,  7, "ocsp"                           }, /* 291 */
- {                0x01,       293, 0,  8, "basic"                          }, /* 292 */
- {                0x02,       294, 0,  8, "nonce"                          }, /* 293 */
- {                0x03,       295, 0,  8, "crl"                            }, /* 294 */
- {                0x04,       296, 0,  8, "response"                       }, /* 295 */
- {                0x05,       297, 0,  8, "noCheck"                        }, /* 296 */
- {                0x06,       298, 0,  8, "archiveCutoff"                  }, /* 297 */
- {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 298 */
- {              0x02,         300, 0,  7, "caIssuers"                      }, /* 299 */
- {              0x03,         301, 0,  7, "timeStamping"                   }, /* 300 */
- {              0x05,           0, 0,  7, "caRepository"                   }, /* 301 */
- {          0x08,               0, 1,  5, "ipsec"                          }, /* 302 */
- {            0x02,             0, 1,  6, "certificate"                    }, /* 303 */
- {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 304 */
- {  0x0E,                     311, 1,  1, "oiw"                            }, /* 305 */
- {    0x03,                     0, 1,  2, "secsig"                         }, /* 306 */
- {      0x02,                   0, 1,  3, "algorithms"                     }, /* 307 */
- {        0x07,               309, 0,  4, "des-cbc"                        }, /* 308 */
- {        0x1A,               310, 0,  4, "sha-1"                          }, /* 309 */
- {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 310 */
- {  0x24,                     357, 1,  1, "TeleTrusT"                      }, /* 311 */
- {    0x03,                     0, 1,  2, "algorithm"                      }, /* 312 */
- {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 313 */
- {        0x01,               318, 1,  4, "rsaSignature"                   }, /* 314 */
- {          0x02,             316, 0,  5, "rsaSigWithripemd160"            }, /* 315 */
- {          0x03,             317, 0,  5, "rsaSigWithripemd128"            }, /* 316 */
- {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 317 */
- {        0x02,                 0, 1,  4, "ecSign"                         }, /* 318 */
- {          0x01,             320, 0,  5, "ecSignWithsha1"                 }, /* 319 */
- {          0x02,             321, 0,  5, "ecSignWithripemd160"            }, /* 320 */
- {          0x03,             322, 0,  5, "ecSignWithmd2"                  }, /* 321 */
- {          0x04,             323, 0,  5, "ecSignWithmd5"                  }, /* 322 */
- {          0x05,             340, 1,  5, "ttt-ecg"                        }, /* 323 */
- {            0x01,           328, 1,  6, "fieldType"                      }, /* 324 */
- {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 325 */
- {                0x01,         0, 1,  8, "basisType"                      }, /* 326 */
- {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 327 */
- {            0x02,           330, 1,  6, "keyType"                        }, /* 328 */
- {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 329 */
- {            0x03,           331, 0,  6, "curve"                          }, /* 330 */
- {            0x04,           338, 1,  6, "signatures"                     }, /* 331 */
- {              0x01,         333, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 332 */
- {              0x02,         334, 0,  7, "ecgdsa-with-SHA1"               }, /* 333 */
- {              0x03,         335, 0,  7, "ecgdsa-with-SHA224"             }, /* 334 */
- {              0x04,         336, 0,  7, "ecgdsa-with-SHA256"             }, /* 335 */
- {              0x05,         337, 0,  7, "ecgdsa-with-SHA384"             }, /* 336 */
- {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 337 */
- {            0x05,             0, 1,  6, "module"                         }, /* 338 */
- {              0x01,           0, 0,  7, "1"                              }, /* 339 */
- {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 340 */
- {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 341 */
- {              0x01,           0, 1,  7, "versionOne"                     }, /* 342 */
- {                0x01,       344, 0,  8, "brainpoolP160r1"                }, /* 343 */
- {                0x02,       345, 0,  8, "brainpoolP160t1"                }, /* 344 */
- {                0x03,       346, 0,  8, "brainpoolP192r1"                }, /* 345 */
- {                0x04,       347, 0,  8, "brainpoolP192t1"                }, /* 346 */
- {                0x05,       348, 0,  8, "brainpoolP224r1"                }, /* 347 */
- {                0x06,       349, 0,  8, "brainpoolP224t1"                }, /* 348 */
- {                0x07,       350, 0,  8, "brainpoolP256r1"                }, /* 349 */
- {                0x08,       351, 0,  8, "brainpoolP256t1"                }, /* 350 */
- {                0x09,       352, 0,  8, "brainpoolP320r1"                }, /* 351 */
- {                0x0A,       353, 0,  8, "brainpoolP320t1"                }, /* 352 */
- {                0x0B,       354, 0,  8, "brainpoolP384r1"                }, /* 353 */
- {                0x0C,       355, 0,  8, "brainpoolP384t1"                }, /* 354 */
- {                0x0D,       356, 0,  8, "brainpoolP512r1"                }, /* 355 */
- {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 356 */
- {  0x81,                       0, 1,  1, ""                               }, /* 357 */
- {    0x04,                     0, 1,  2, "Certicom"                       }, /* 358 */
- {      0x00,                   0, 1,  3, "curve"                          }, /* 359 */
- {        0x01,               361, 0,  4, "sect163k1"                      }, /* 360 */
- {        0x02,               362, 0,  4, "sect163r1"                      }, /* 361 */
- {        0x03,               363, 0,  4, "sect239k1"                      }, /* 362 */
- {        0x04,               364, 0,  4, "sect113r1"                      }, /* 363 */
- {        0x05,               365, 0,  4, "sect113r2"                      }, /* 364 */
- {        0x06,               366, 0,  4, "secp112r1"                      }, /* 365 */
- {        0x07,               367, 0,  4, "secp112r2"                      }, /* 366 */
- {        0x08,               368, 0,  4, "secp160r1"                      }, /* 367 */
- {        0x09,               369, 0,  4, "secp160k1"                      }, /* 368 */
- {        0x0A,               370, 0,  4, "secp256k1"                      }, /* 369 */
- {        0x0F,               371, 0,  4, "sect163r2"                      }, /* 370 */
- {        0x10,               372, 0,  4, "sect283k1"                      }, /* 371 */
- {        0x11,               373, 0,  4, "sect283r1"                      }, /* 372 */
- {        0x16,               374, 0,  4, "sect131r1"                      }, /* 373 */
- {        0x17,               375, 0,  4, "sect131r2"                      }, /* 374 */
- {        0x18,               376, 0,  4, "sect193r1"                      }, /* 375 */
- {        0x19,               377, 0,  4, "sect193r2"                      }, /* 376 */
- {        0x1A,               378, 0,  4, "sect233k1"                      }, /* 377 */
- {        0x1B,               379, 0,  4, "sect233r1"                      }, /* 378 */
- {        0x1C,               380, 0,  4, "secp128r1"                      }, /* 379 */
- {        0x1D,               381, 0,  4, "secp128r2"                      }, /* 380 */
- {        0x1E,               382, 0,  4, "secp160r2"                      }, /* 381 */
- {        0x1F,               383, 0,  4, "secp192k1"                      }, /* 382 */
- {        0x20,               384, 0,  4, "secp224k1"                      }, /* 383 */
- {        0x21,               385, 0,  4, "secp224r1"                      }, /* 384 */
- {        0x22,               386, 0,  4, "secp384r1"                      }, /* 385 */
- {        0x23,               387, 0,  4, "secp521r1"                      }, /* 386 */
- {        0x24,               388, 0,  4, "sect409k1"                      }, /* 387 */
- {        0x25,               389, 0,  4, "sect409r1"                      }, /* 388 */
- {        0x26,               390, 0,  4, "sect571k1"                      }, /* 389 */
- {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 390 */
- {0x60,                       445, 1,  0, ""                               }, /* 391 */
- {  0x86,                       0, 1,  1, ""                               }, /* 392 */
- {    0x48,                     0, 1,  2, ""                               }, /* 393 */
- {      0x01,                   0, 1,  3, "organization"                   }, /* 394 */
- {        0x65,               421, 1,  4, "gov"                            }, /* 395 */
- {          0x03,               0, 1,  5, "csor"                           }, /* 396 */
- {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 397 */
- {              0x01,         408, 1,  7, "aes"                            }, /* 398 */
- {                0x02,       400, 0,  8, "id-aes128-CBC"                  }, /* 399 */
- {                0x06,       401, 0,  8, "id-aes128-GCM"                  }, /* 400 */
- {                0x07,       402, 0,  8, "id-aes128-CCM"                  }, /* 401 */
- {                0x16,       403, 0,  8, "id-aes192-CBC"                  }, /* 402 */
- {                0x1A,       404, 0,  8, "id-aes192-GCM"                  }, /* 403 */
- {                0x1B,       405, 0,  8, "id-aes192-CCM"                  }, /* 404 */
- {                0x2A,       406, 0,  8, "id-aes256-CBC"                  }, /* 405 */
- {                0x2E,       407, 0,  8, "id-aes256-GCM"                  }, /* 406 */
- {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 407 */
- {              0x02,           0, 1,  7, "hashalgs"                       }, /* 408 */
- {                0x01,       410, 0,  8, "id-sha256"                      }, /* 409 */
- {                0x02,       411, 0,  8, "id-sha384"                      }, /* 410 */
- {                0x03,       412, 0,  8, "id-sha512"                      }, /* 411 */
- {                0x04,       413, 0,  8, "id-sha224"                      }, /* 412 */
- {                0x05,       414, 0,  8, "id-sha512-224"                  }, /* 413 */
- {                0x06,       415, 0,  8, "id-sha512-256"                  }, /* 414 */
- {                0x07,       416, 0,  8, "id-sha3-224"                    }, /* 415 */
- {                0x08,       417, 0,  8, "id-sha3-256"                    }, /* 416 */
- {                0x09,       418, 0,  8, "id-sha3-384"                    }, /* 417 */
- {                0x0A,       419, 0,  8, "id-sha3-512"                    }, /* 418 */
- {                0x0B,       420, 0,  8, "id-shake128"                    }, /* 419 */
- {                0x0C,         0, 0,  8, "id-shake256"                    }, /* 420 */
- {        0x86,                 0, 1,  4, ""                               }, /* 421 */
- {          0xf8,               0, 1,  5, ""                               }, /* 422 */
- {            0x42,           435, 1,  6, "netscape"                       }, /* 423 */
- {              0x01,         430, 1,  7, ""                               }, /* 424 */
- {                0x01,       426, 0,  8, "nsCertType"                     }, /* 425 */
- {                0x03,       427, 0,  8, "nsRevocationUrl"                }, /* 426 */
- {                0x04,       428, 0,  8, "nsCaRevocationUrl"              }, /* 427 */
- {                0x08,       429, 0,  8, "nsCaPolicyUrl"                  }, /* 428 */
- {                0x0d,         0, 0,  8, "nsComment"                      }, /* 429 */
- {              0x03,         433, 1,  7, "directory"                      }, /* 430 */
- {                0x01,         0, 1,  8, ""                               }, /* 431 */
- {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 432 */
- {              0x04,           0, 1,  7, "policy"                         }, /* 433 */
- {                0x01,         0, 0,  8, "nsSGC"                          }, /* 434 */
- {            0x45,             0, 1,  6, "verisign"                       }, /* 435 */
- {              0x01,           0, 1,  7, "pki"                            }, /* 436 */
- {                0x09,         0, 1,  8, "attributes"                     }, /* 437 */
- {                  0x02,     439, 0,  9, "messageType"                    }, /* 438 */
- {                  0x03,     440, 0,  9, "pkiStatus"                      }, /* 439 */
- {                  0x04,     441, 0,  9, "failInfo"                       }, /* 440 */
- {                  0x05,     442, 0,  9, "senderNonce"                    }, /* 441 */
- {                  0x06,     443, 0,  9, "recipientNonce"                 }, /* 442 */
- {                  0x07,     444, 0,  9, "transID"                        }, /* 443 */
- {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 444 */
- {0x67,                         0, 1,  0, ""                               }, /* 445 */
- {  0x81,                       0, 1,  1, ""                               }, /* 446 */
- {    0x05,                     0, 1,  2, ""                               }, /* 447 */
- {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 448 */
- {        0x01,               450, 0,  4, "tcg-at-tpmManufacturer"         }, /* 449 */
- {        0x02,               451, 0,  4, "tcg-at-tpmModel"                }, /* 450 */
- {        0x03,               452, 0,  4, "tcg-at-tpmVersion"              }, /* 451 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 452 */
+ {                0x01,       210, 0,  8, "strongSwan"                     }, /* 209 */
+ {                0x02,       211, 0,  8, "cps"                            }, /* 210 */
+ {                0x03,       212, 0,  8, "e-voting"                       }, /* 211 */
+ {                0x05,         0, 1,  8, "BLISS"                          }, /* 212 */
+ {                  0x01,     215, 1,  9, "keyType"                        }, /* 213 */
+ {                    0x01,     0, 0, 10, "blissPublicKey"                 }, /* 214 */
+ {                  0x02,     224, 1,  9, "parameters"                     }, /* 215 */
+ {                    0x01,   217, 0, 10, "BLISS-I"                        }, /* 216 */
+ {                    0x02,   218, 0, 10, "BLISS-II"                       }, /* 217 */
+ {                    0x03,   219, 0, 10, "BLISS-III"                      }, /* 218 */
+ {                    0x04,   220, 0, 10, "BLISS-IV"                       }, /* 219 */
+ {                    0x05,   221, 0, 10, "BLISS-B-I"                      }, /* 220 */
+ {                    0x06,   222, 0, 10, "BLISS-B-II"                     }, /* 221 */
+ {                    0x07,   223, 0, 10, "BLISS-B-III"                    }, /* 222 */
+ {                    0x08,     0, 0, 10, "BLISS-B-IV"                     }, /* 223 */
+ {                  0x03,       0, 1,  9, "blissSigType"                   }, /* 224 */
+ {                    0x01,   226, 0, 10, "BLISS-with-SHA512"              }, /* 225 */
+ {                    0x02,   227, 0, 10, "BLISS-with-SHA384"              }, /* 226 */
+ {                    0x03,     0, 0, 10, "BLISS-with-SHA256"              }, /* 227 */
+ {          0x89,             235, 1,  5, ""                               }, /* 228 */
+ {            0x31,             0, 1,  6, ""                               }, /* 229 */
+ {              0x01,           0, 1,  7, ""                               }, /* 230 */
+ {                0x01,         0, 1,  8, ""                               }, /* 231 */
+ {                  0x02,       0, 1,  9, ""                               }, /* 232 */
+ {                    0x02,     0, 1, 10, ""                               }, /* 233 */
+ {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 234 */
+ {          0x97,             239, 1,  5, ""                               }, /* 235 */
+ {            0x55,             0, 1,  6, ""                               }, /* 236 */
+ {              0x01,           0, 1,  7, ""                               }, /* 237 */
+ {                0x02,         0, 0,  8, "blowfish-cbc"                   }, /* 238 */
+ {          0xC1,               0, 1,  5, ""                               }, /* 239 */
+ {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 240 */
+ {              0x01,           0, 1,  7, "eess"                           }, /* 241 */
+ {                0x01,         0, 1,  8, "eess1"                          }, /* 242 */
+ {                  0x01,     247, 1,  9, "eess1-algs"                     }, /* 243 */
+ {                    0x01,   245, 0, 10, "ntru-EESS1v1-SVES"              }, /* 244 */
+ {                    0x02,   246, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 245 */
+ {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 246 */
+ {                  0x02,     277, 1,  9, "eess1-params"                   }, /* 247 */
+ {                    0x01,   249, 0, 10, "ees251ep1"                      }, /* 248 */
+ {                    0x02,   250, 0, 10, "ees347ep1"                      }, /* 249 */
+ {                    0x03,   251, 0, 10, "ees503ep1"                      }, /* 250 */
+ {                    0x07,   252, 0, 10, "ees251sp2"                      }, /* 251 */
+ {                    0x0C,   253, 0, 10, "ees251ep4"                      }, /* 252 */
+ {                    0x0D,   254, 0, 10, "ees251ep5"                      }, /* 253 */
+ {                    0x0E,   255, 0, 10, "ees251sp3"                      }, /* 254 */
+ {                    0x0F,   256, 0, 10, "ees251sp4"                      }, /* 255 */
+ {                    0x10,   257, 0, 10, "ees251sp5"                      }, /* 256 */
+ {                    0x11,   258, 0, 10, "ees251sp6"                      }, /* 257 */
+ {                    0x12,   259, 0, 10, "ees251sp7"                      }, /* 258 */
+ {                    0x13,   260, 0, 10, "ees251sp8"                      }, /* 259 */
+ {                    0x14,   261, 0, 10, "ees251sp9"                      }, /* 260 */
+ {                    0x22,   262, 0, 10, "ees401ep1"                      }, /* 261 */
+ {                    0x23,   263, 0, 10, "ees449ep1"                      }, /* 262 */
+ {                    0x24,   264, 0, 10, "ees677ep1"                      }, /* 263 */
+ {                    0x25,   265, 0, 10, "ees1087ep2"                     }, /* 264 */
+ {                    0x26,   266, 0, 10, "ees541ep1"                      }, /* 265 */
+ {                    0x27,   267, 0, 10, "ees613ep1"                      }, /* 266 */
+ {                    0x28,   268, 0, 10, "ees887ep1"                      }, /* 267 */
+ {                    0x29,   269, 0, 10, "ees1171ep1"                     }, /* 268 */
+ {                    0x2A,   270, 0, 10, "ees659ep1"                      }, /* 269 */
+ {                    0x2B,   271, 0, 10, "ees761ep1"                      }, /* 270 */
+ {                    0x2C,   272, 0, 10, "ees1087ep1"                     }, /* 271 */
+ {                    0x2D,   273, 0, 10, "ees1499ep1"                     }, /* 272 */
+ {                    0x2E,   274, 0, 10, "ees401ep2"                      }, /* 273 */
+ {                    0x2F,   275, 0, 10, "ees439ep1"                      }, /* 274 */
+ {                    0x30,   276, 0, 10, "ees593ep1"                      }, /* 275 */
+ {                    0x31,     0, 0, 10, "ees743ep1"                      }, /* 276 */
+ {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 277 */
+ {      0x05,                   0, 1,  3, "security"                       }, /* 278 */
+ {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 279 */
+ {          0x07,             324, 1,  5, "id-pkix"                        }, /* 280 */
+ {            0x01,           285, 1,  6, "id-pe"                          }, /* 281 */
+ {              0x01,         283, 0,  7, "authorityInfoAccess"            }, /* 282 */
+ {              0x03,         284, 0,  7, "qcStatements"                   }, /* 283 */
+ {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 284 */
+ {            0x02,           288, 1,  6, "id-qt"                          }, /* 285 */
+ {              0x01,         287, 0,  7, "cps"                            }, /* 286 */
+ {              0x02,           0, 0,  7, "unotice"                        }, /* 287 */
+ {            0x03,           298, 1,  6, "id-kp"                          }, /* 288 */
+ {              0x01,         290, 0,  7, "serverAuth"                     }, /* 289 */
+ {              0x02,         291, 0,  7, "clientAuth"                     }, /* 290 */
+ {              0x03,         292, 0,  7, "codeSigning"                    }, /* 291 */
+ {              0x04,         293, 0,  7, "emailProtection"                }, /* 292 */
+ {              0x05,         294, 0,  7, "ipsecEndSystem"                 }, /* 293 */
+ {              0x06,         295, 0,  7, "ipsecTunnel"                    }, /* 294 */
+ {              0x07,         296, 0,  7, "ipsecUser"                      }, /* 295 */
+ {              0x08,         297, 0,  7, "timeStamping"                   }, /* 296 */
+ {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 297 */
+ {            0x08,           306, 1,  6, "id-otherNames"                  }, /* 298 */
+ {              0x01,         300, 0,  7, "personalData"                   }, /* 299 */
+ {              0x02,         301, 0,  7, "userGroup"                      }, /* 300 */
+ {              0x03,         302, 0,  7, "id-on-permanentIdentifier"      }, /* 301 */
+ {              0x04,         303, 0,  7, "id-on-hardwareModuleName"       }, /* 302 */
+ {              0x05,         304, 0,  7, "xmppAddr"                       }, /* 303 */
+ {              0x06,         305, 0,  7, "id-on-SIM"                      }, /* 304 */
+ {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 305 */
+ {            0x0A,           311, 1,  6, "id-aca"                         }, /* 306 */
+ {              0x01,         308, 0,  7, "authenticationInfo"             }, /* 307 */
+ {              0x02,         309, 0,  7, "accessIdentity"                 }, /* 308 */
+ {              0x03,         310, 0,  7, "chargingIdentity"               }, /* 309 */
+ {              0x04,           0, 0,  7, "group"                          }, /* 310 */
+ {            0x0B,           312, 0,  6, "subjectInfoAccess"              }, /* 311 */
+ {            0x30,             0, 1,  6, "id-ad"                          }, /* 312 */
+ {              0x01,         321, 1,  7, "ocsp"                           }, /* 313 */
+ {                0x01,       315, 0,  8, "basic"                          }, /* 314 */
+ {                0x02,       316, 0,  8, "nonce"                          }, /* 315 */
+ {                0x03,       317, 0,  8, "crl"                            }, /* 316 */
+ {                0x04,       318, 0,  8, "response"                       }, /* 317 */
+ {                0x05,       319, 0,  8, "noCheck"                        }, /* 318 */
+ {                0x06,       320, 0,  8, "archiveCutoff"                  }, /* 319 */
+ {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 320 */
+ {              0x02,         322, 0,  7, "caIssuers"                      }, /* 321 */
+ {              0x03,         323, 0,  7, "timeStamping"                   }, /* 322 */
+ {              0x05,           0, 0,  7, "caRepository"                   }, /* 323 */
+ {          0x08,               0, 1,  5, "ipsec"                          }, /* 324 */
+ {            0x02,             0, 1,  6, "certificate"                    }, /* 325 */
+ {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 326 */
+ {  0x0E,                     333, 1,  1, "oiw"                            }, /* 327 */
+ {    0x03,                     0, 1,  2, "secsig"                         }, /* 328 */
+ {      0x02,                   0, 1,  3, "algorithms"                     }, /* 329 */
+ {        0x07,               331, 0,  4, "des-cbc"                        }, /* 330 */
+ {        0x1A,               332, 0,  4, "sha-1"                          }, /* 331 */
+ {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 332 */
+ {  0x24,                     379, 1,  1, "TeleTrusT"                      }, /* 333 */
+ {    0x03,                     0, 1,  2, "algorithm"                      }, /* 334 */
+ {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 335 */
+ {        0x01,               340, 1,  4, "rsaSignature"                   }, /* 336 */
+ {          0x02,             338, 0,  5, "rsaSigWithripemd160"            }, /* 337 */
+ {          0x03,             339, 0,  5, "rsaSigWithripemd128"            }, /* 338 */
+ {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 339 */
+ {        0x02,                 0, 1,  4, "ecSign"                         }, /* 340 */
+ {          0x01,             342, 0,  5, "ecSignWithsha1"                 }, /* 341 */
+ {          0x02,             343, 0,  5, "ecSignWithripemd160"            }, /* 342 */
+ {          0x03,             344, 0,  5, "ecSignWithmd2"                  }, /* 343 */
+ {          0x04,             345, 0,  5, "ecSignWithmd5"                  }, /* 344 */
+ {          0x05,             362, 1,  5, "ttt-ecg"                        }, /* 345 */
+ {            0x01,           350, 1,  6, "fieldType"                      }, /* 346 */
+ {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 347 */
+ {                0x01,         0, 1,  8, "basisType"                      }, /* 348 */
+ {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 349 */
+ {            0x02,           352, 1,  6, "keyType"                        }, /* 350 */
+ {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 351 */
+ {            0x03,           353, 0,  6, "curve"                          }, /* 352 */
+ {            0x04,           360, 1,  6, "signatures"                     }, /* 353 */
+ {              0x01,         355, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 354 */
+ {              0x02,         356, 0,  7, "ecgdsa-with-SHA1"               }, /* 355 */
+ {              0x03,         357, 0,  7, "ecgdsa-with-SHA224"             }, /* 356 */
+ {              0x04,         358, 0,  7, "ecgdsa-with-SHA256"             }, /* 357 */
+ {              0x05,         359, 0,  7, "ecgdsa-with-SHA384"             }, /* 358 */
+ {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 359 */
+ {            0x05,             0, 1,  6, "module"                         }, /* 360 */
+ {              0x01,           0, 0,  7, "1"                              }, /* 361 */
+ {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 362 */
+ {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 363 */
+ {              0x01,           0, 1,  7, "versionOne"                     }, /* 364 */
+ {                0x01,       366, 0,  8, "brainpoolP160r1"                }, /* 365 */
+ {                0x02,       367, 0,  8, "brainpoolP160t1"                }, /* 366 */
+ {                0x03,       368, 0,  8, "brainpoolP192r1"                }, /* 367 */
+ {                0x04,       369, 0,  8, "brainpoolP192t1"                }, /* 368 */
+ {                0x05,       370, 0,  8, "brainpoolP224r1"                }, /* 369 */
+ {                0x06,       371, 0,  8, "brainpoolP224t1"                }, /* 370 */
+ {                0x07,       372, 0,  8, "brainpoolP256r1"                }, /* 371 */
+ {                0x08,       373, 0,  8, "brainpoolP256t1"                }, /* 372 */
+ {                0x09,       374, 0,  8, "brainpoolP320r1"                }, /* 373 */
+ {                0x0A,       375, 0,  8, "brainpoolP320t1"                }, /* 374 */
+ {                0x0B,       376, 0,  8, "brainpoolP384r1"                }, /* 375 */
+ {                0x0C,       377, 0,  8, "brainpoolP384t1"                }, /* 376 */
+ {                0x0D,       378, 0,  8, "brainpoolP512r1"                }, /* 377 */
+ {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 378 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 379 */
+ {    0x04,                     0, 1,  2, "Certicom"                       }, /* 380 */
+ {      0x00,                   0, 1,  3, "curve"                          }, /* 381 */
+ {        0x01,               383, 0,  4, "sect163k1"                      }, /* 382 */
+ {        0x02,               384, 0,  4, "sect163r1"                      }, /* 383 */
+ {        0x03,               385, 0,  4, "sect239k1"                      }, /* 384 */
+ {        0x04,               386, 0,  4, "sect113r1"                      }, /* 385 */
+ {        0x05,               387, 0,  4, "sect113r2"                      }, /* 386 */
+ {        0x06,               388, 0,  4, "secp112r1"                      }, /* 387 */
+ {        0x07,               389, 0,  4, "secp112r2"                      }, /* 388 */
+ {        0x08,               390, 0,  4, "secp160r1"                      }, /* 389 */
+ {        0x09,               391, 0,  4, "secp160k1"                      }, /* 390 */
+ {        0x0A,               392, 0,  4, "secp256k1"                      }, /* 391 */
+ {        0x0F,               393, 0,  4, "sect163r2"                      }, /* 392 */
+ {        0x10,               394, 0,  4, "sect283k1"                      }, /* 393 */
+ {        0x11,               395, 0,  4, "sect283r1"                      }, /* 394 */
+ {        0x16,               396, 0,  4, "sect131r1"                      }, /* 395 */
+ {        0x17,               397, 0,  4, "sect131r2"                      }, /* 396 */
+ {        0x18,               398, 0,  4, "sect193r1"                      }, /* 397 */
+ {        0x19,               399, 0,  4, "sect193r2"                      }, /* 398 */
+ {        0x1A,               400, 0,  4, "sect233k1"                      }, /* 399 */
+ {        0x1B,               401, 0,  4, "sect233r1"                      }, /* 400 */
+ {        0x1C,               402, 0,  4, "secp128r1"                      }, /* 401 */
+ {        0x1D,               403, 0,  4, "secp128r2"                      }, /* 402 */
+ {        0x1E,               404, 0,  4, "secp160r2"                      }, /* 403 */
+ {        0x1F,               405, 0,  4, "secp192k1"                      }, /* 404 */
+ {        0x20,               406, 0,  4, "secp224k1"                      }, /* 405 */
+ {        0x21,               407, 0,  4, "secp224r1"                      }, /* 406 */
+ {        0x22,               408, 0,  4, "secp384r1"                      }, /* 407 */
+ {        0x23,               409, 0,  4, "secp521r1"                      }, /* 408 */
+ {        0x24,               410, 0,  4, "sect409k1"                      }, /* 409 */
+ {        0x25,               411, 0,  4, "sect409r1"                      }, /* 410 */
+ {        0x26,               412, 0,  4, "sect571k1"                      }, /* 411 */
+ {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 412 */
+ {0x60,                       467, 1,  0, ""                               }, /* 413 */
+ {  0x86,                       0, 1,  1, ""                               }, /* 414 */
+ {    0x48,                     0, 1,  2, ""                               }, /* 415 */
+ {      0x01,                   0, 1,  3, "organization"                   }, /* 416 */
+ {        0x65,               443, 1,  4, "gov"                            }, /* 417 */
+ {          0x03,               0, 1,  5, "csor"                           }, /* 418 */
+ {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 419 */
+ {              0x01,         430, 1,  7, "aes"                            }, /* 420 */
+ {                0x02,       422, 0,  8, "id-aes128-CBC"                  }, /* 421 */
+ {                0x06,       423, 0,  8, "id-aes128-GCM"                  }, /* 422 */
+ {                0x07,       424, 0,  8, "id-aes128-CCM"                  }, /* 423 */
+ {                0x16,       425, 0,  8, "id-aes192-CBC"                  }, /* 424 */
+ {                0x1A,       426, 0,  8, "id-aes192-GCM"                  }, /* 425 */
+ {                0x1B,       427, 0,  8, "id-aes192-CCM"                  }, /* 426 */
+ {                0x2A,       428, 0,  8, "id-aes256-CBC"                  }, /* 427 */
+ {                0x2E,       429, 0,  8, "id-aes256-GCM"                  }, /* 428 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 429 */
+ {              0x02,           0, 1,  7, "hashalgs"                       }, /* 430 */
+ {                0x01,       432, 0,  8, "id-sha256"                      }, /* 431 */
+ {                0x02,       433, 0,  8, "id-sha384"                      }, /* 432 */
+ {                0x03,       434, 0,  8, "id-sha512"                      }, /* 433 */
+ {                0x04,       435, 0,  8, "id-sha224"                      }, /* 434 */
+ {                0x05,       436, 0,  8, "id-sha512-224"                  }, /* 435 */
+ {                0x06,       437, 0,  8, "id-sha512-256"                  }, /* 436 */
+ {                0x07,       438, 0,  8, "id-sha3-224"                    }, /* 437 */
+ {                0x08,       439, 0,  8, "id-sha3-256"                    }, /* 438 */
+ {                0x09,       440, 0,  8, "id-sha3-384"                    }, /* 439 */
+ {                0x0A,       441, 0,  8, "id-sha3-512"                    }, /* 440 */
+ {                0x0B,       442, 0,  8, "id-shake128"                    }, /* 441 */
+ {                0x0C,         0, 0,  8, "id-shake256"                    }, /* 442 */
+ {        0x86,                 0, 1,  4, ""                               }, /* 443 */
+ {          0xf8,               0, 1,  5, ""                               }, /* 444 */
+ {            0x42,           457, 1,  6, "netscape"                       }, /* 445 */
+ {              0x01,         452, 1,  7, ""                               }, /* 446 */
+ {                0x01,       448, 0,  8, "nsCertType"                     }, /* 447 */
+ {                0x03,       449, 0,  8, "nsRevocationUrl"                }, /* 448 */
+ {                0x04,       450, 0,  8, "nsCaRevocationUrl"              }, /* 449 */
+ {                0x08,       451, 0,  8, "nsCaPolicyUrl"                  }, /* 450 */
+ {                0x0d,         0, 0,  8, "nsComment"                      }, /* 451 */
+ {              0x03,         455, 1,  7, "directory"                      }, /* 452 */
+ {                0x01,         0, 1,  8, ""                               }, /* 453 */
+ {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 454 */
+ {              0x04,           0, 1,  7, "policy"                         }, /* 455 */
+ {                0x01,         0, 0,  8, "nsSGC"                          }, /* 456 */
+ {            0x45,             0, 1,  6, "verisign"                       }, /* 457 */
+ {              0x01,           0, 1,  7, "pki"                            }, /* 458 */
+ {                0x09,         0, 1,  8, "attributes"                     }, /* 459 */
+ {                  0x02,     461, 0,  9, "messageType"                    }, /* 460 */
+ {                  0x03,     462, 0,  9, "pkiStatus"                      }, /* 461 */
+ {                  0x04,     463, 0,  9, "failInfo"                       }, /* 462 */
+ {                  0x05,     464, 0,  9, "senderNonce"                    }, /* 463 */
+ {                  0x06,     465, 0,  9, "recipientNonce"                 }, /* 464 */
+ {                  0x07,     466, 0,  9, "transID"                        }, /* 465 */
+ {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 466 */
+ {0x67,                         0, 1,  0, ""                               }, /* 467 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 468 */
+ {    0x05,                     0, 1,  2, ""                               }, /* 469 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 470 */
+ {        0x01,               472, 0,  4, "tcg-at-tpmManufacturer"         }, /* 471 */
+ {        0x02,               473, 0,  4, "tcg-at-tpmModel"                }, /* 472 */
+ {        0x03,               474, 0,  4, "tcg-at-tpmVersion"              }, /* 473 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 474 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 0933f236a..0f7c5d644 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -141,99 +141,112 @@ extern const oid_t oid_names[];
 #define OID_MS_SMARTCARD_LOGON				202
 #define OID_USER_PRINCIPAL_NAME				203
 #define OID_STRONGSWAN						209
-#define OID_TCGID							216
-#define OID_AUTHORITY_INFO_ACCESS			260
-#define OID_IP_ADDR_BLOCKS					262
-#define OID_POLICY_QUALIFIER_CPS			264
-#define OID_POLICY_QUALIFIER_UNOTICE		265
-#define OID_SERVER_AUTH						267
-#define OID_CLIENT_AUTH						268
-#define OID_OCSP_SIGNING					275
-#define OID_XMPP_ADDR						281
-#define OID_AUTHENTICATION_INFO				285
-#define OID_ACCESS_IDENTITY					286
-#define OID_CHARGING_IDENTITY				287
-#define OID_GROUP							288
-#define OID_OCSP							291
-#define OID_BASIC							292
-#define OID_NONCE							293
-#define OID_CRL								294
-#define OID_RESPONSE						295
-#define OID_NO_CHECK						296
-#define OID_ARCHIVE_CUTOFF					297
-#define OID_SERVICE_LOCATOR					298
-#define OID_CA_ISSUERS						299
-#define OID_IKE_INTERMEDIATE				304
-#define OID_DES_CBC							308
-#define OID_SHA1							309
-#define OID_SHA1_WITH_RSA_OIW				310
-#define OID_ECGDSA_PUBKEY					329
-#define OID_ECGDSA_SIG_WITH_RIPEMD160		332
-#define OID_ECGDSA_SIG_WITH_SHA1			333
-#define OID_ECGDSA_SIG_WITH_SHA224			334
-#define OID_ECGDSA_SIG_WITH_SHA256			335
-#define OID_ECGDSA_SIG_WITH_SHA384			336
-#define OID_ECGDSA_SIG_WITH_SHA512			337
-#define OID_SECT163K1						360
-#define OID_SECT163R1						361
-#define OID_SECT239K1						362
-#define OID_SECT113R1						363
-#define OID_SECT113R2						364
-#define OID_SECT112R1						365
-#define OID_SECT112R2						366
-#define OID_SECT160R1						367
-#define OID_SECT160K1						368
-#define OID_SECT256K1						369
-#define OID_SECT163R2						370
-#define OID_SECT283K1						371
-#define OID_SECT283R1						372
-#define OID_SECT131R1						373
-#define OID_SECT131R2						374
-#define OID_SECT193R1						375
-#define OID_SECT193R2						376
-#define OID_SECT233K1						377
-#define OID_SECT233R1						378
-#define OID_SECT128R1						379
-#define OID_SECT128R2						380
-#define OID_SECT160R2						381
-#define OID_SECT192K1						382
-#define OID_SECT224K1						383
-#define OID_SECT224R1						384
-#define OID_SECT384R1						385
-#define OID_SECT521R1						386
-#define OID_SECT409K1						387
-#define OID_SECT409R1						388
-#define OID_SECT571K1						389
-#define OID_SECT571R1						390
-#define OID_AES128_CBC						399
-#define OID_AES128_GCM						400
-#define OID_AES128_CCM						401
-#define OID_AES192_CBC						402
-#define OID_AES192_GCM						403
-#define OID_AES192_CCM						404
-#define OID_AES256_CBC						405
-#define OID_AES256_GCM						406
-#define OID_AES256_CCM						407
-#define OID_SHA256							409
-#define OID_SHA384							410
-#define OID_SHA512							411
-#define OID_SHA224							412
-#define OID_NS_REVOCATION_URL				426
-#define OID_NS_CA_REVOCATION_URL			427
-#define OID_NS_CA_POLICY_URL				428
-#define OID_NS_COMMENT						429
-#define OID_EMPLOYEE_NUMBER					432
-#define OID_PKI_MESSAGE_TYPE				438
-#define OID_PKI_STATUS						439
-#define OID_PKI_FAIL_INFO					440
-#define OID_PKI_SENDER_NONCE				441
-#define OID_PKI_RECIPIENT_NONCE				442
-#define OID_PKI_TRANS_ID					443
-#define OID_TPM_MANUFACTURER				449
-#define OID_TPM_MODEL						450
-#define OID_TPM_VERSION						451
-#define OID_TPM_ID_LABEL					452
+#define OID_BLISS_PUBLICKEY					214
+#define OID_BLISS_I							216
+#define OID_BLISS_II						217
+#define OID_BLISS_III						218
+#define OID_BLISS_IV						219
+#define OID_BLISS_B_I						220
+#define OID_BLISS_B_II						221
+#define OID_BLISS_B_III						222
+#define OID_BLISS_B_IV						223
+#define OID_BLISS_WITH_SHA512				225
+#define OID_BLISS_WITH_SHA384				226
+#define OID_BLISS_WITH_SHA256				227
+#define OID_TCGID							234
+#define OID_BLOWFISH_CBC					238
+#define OID_AUTHORITY_INFO_ACCESS			282
+#define OID_IP_ADDR_BLOCKS					284
+#define OID_POLICY_QUALIFIER_CPS			286
+#define OID_POLICY_QUALIFIER_UNOTICE		287
+#define OID_SERVER_AUTH						289
+#define OID_CLIENT_AUTH						290
+#define OID_OCSP_SIGNING					297
+#define OID_XMPP_ADDR						303
+#define OID_AUTHENTICATION_INFO				307
+#define OID_ACCESS_IDENTITY					308
+#define OID_CHARGING_IDENTITY				309
+#define OID_GROUP							310
+#define OID_OCSP							313
+#define OID_BASIC							314
+#define OID_NONCE							315
+#define OID_CRL								316
+#define OID_RESPONSE						317
+#define OID_NO_CHECK						318
+#define OID_ARCHIVE_CUTOFF					319
+#define OID_SERVICE_LOCATOR					320
+#define OID_CA_ISSUERS						321
+#define OID_IKE_INTERMEDIATE				326
+#define OID_DES_CBC							330
+#define OID_SHA1							331
+#define OID_SHA1_WITH_RSA_OIW				332
+#define OID_ECGDSA_PUBKEY					351
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		354
+#define OID_ECGDSA_SIG_WITH_SHA1			355
+#define OID_ECGDSA_SIG_WITH_SHA224			356
+#define OID_ECGDSA_SIG_WITH_SHA256			357
+#define OID_ECGDSA_SIG_WITH_SHA384			358
+#define OID_ECGDSA_SIG_WITH_SHA512			359
+#define OID_SECT163K1						382
+#define OID_SECT163R1						383
+#define OID_SECT239K1						384
+#define OID_SECT113R1						385
+#define OID_SECT113R2						386
+#define OID_SECT112R1						387
+#define OID_SECT112R2						388
+#define OID_SECT160R1						389
+#define OID_SECT160K1						390
+#define OID_SECT256K1						391
+#define OID_SECT163R2						392
+#define OID_SECT283K1						393
+#define OID_SECT283R1						394
+#define OID_SECT131R1						395
+#define OID_SECT131R2						396
+#define OID_SECT193R1						397
+#define OID_SECT193R2						398
+#define OID_SECT233K1						399
+#define OID_SECT233R1						400
+#define OID_SECT128R1						401
+#define OID_SECT128R2						402
+#define OID_SECT160R2						403
+#define OID_SECT192K1						404
+#define OID_SECT224K1						405
+#define OID_SECT224R1						406
+#define OID_SECT384R1						407
+#define OID_SECT521R1						408
+#define OID_SECT409K1						409
+#define OID_SECT409R1						410
+#define OID_SECT571K1						411
+#define OID_SECT571R1						412
+#define OID_AES128_CBC						421
+#define OID_AES128_GCM						422
+#define OID_AES128_CCM						423
+#define OID_AES192_CBC						424
+#define OID_AES192_GCM						425
+#define OID_AES192_CCM						426
+#define OID_AES256_CBC						427
+#define OID_AES256_GCM						428
+#define OID_AES256_CCM						429
+#define OID_SHA256							431
+#define OID_SHA384							432
+#define OID_SHA512							433
+#define OID_SHA224							434
+#define OID_NS_REVOCATION_URL				448
+#define OID_NS_CA_REVOCATION_URL			449
+#define OID_NS_CA_POLICY_URL				450
+#define OID_NS_COMMENT						451
+#define OID_EMPLOYEE_NUMBER					454
+#define OID_PKI_MESSAGE_TYPE				460
+#define OID_PKI_STATUS						461
+#define OID_PKI_FAIL_INFO					462
+#define OID_PKI_SENDER_NONCE				463
+#define OID_PKI_RECIPIENT_NONCE				464
+#define OID_PKI_TRANS_ID					465
+#define OID_TPM_MANUFACTURER				471
+#define OID_TPM_MODEL						472
+#define OID_TPM_VERSION						473
+#define OID_TPM_ID_LABEL					474
 
-#define OID_MAX								453
+#define OID_MAX								475
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index e545188d4..919d24c43 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -208,6 +208,24 @@
             0xA0             ""
               0x2A           "ITA"
                 0x01         "strongSwan"				OID_STRONGSWAN
+                0x02         "cps"
+                0x03         "e-voting"
+                0x05         "BLISS"
+                  0x01       "keyType"
+                    0x01     "blissPublicKey"			OID_BLISS_PUBLICKEY
+                  0x02       "parameters"
+                    0x01     "BLISS-I"					OID_BLISS_I
+                    0x02     "BLISS-II"					OID_BLISS_II
+                    0x03     "BLISS-III"				OID_BLISS_III
+                    0x04     "BLISS-IV"					OID_BLISS_IV
+                    0x05     "BLISS-B-I"				OID_BLISS_B_I
+                    0x06     "BLISS-B-II"				OID_BLISS_B_II
+                    0x07     "BLISS-B-III"				OID_BLISS_B_III
+                    0x08     "BLISS-B-IV"				OID_BLISS_B_IV
+                  0x03       "blissSigType"
+                    0x01     "BLISS-with-SHA512"		OID_BLISS_WITH_SHA512
+                    0x02     "BLISS-with-SHA384"		OID_BLISS_WITH_SHA384
+                    0x03     "BLISS-with-SHA256"		OID_BLISS_WITH_SHA256
           0x89               ""
             0x31             ""
               0x01           ""
@@ -215,6 +233,10 @@
                   0x02       ""
                     0x02     ""
                       0x4B   "TCGID"					OID_TCGID
+          0x97               ""
+            0x55             ""
+              0x01           ""
+                0x02         "blowfish-cbc"				OID_BLOWFISH_CBC
           0xC1               ""
             0x16             "ntruCryptosystems"
               0x01           "eess"
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index db08c6b96..0ca45a15b 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -49,6 +49,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT,
 	"RULE_GROUP",
 	"RULE_RSA_STRENGTH",
 	"RULE_ECDSA_STRENGTH",
+	"RULE_BLISS_STRENGTH",
 	"RULE_SIGNATURE_SCHEME",
 	"RULE_CERT_POLICY",
 	"HELPER_IM_CERT",
@@ -71,6 +72,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 		case AUTH_RULE_EAP_VENDOR:
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
+		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_IDENTITY:
 		case AUTH_RULE_IDENTITY_LOOSE:
 		case AUTH_RULE_EAP_IDENTITY:
@@ -207,6 +209,7 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
 		case AUTH_RULE_OCSP_VALIDATION:
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
+		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
 			/* integer type */
 			this->value = (void*)(uintptr_t)va_arg(args, u_int);
@@ -255,6 +258,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 		case AUTH_RULE_OCSP_VALIDATION:
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
+		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
 		{
 			return e1->value == e2->value;
@@ -345,6 +349,7 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_RULE_OCSP_VALIDATION:
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
+		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
 		case AUTH_RULE_MAX:
 			break;
@@ -376,6 +381,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
 			case AUTH_RULE_OCSP_VALIDATION:
 			case AUTH_RULE_RSA_STRENGTH:
 			case AUTH_RULE_ECDSA_STRENGTH:
+			case AUTH_RULE_BLISS_STRENGTH:
 			case AUTH_RULE_SIGNATURE_SCHEME:
 				/* integer type */
 				entry->value = (void*)(uintptr_t)va_arg(args, u_int);
@@ -450,6 +456,7 @@ METHOD(auth_cfg_t, get, void*,
 		case AUTH_RULE_EAP_VENDOR:
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
+		case AUTH_RULE_BLISS_STRENGTH:
 			return (void*)0;
 		case AUTH_RULE_SIGNATURE_SCHEME:
 			return (void*)HASH_UNKNOWN;
@@ -513,6 +520,7 @@ METHOD(auth_cfg_t, complies, bool,
 	signature_scheme_t scheme = SIGN_UNKNOWN;
 	u_int strength = 0;
 	auth_rule_t t1, t2;
+	char *key_type;
 	void *value;
 
 	e1 = constraints->create_enumerator(constraints);
@@ -703,6 +711,7 @@ METHOD(auth_cfg_t, complies, bool,
 			}
 			case AUTH_RULE_RSA_STRENGTH:
 			case AUTH_RULE_ECDSA_STRENGTH:
+			case AUTH_RULE_BLISS_STRENGTH:
 			{
 				strength = (uintptr_t)value;
 				break;
@@ -797,30 +806,39 @@ METHOD(auth_cfg_t, complies, bool,
 		e2 = create_enumerator(this);
 		while (e2->enumerate(e2, &t2, &strength))
 		{
-			if (t2 == AUTH_RULE_RSA_STRENGTH ||
-				t2 == AUTH_RULE_ECDSA_STRENGTH)
+			switch (t2)
 			{
-				success = FALSE;
-				e1 = constraints->create_enumerator(constraints);
-				while (e1->enumerate(e1, &t1, &value))
+				default:
+					continue;
+				case AUTH_RULE_RSA_STRENGTH:
+					key_type = "RSA";
+					break;
+				case AUTH_RULE_ECDSA_STRENGTH:
+					key_type = "ECDSA";
+					break;
+				case AUTH_RULE_BLISS_STRENGTH:
+					key_type = "BLISS";
+					break;
+			}
+			success = FALSE;
+			e1 = constraints->create_enumerator(constraints);
+			while (e1->enumerate(e1, &t1, &value))
+			{
+				if (t1 == t2 && (uintptr_t)value <= strength)
 				{
-					if (t1 == t2 && (uintptr_t)value <= strength)
-					{
-						success = TRUE;
-						break;
-					}
+					success = TRUE;
+					break;
 				}
-				e1->destroy(e1);
-				if (!success)
+			}
+			e1->destroy(e1);
+			if (!success)
+			{
+				if (log_error)
 				{
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "%s-%d signatures not acceptable",
-							 t2 == AUTH_RULE_RSA_STRENGTH ? "RSA" : "ECDSA",
-							 strength);
-					}
-					break;
+					DBG1(DBG_CFG, "%s-%d signatures not acceptable",
+						 key_type, strength);
 				}
+				break;
 			}
 		}
 		e2->destroy(e2);
@@ -891,6 +909,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_RULE_EAP_VENDOR:
 				case AUTH_RULE_RSA_STRENGTH:
 				case AUTH_RULE_ECDSA_STRENGTH:
+				case AUTH_RULE_BLISS_STRENGTH:
 				case AUTH_RULE_SIGNATURE_SCHEME:
 				{
 					add(this, type, (uintptr_t)value);
@@ -1060,6 +1079,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_RULE_OCSP_VALIDATION:
 			case AUTH_RULE_RSA_STRENGTH:
 			case AUTH_RULE_ECDSA_STRENGTH:
+			case AUTH_RULE_BLISS_STRENGTH:
 			case AUTH_RULE_SIGNATURE_SCHEME:
 				clone->add(clone, type, (uintptr_t)value);
 				break;
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 95b36d706..53f1b3805 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -102,6 +102,8 @@ enum auth_rule_t {
 	AUTH_RULE_RSA_STRENGTH,
 	/** required ECDSA public key strength, u_int in bits */
 	AUTH_RULE_ECDSA_STRENGTH,
+	/** required BLISS public key strength, u_int in bits */
+	AUTH_RULE_BLISS_STRENGTH,
 	/** required signature scheme, signature_scheme_t */
 	AUTH_RULE_SIGNATURE_SCHEME,
 	/** certificatePolicy constraint, numerical OID as char* */
diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h
index a6c9c30af..b4d1f4c3c 100644
--- a/src/libstrongswan/credentials/cred_encoding.h
+++ b/src/libstrongswan/credentials/cred_encoding.h
@@ -144,6 +144,10 @@ enum cred_encoding_part_t {
 	CRED_PART_PKCS10_ASN1_DER,
 	/** a PGP encoded certificate */
 	CRED_PART_PGP_CERT,
+	/** a DER encoded BLISS public key */
+	CRED_PART_BLISS_PUB_ASN1_DER,
+	/** a DER encoded BLISS private key */
+	CRED_PART_BLISS_PRIV_ASN1_DER,
 
 	CRED_PART_END,
 };
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index b0c8e48ba..371e6404d 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -698,6 +698,9 @@ static void get_key_strength(certificate_t *cert, auth_cfg_t *auth)
 			case KEY_ECDSA:
 				auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength);
 				break;
+			case KEY_BLISS:
+				auth->add(auth, AUTH_RULE_BLISS_STRENGTH, strength);
+				break;
 			default:
 				break;
 		}
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index 37bba77d1..bd5915e60 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -1,6 +1,8 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -17,14 +19,15 @@
 
 #include "public_key.h"
 
-ENUM(key_type_names, KEY_ANY, KEY_DSA,
+ENUM(key_type_names, KEY_ANY, KEY_BLISS,
 	"ANY",
 	"RSA",
 	"ECDSA",
-	"DSA"
+	"DSA",
+	"BLISS"
 );
 
-ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
+ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA512,
 	"UNKNOWN",
 	"RSA_EMSA_PKCS1_NULL",
 	"RSA_EMSA_PKCS1_MD5",
@@ -41,6 +44,9 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
 	"ECDSA-256",
 	"ECDSA-384",
 	"ECDSA-521",
+	"BLISS_WITH_SHA256",
+	"BLISS_WITH_SHA384",
+	"BLISS_WITH_SHA512",
 );
 
 ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512,
@@ -130,8 +136,158 @@ signature_scheme_t signature_scheme_from_oid(int oid)
 			return SIGN_ECDSA_WITH_SHA384_DER;
 		case OID_ECDSA_WITH_SHA512:
 			return SIGN_ECDSA_WITH_SHA512_DER;
-		default:
-			return SIGN_UNKNOWN;
+		case OID_BLISS_PUBLICKEY:
+		case OID_BLISS_WITH_SHA512:
+			return SIGN_BLISS_WITH_SHA512;
+		case OID_BLISS_WITH_SHA256:
+			return SIGN_BLISS_WITH_SHA256;
+		case OID_BLISS_WITH_SHA384:
+			return SIGN_BLISS_WITH_SHA384;
 	}
+	return SIGN_UNKNOWN;
 }
 
+/*
+ * Defined in header.
+ */
+int signature_scheme_to_oid(signature_scheme_t scheme)
+{
+	switch (scheme)
+	{
+		case SIGN_UNKNOWN:
+		case SIGN_RSA_EMSA_PKCS1_NULL:
+		case SIGN_ECDSA_WITH_NULL:
+		case SIGN_ECDSA_256:
+		case SIGN_ECDSA_384:
+		case SIGN_ECDSA_521:
+			break;
+		case SIGN_RSA_EMSA_PKCS1_MD5:
+			return OID_MD5_WITH_RSA;
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+			return OID_SHA1_WITH_RSA;
+		case SIGN_RSA_EMSA_PKCS1_SHA224:
+			return OID_SHA224_WITH_RSA;
+		case SIGN_RSA_EMSA_PKCS1_SHA256:
+			return OID_SHA256_WITH_RSA;
+		case SIGN_RSA_EMSA_PKCS1_SHA384:
+			return OID_SHA384_WITH_RSA;
+		case SIGN_RSA_EMSA_PKCS1_SHA512:
+			return OID_SHA512_WITH_RSA;
+		case SIGN_ECDSA_WITH_SHA1_DER:
+			return OID_ECDSA_WITH_SHA1;
+		case SIGN_ECDSA_WITH_SHA256_DER:
+			return OID_ECDSA_WITH_SHA256;
+		case SIGN_ECDSA_WITH_SHA384_DER:
+			return OID_ECDSA_WITH_SHA384;
+		case SIGN_ECDSA_WITH_SHA512_DER:
+			return OID_ECDSA_WITH_SHA512;
+		case SIGN_BLISS_WITH_SHA256:
+			return OID_BLISS_WITH_SHA256;
+		case SIGN_BLISS_WITH_SHA384:
+			return OID_BLISS_WITH_SHA384;
+		case SIGN_BLISS_WITH_SHA512:
+			return OID_BLISS_WITH_SHA512;
+	}
+	return OID_UNKNOWN;
+}
+
+/**
+ * Map for signature schemes to the key type and maximum key size allowed.
+ * We only cover schemes with hash algorithms supported by IKEv2 signature
+ * authentication.
+ */
+static struct {
+	signature_scheme_t scheme;
+	key_type_t type;
+	int max_keysize;
+} scheme_map[] = {
+	{ SIGN_RSA_EMSA_PKCS1_SHA256, KEY_RSA,   3072 },
+	{ SIGN_RSA_EMSA_PKCS1_SHA384, KEY_RSA,   7680 },
+	{ SIGN_RSA_EMSA_PKCS1_SHA512, KEY_RSA,   0 },
+	{ SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, 256 },
+	{ SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, 384 },
+	{ SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, 0 },
+	{ SIGN_BLISS_WITH_SHA256,     KEY_BLISS, 128 },
+	{ SIGN_BLISS_WITH_SHA384,     KEY_BLISS, 192 },
+	{ SIGN_BLISS_WITH_SHA512,     KEY_BLISS, 0 },
+};
+
+/**
+ * Private data for signature scheme enumerator
+ */
+typedef struct  {
+	enumerator_t public;
+	int index;
+	key_type_t type;
+	int size;
+} private_enumerator_t;
+
+METHOD(enumerator_t, signature_schemes_enumerate, bool,
+	private_enumerator_t *this, signature_scheme_t *scheme)
+{
+	while (++this->index < countof(scheme_map))
+	{
+		if (this->type == scheme_map[this->index].type &&
+		   (this->size <= scheme_map[this->index].max_keysize ||
+			!scheme_map[this->index].max_keysize))
+		{
+			*scheme = scheme_map[this->index].scheme;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/*
+ * Defined in header.
+ */
+enumerator_t *signature_schemes_for_key(key_type_t type, int size)
+{
+	private_enumerator_t *this;
+
+	INIT(this,
+		.public = {
+			.enumerate = (void*)_signature_schemes_enumerate,
+			.destroy = (void*)free,
+		},
+		.index = -1,
+		.type = type,
+		.size = size,
+	);
+
+	return &this->public;
+}
+
+/*
+ * Defined in header.
+ */
+key_type_t key_type_from_signature_scheme(signature_scheme_t scheme)
+{
+	switch (scheme)
+	{
+		case SIGN_UNKNOWN:
+			break;
+		case SIGN_RSA_EMSA_PKCS1_NULL:
+		case SIGN_RSA_EMSA_PKCS1_MD5:
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+		case SIGN_RSA_EMSA_PKCS1_SHA224:
+		case SIGN_RSA_EMSA_PKCS1_SHA256:
+		case SIGN_RSA_EMSA_PKCS1_SHA384:
+		case SIGN_RSA_EMSA_PKCS1_SHA512:
+			return KEY_RSA;
+		case SIGN_ECDSA_WITH_SHA1_DER:
+		case SIGN_ECDSA_WITH_SHA256_DER:
+		case SIGN_ECDSA_WITH_SHA384_DER:
+		case SIGN_ECDSA_WITH_SHA512_DER:
+		case SIGN_ECDSA_WITH_NULL:
+		case SIGN_ECDSA_256:
+		case SIGN_ECDSA_384:
+		case SIGN_ECDSA_521:
+			return KEY_ECDSA;
+		case SIGN_BLISS_WITH_SHA256:
+		case SIGN_BLISS_WITH_SHA384:
+		case SIGN_BLISS_WITH_SHA512:
+			return KEY_BLISS;
+	}
+	return KEY_ANY;
+}
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index 2afcf8325..66e98b294 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -1,6 +1,8 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -42,6 +44,8 @@ enum key_type_t {
 	KEY_ECDSA = 2,
 	/** DSA */
 	KEY_DSA   = 3,
+	/** BLISS */
+	KEY_BLISS = 4,
 	/** ElGamal, ... */
 };
 
@@ -90,6 +94,12 @@ enum signature_scheme_t {
 	SIGN_ECDSA_384,
 	/** ECDSA on the P-521 curve with SHA-512 as in RFC 4754           */
 	SIGN_ECDSA_521,
+	/** BLISS with SHA-256                                             */
+	SIGN_BLISS_WITH_SHA256,
+	/** BLISS with SHA-384                                             */
+	SIGN_BLISS_WITH_SHA384,
+	/** BLISS with SHA-512                                             */
+	SIGN_BLISS_WITH_SHA512,
 };
 
 /**
@@ -234,8 +244,35 @@ bool public_key_has_fingerprint(public_key_t *public, chunk_t fingerprint);
  * Conversion of ASN.1 signature or hash OID to signature scheme.
  *
  * @param oid			ASN.1 OID
- * @return				signature_scheme, SIGN_UNKNOWN if OID is unsupported
+ * @return				signature scheme, SIGN_UNKNOWN if OID is unsupported
  */
 signature_scheme_t signature_scheme_from_oid(int oid);
 
+/**
+ * Conversion of signature scheme to ASN.1 signature OID.
+ *
+ * @param scheme		signature scheme
+ * @return				ASN.1 OID, OID_UNKNOWN if not supported
+ */
+int signature_scheme_to_oid(signature_scheme_t scheme);
+
+/**
+ * Enumerate signature schemes that are appropriate for a key of the given type
+ * and size|strength.
+ *
+ * @param type			type of the key
+ * @param size			size or strength of the key
+ * @return				enumerator over signature_scheme_t (increasing strength)
+ */
+enumerator_t *signature_schemes_for_key(key_type_t type, int size);
+
+/**
+ * Determine the type of key associated with a given signature scheme.
+ *
+ * @param scheme		signature scheme
+ * @return				key type (could be KEY_ANY)
+ */
+key_type_t key_type_from_signature_scheme(signature_scheme_t scheme);
+
+
 #endif /** PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index 563f4bdd5..60720dc57 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -143,6 +143,7 @@ METHOD(cert_cache_t, issued_by, bool,
 	private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer,
 	signature_scheme_t *schemep)
 {
+	certificate_t *cached_issuer = NULL;
 	relation_t *found = NULL, *current;
 	signature_scheme_t scheme;
 	int i;
@@ -154,39 +155,41 @@ METHOD(cert_cache_t, issued_by, bool,
 		current->lock->read_lock(current->lock);
 		if (current->subject)
 		{
-			/* check for equal issuer */
 			if (issuer->equals(issuer, current->issuer))
 			{
-				/* reuse issuer instance in cache() */
-				issuer = current->issuer;
 				if (subject->equals(subject, current->subject))
 				{
-					/* write hit counter is not locked, but not critical */
 					current->hits++;
-					found = current;;
+					found = current;
 					if (schemep)
 					{
 						*schemep = current->scheme;
 					}
 				}
+				else if (!cached_issuer)
+				{
+					cached_issuer = current->issuer->get_ref(current->issuer);
+				}
 			}
 		}
 		current->lock->unlock(current->lock);
 		if (found)
 		{
+			DESTROY_IF(cached_issuer);
 			return TRUE;
 		}
 	}
-	/* no cache hit, check and cache signature */
 	if (subject->issued_by(subject, issuer, &scheme))
 	{
-		cache(this, subject, issuer, scheme);
+		cache(this, subject, cached_issuer ?: issuer, scheme);
 		if (schemep)
 		{
 			*schemep = scheme;
 		}
+		DESTROY_IF(cached_issuer);
 		return TRUE;
 	}
+	DESTROY_IF(cached_issuer);
 	return FALSE;
 }
 
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index d8f568d36..7ad011b5e 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -192,6 +192,24 @@ METHOD(mem_cred_t, add_cert_ref, certificate_t*,
 	return add_cert_internal(this, trusted, cert);
 }
 
+METHOD(mem_cred_t, get_cert_ref, certificate_t*,
+	private_mem_cred_t *this, certificate_t *cert)
+{
+	certificate_t *cached;
+
+	this->lock->write_lock(this->lock);
+	if (this->untrusted->find_first(this->untrusted,
+									(linked_list_match_t)certificate_equals,
+									(void**)&cached, cert) == SUCCESS)
+	{
+		cert->destroy(cert);
+		cert = cached->get_ref(cached);
+	}
+	this->lock->unlock(this->lock);
+
+	return cert;
+}
+
 METHOD(mem_cred_t, add_crl, bool,
 	private_mem_cred_t *this, crl_t *crl)
 {
@@ -736,6 +754,7 @@ mem_cred_t *mem_cred_create()
 			},
 			.add_cert = _add_cert,
 			.add_cert_ref = _add_cert_ref,
+			.get_cert_ref = _get_cert_ref,
 			.add_crl = _add_crl,
 			.add_key = _add_key,
 			.add_shared = _add_shared,
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
index d0dd51da1..3ce815abc 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.h
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -59,6 +59,18 @@ struct mem_cred_t {
 								   certificate_t *cert);
 
 	/**
+	 * Get an existing reference to the same certificate.
+	 *
+	 * Searches for the same certficate in the set, and returns a reference
+	 * to it, destroying the passed certificate. If the passed certificate
+	 * is not found, it is just returned.
+	 *
+	 * @param cert			certificate to look up
+	 * @return				the same certificate, potentially different instance
+	 */
+	certificate_t* (*get_cert_ref)(mem_cred_t *this, certificate_t *cert);
+
+	/**
 	 * Add an X.509 CRL to the credential set.
 	 *
 	 * @param crl			CRL, gets owned by set
diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c
index 8123adde5..1e73baa4e 100644
--- a/src/libstrongswan/crypto/crypters/crypter.c
+++ b/src/libstrongswan/crypto/crypters/crypter.c
@@ -96,6 +96,10 @@ encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size)
 			alg = ENCR_CAMELLIA_CBC;
 			alg_key_size = 256;
 			break;
+		case OID_BLOWFISH_CBC:
+			alg = ENCR_BLOWFISH;
+			alg_key_size = 0;
+			break;
 		default:
 			alg = ENCR_UNDEFINED;
 			alg_key_size = 0;
@@ -154,6 +158,9 @@ int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size)
 					oid = OID_UNKNOWN;
 			}
 			break;
+		case ENCR_BLOWFISH:
+			oid = OID_BLOWFISH_CBC;
+			break;
 		default:
 			oid = OID_UNKNOWN;
 	}
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index d09844bfa..15ed17381 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -580,13 +580,22 @@ METHOD(crypto_tester_t, test_signer, bool,
 			break;
 		}
 
+		data = chunk_create(vector->data, vector->len);
 		key = chunk_create(vector->key, signer->get_key_size(signer));
 		if (!signer->set_key(signer, key))
 		{
 			goto failure;
 		}
+		/* do partial append mode and check if key gets set correctly */
+		if (!signer->get_signature(signer, data, NULL))
+		{
+			goto failure;
+		}
+		if (!signer->set_key(signer, key))
+		{
+			goto failure;
+		}
 		/* allocated signature */
-		data = chunk_create(vector->data, vector->len);
 		if (!signer->allocate_signature(signer, data, &mac))
 		{
 			goto failure;
@@ -905,13 +914,25 @@ METHOD(crypto_tester_t, test_prf, bool,
 			break;
 		}
 
+		seed = chunk_create(vector->seed, vector->len);
 		key = chunk_create(vector->key, vector->key_size);
 		if (!prf->set_key(prf, key))
 		{
 			goto failure;
 		}
+		if (alg != PRF_FIPS_SHA1_160)
+		{
+			/* do partial append mode and check if key gets set correctly */
+			if (!prf->get_bytes(prf, seed, NULL))
+			{
+				goto failure;
+			}
+			if (!prf->set_key(prf, key))
+			{
+				goto failure;
+			}
+		}
 		/* allocated bytes */
-		seed = chunk_create(vector->seed, vector->len);
 		if (!prf->allocate_bytes(prf, seed, &out))
 		{
 			goto failure;
@@ -942,7 +963,7 @@ METHOD(crypto_tester_t, test_prf, bool,
 			goto failure;
 		}
 		/* bytes to existing buffer, using append mode */
-		if (seed.len > 2)
+		if (alg != PRF_FIPS_SHA1_160 && seed.len > 2)
 		{
 			memset(out.ptr, 0, out.len);
 			if (vector->stateful)
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index 87c9b21f8..0d4cd9109 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -42,15 +42,16 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
 	"ECP_256_BP",
 	"ECP_384_BP",
 	"ECP_512_BP");
-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_512_BP,
-	"MODP_NULL",
-	"MODP_CUSTOM");
-ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_CUSTOM,
+ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_512_BP,
+	"MODP_NULL");
+ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL,
 	"NTRU_112",
 	"NTRU_128",
 	"NTRU_192",
 	"NTRU_256");
-ENUM_END(diffie_hellman_group_names, NTRU_256_BIT);
+ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, NTRU_256_BIT,
+	"MODP_CUSTOM");
+ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
 
 
 /**
@@ -439,7 +440,7 @@ void diffie_hellman_init()
 {
 	int i;
 
-	if (lib->settings->get_int(lib->settings,
+	if (lib->settings->get_bool(lib->settings,
 					"%s.dh_exponent_ansi_x9_42", TRUE, lib->ns))
 	{
 		for (i = 0; i < countof(dh_params); i++)
@@ -463,7 +464,7 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group)
 			if (!dh_params[i].public.exp_len)
 			{
 				if (!dh_params[i].public.subgroup.len &&
-					lib->settings->get_int(lib->settings,
+					lib->settings->get_bool(lib->settings,
 									"%s.dh_exponent_ansi_x9_42", TRUE, lib->ns))
 				{
 					dh_params[i].public.exp_len = dh_params[i].public.prime.len;
@@ -500,3 +501,75 @@ bool diffie_hellman_group_is_ec(diffie_hellman_group_t group)
 			return FALSE;
 	}
 }
+
+/**
+ * See header.
+ */
+bool diffie_hellman_verify_value(diffie_hellman_group_t group, chunk_t value)
+{
+	diffie_hellman_params_t *params;
+	bool valid = FALSE;
+
+	switch (group)
+	{
+		case MODP_768_BIT:
+		case MODP_1024_BIT:
+		case MODP_1536_BIT:
+		case MODP_2048_BIT:
+		case MODP_3072_BIT:
+		case MODP_4096_BIT:
+		case MODP_6144_BIT:
+		case MODP_8192_BIT:
+		case MODP_1024_160:
+		case MODP_2048_224:
+		case MODP_2048_256:
+			params = diffie_hellman_get_params(group);
+			if (params)
+			{
+				valid = value.len == params->prime.len;
+			}
+			break;
+		case ECP_192_BIT:
+			valid = value.len == 48;
+			break;
+		case ECP_224_BIT:
+		case ECP_224_BP:
+			valid = value.len == 56;
+			break;
+		case ECP_256_BIT:
+		case ECP_256_BP:
+			valid = value.len == 64;
+			break;
+		case ECP_384_BIT:
+		case ECP_384_BP:
+			valid = value.len == 96;
+			break;
+		case ECP_512_BP:
+			valid = value.len == 128;
+			break;
+		case ECP_521_BIT:
+			valid = value.len == 132;
+			break;
+		case NTRU_112_BIT:
+		case NTRU_128_BIT:
+		case NTRU_192_BIT:
+		case NTRU_256_BIT:
+			/* verification currently not supported, do in plugin */
+			valid = FALSE;
+			break;
+		case MODP_NULL:
+		case MODP_CUSTOM:
+			valid = TRUE;
+			break;
+		case MODP_NONE:
+			/* fail */
+			break;
+		/* compile-warn unhandled groups, fail verification */
+	}
+	if (!valid)
+	{
+		DBG1(DBG_ENC, "invalid DH public value size (%zu bytes) for %N",
+			 value.len, diffie_hellman_group_names, group);
+	}
+	return valid;
+}
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index 105db22f1..4704cd0da 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -63,12 +63,14 @@ enum diffie_hellman_group_t {
 	/** insecure NULL diffie hellman group for testing, in PRIVATE USE */
 	MODP_NULL = 1024,
 	/** MODP group with custom generator/prime */
-	MODP_CUSTOM = 1025,
 	/** Parameters defined by IEEE 1363.1, in PRIVATE USE */
 	NTRU_112_BIT = 1030,
 	NTRU_128_BIT = 1031,
 	NTRU_192_BIT = 1032,
-	NTRU_256_BIT = 1033
+	NTRU_256_BIT = 1033,
+	/** internally used DH group with additional parameters g and p, outside
+	 * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
+	MODP_CUSTOM = 65536,
 };
 
 /**
@@ -87,9 +89,10 @@ struct diffie_hellman_t {
 	 * Space for returned secret is allocated and must be freed by the caller.
 	 *
 	 * @param secret	shared secret will be written into this chunk
-	 * @return			SUCCESS, FAILED if not both DH values are set
+	 * @return			TRUE if shared secret computed successfully
 	 */
-	status_t (*get_shared_secret) (diffie_hellman_t *this, chunk_t *secret);
+	bool (*get_shared_secret)(diffie_hellman_t *this, chunk_t *secret)
+		__attribute__((warn_unused_result));
 
 	/**
 	 * Sets the public value of partner.
@@ -97,8 +100,10 @@ struct diffie_hellman_t {
 	 * Chunk gets cloned and can be destroyed afterwards.
 	 *
 	 * @param value		public value of partner
+	 * @return			TRUE if other public value verified and set
 	 */
-	void (*set_other_public_value) (diffie_hellman_t *this, chunk_t value);
+	bool (*set_other_public_value)(diffie_hellman_t *this, chunk_t value)
+		__attribute__((warn_unused_result));
 
 	/**
 	 * Gets the own public value to transmit.
@@ -106,8 +111,10 @@ struct diffie_hellman_t {
 	 * Space for returned chunk is allocated and must be freed by the caller.
 	 *
 	 * @param value		public value of caller is stored at this location
+	 * @return			TRUE if public value retrieved
 	 */
-	void (*get_my_public_value) (diffie_hellman_t *this, chunk_t *value);
+	bool (*get_my_public_value) (diffie_hellman_t *this, chunk_t *value)
+		__attribute__((warn_unused_result));
 
 	/**
 	 * Get the DH group used.
@@ -168,8 +175,17 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group)
  * Check if a given DH group is an ECDH group
  *
  * @param group			group to check
- * @return				TUE if group is an ECP group
+ * @return				TRUE if group is an ECP group
  */
 bool diffie_hellman_group_is_ec(diffie_hellman_group_t group);
 
+/**
+ * Check if a diffie hellman public value is valid for given group.
+ *
+ * @param group			group the value is used in
+ * @param value			public DH value to check
+ * @return				TRUE if value looks valid for group
+ */
+bool diffie_hellman_verify_value(diffie_hellman_group_t group, chunk_t value);
+
 #endif /** DIFFIE_HELLMAN_H_ @}*/
diff --git a/src/libstrongswan/crypto/hashers/hash_algorithm_set.c b/src/libstrongswan/crypto/hashers/hash_algorithm_set.c
new file mode 100644
index 000000000..93b67cb13
--- /dev/null
+++ b/src/libstrongswan/crypto/hashers/hash_algorithm_set.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hash_algorithm_set.h"
+
+#include <collections/array.h>
+
+typedef struct private_hash_algorithm_set_t private_hash_algorithm_set_t;
+
+struct private_hash_algorithm_set_t {
+
+	/**
+	 * Public interface
+	 */
+	hash_algorithm_set_t public;
+
+	/**
+	 * Algorithms contained in the set
+	 */
+	array_t *algorithms;
+};
+
+/**
+ * Sort hash algorithms
+ */
+static int hash_sort(const void *a, const void *b, void *user)
+{
+	const hash_algorithm_t *ha = a, *hb = b;
+	return *ha - *hb;
+}
+
+/**
+ * Find a hash algorithm
+ */
+static int hash_find(const void *a, const void *b)
+{
+	return hash_sort(a, b, NULL);
+}
+
+METHOD(hash_algorithm_set_t, contains, bool,
+	private_hash_algorithm_set_t *this, hash_algorithm_t hash)
+{
+	return array_bsearch(this->algorithms, &hash, hash_find, NULL) != -1;
+}
+
+METHOD(hash_algorithm_set_t, add, void,
+	private_hash_algorithm_set_t *this, hash_algorithm_t hash)
+{
+	if (!contains(this, hash))
+	{
+		array_insert(this->algorithms, ARRAY_TAIL, &hash);
+		array_sort(this->algorithms, hash_sort, NULL);
+	}
+}
+
+METHOD(hash_algorithm_set_t, count, int,
+	private_hash_algorithm_set_t *this)
+{
+	return array_count(this->algorithms);
+}
+
+static bool hash_filter(void *data, void **in, hash_algorithm_t *out)
+{
+	*out = **(hash_algorithm_t**)in;
+	return TRUE;
+}
+
+METHOD(hash_algorithm_set_t, create_enumerator, enumerator_t*,
+	private_hash_algorithm_set_t *this)
+{
+	return enumerator_create_filter(array_create_enumerator(this->algorithms),
+									(void*)hash_filter, NULL, NULL);
+}
+
+METHOD(hash_algorithm_set_t, destroy, void,
+	private_hash_algorithm_set_t *this)
+{
+	array_destroy(this->algorithms);
+	free(this);
+}
+
+/**
+ * Described in header
+ */
+hash_algorithm_set_t *hash_algorithm_set_create()
+{
+	private_hash_algorithm_set_t *this;
+
+	INIT(this,
+		.public = {
+			.add = _add,
+			.contains = _contains,
+			.count = _count,
+			.create_enumerator = _create_enumerator,
+			.destroy = _destroy,
+		},
+		.algorithms = array_create(sizeof(hash_algorithm_t), 0),
+	);
+
+	return &this->public;
+}
\ No newline at end of file
diff --git a/src/libstrongswan/crypto/hashers/hash_algorithm_set.h b/src/libstrongswan/crypto/hashers/hash_algorithm_set.h
new file mode 100644
index 000000000..00e90cc2e
--- /dev/null
+++ b/src/libstrongswan/crypto/hashers/hash_algorithm_set.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup hash_algorithm_set hash_algorithm_set
+ * @{ @ingroup crypto
+ */
+
+#ifndef HASH_ALGORITHM_SET_H_
+#define HASH_ALGORITHM_SET_H_
+
+typedef struct hash_algorithm_set_t hash_algorithm_set_t;
+
+#include <library.h>
+#include <crypto/hashers/hasher.h>
+
+/**
+ * A set of hash algorithms
+ */
+struct hash_algorithm_set_t {
+
+	/**
+	 * Add the given algorithm to the set.
+	 *
+	 * @param alg		hash algorithm
+	 */
+	void (*add)(hash_algorithm_set_t *this, hash_algorithm_t alg);
+
+	/**
+	 * Check if the given algorithm is contained in the set.
+	 *
+	 * @param alg		hash algorithm
+	 * @return			TRUE if contained in set
+	 */
+	bool (*contains)(hash_algorithm_set_t *this, hash_algorithm_t alg);
+
+	/**
+	 * Number of hash algorithms contained in the set.
+	 *
+	 * @return			number of algorithms
+	 */
+	int (*count)(hash_algorithm_set_t *this);
+
+	/**
+	 * Enumerate the algorithms contained in the set.
+	 *
+	 * @return			enumerator over hash_algorithm_t (sorted by identifier)
+	 */
+	enumerator_t *(*create_enumerator)(hash_algorithm_set_t *this);
+
+	/**
+	 * Destroy a hash_algorithm_set_t instance
+	 */
+	void (*destroy)(hash_algorithm_set_t *this);
+};
+
+/**
+ * Create a set of hash algorithms.
+ *
+ * @return				hash_algorithm_set_t instance
+ */
+hash_algorithm_set_t *hash_algorithm_set_create();
+
+#endif /** HASH_ALGORITHM_SET_H_ @}*/
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index 13cbb5a59..38eebea9c 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2015 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -19,29 +19,31 @@
 
 #include <asn1/oid.h>
 
-ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512,
+ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_SHA512,
+	"HASH_SHA1",
+	"HASH_SHA256",
+	"HASH_SHA384",
+	"HASH_SHA512");
+ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA224, HASH_SHA512,
 	"HASH_UNKNOWN",
 	"HASH_MD2",
 	"HASH_MD4",
 	"HASH_MD5",
-	"HASH_SHA1",
-	"HASH_SHA224",
-	"HASH_SHA256",
-	"HASH_SHA384",
-	"HASH_SHA512"
-);
+	"HASH_SHA224");
+ENUM_END(hash_algorithm_names, HASH_SHA224);
 
-ENUM(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA512,
+ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_SHA512,
+	"sha1",
+	"sha256",
+	"sha384",
+	"sha512");
+ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA224, HASH_SHA512,
 	"unknown",
 	"md2",
 	"md4",
 	"md5",
-	"sha1",
-	"sha224",
-	"sha256",
-	"sha384",
-	"sha512"
-);
+	"sha224");
+ENUM_END(hash_algorithm_short_names, HASH_SHA224);
 
 /*
  * Described in header.
@@ -249,6 +251,28 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
 /*
  * Described in header.
  */
+bool hasher_algorithm_for_ikev2(hash_algorithm_t alg)
+{
+	switch (alg)
+	{
+		case HASH_SHA1:
+		case HASH_SHA256:
+		case HASH_SHA384:
+		case HASH_SHA512:
+			return TRUE;
+		case HASH_UNKNOWN:
+		case HASH_MD2:
+		case HASH_MD4:
+		case HASH_MD5:
+		case HASH_SHA224:
+			break;
+	}
+	return FALSE;
+}
+
+/*
+ * Described in header.
+ */
 int hasher_algorithm_to_oid(hash_algorithm_t alg)
 {
 	int oid;
@@ -323,8 +347,56 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
 				default:
 					return OID_UNKNOWN;
 			}
+		case KEY_BLISS:
+			switch (alg)
+			{
+				case HASH_SHA256:
+					return OID_BLISS_WITH_SHA256;
+				case HASH_SHA384:
+					return OID_BLISS_WITH_SHA384;
+				case HASH_SHA512:
+					return OID_BLISS_WITH_SHA512;
+				default:
+					return OID_UNKNOWN;
+			}
 		default:
 			return OID_UNKNOWN;
 	}
 }
 
+/*
+ * Defined in header.
+ */
+hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme)
+{
+	switch (scheme)
+	{
+		case SIGN_UNKNOWN:
+		case SIGN_RSA_EMSA_PKCS1_NULL:
+		case SIGN_ECDSA_WITH_NULL:
+			break;
+		case SIGN_RSA_EMSA_PKCS1_MD5:
+			return HASH_MD5;
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+		case SIGN_ECDSA_WITH_SHA1_DER:
+			return HASH_SHA1;
+		case SIGN_RSA_EMSA_PKCS1_SHA224:
+			return HASH_SHA224;
+		case SIGN_RSA_EMSA_PKCS1_SHA256:
+		case SIGN_ECDSA_WITH_SHA256_DER:
+		case SIGN_ECDSA_256:
+		case SIGN_BLISS_WITH_SHA256:
+			return HASH_SHA256;
+		case SIGN_RSA_EMSA_PKCS1_SHA384:
+		case SIGN_ECDSA_WITH_SHA384_DER:
+		case SIGN_ECDSA_384:
+		case SIGN_BLISS_WITH_SHA384:
+			return HASH_SHA384;
+		case SIGN_RSA_EMSA_PKCS1_SHA512:
+		case SIGN_ECDSA_WITH_SHA512_DER:
+		case SIGN_ECDSA_521:
+		case SIGN_BLISS_WITH_SHA512:
+			return HASH_SHA512;
+	}
+	return HASH_UNKNOWN;
+}
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 37ef0b6ab..772586308 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2015 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -32,19 +32,19 @@ typedef struct hasher_t hasher_t;
 #include <credentials/keys/public_key.h>
 
 /**
- * Algorithms to use for hashing.
+ * Hash algorithms as defined for IKEv2 by RFC 7427
  */
 enum hash_algorithm_t {
-	/** not specified hash function */
-	HASH_UNKNOWN 		= 0,
-	HASH_MD2 			= 1,
-	HASH_MD4			= 2,
-	HASH_MD5 			= 3,
-	HASH_SHA1 			= 4,
-	HASH_SHA224			= 5,
-	HASH_SHA256 		= 6,
-	HASH_SHA384 		= 7,
-	HASH_SHA512 		= 8
+	HASH_SHA1 			= 1,
+	HASH_SHA256			= 2,
+	HASH_SHA384			= 3,
+	HASH_SHA512			= 4,
+	/* use private use range for algorithms not defined/permitted by RFC 7427 */
+	HASH_UNKNOWN 		= 1024,
+	HASH_MD2 			= 1025,
+	HASH_MD4			= 1026,
+	HASH_MD5 			= 1027,
+	HASH_SHA224			= 1028,
 };
 
 #define HASH_SIZE_MD2		16
@@ -163,6 +163,14 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
 													size_t length);
 
 /**
+ * Check if the given algorithm may be used for IKEv2 signature authentication.
+ *
+ * @param alg			hash algorithm
+ * @return				TRUE if algorithm may be used, FALSE otherwise
+ */
+bool hasher_algorithm_for_ikev2(hash_algorithm_t alg);
+
+/**
  * Conversion of hash algorithm into ASN.1 OID.
  *
  * @param alg			hash algorithm
@@ -179,4 +187,12 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg);
  */
 int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key);
 
+/**
+ * Determine the hash algorithm associated with a given signature scheme.
+ *
+ * @param scheme		signature scheme
+ * @return				hash algorithm (could be HASH_UNKNOWN)
+ */
+hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme);
+
 #endif /** HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/ntru/ntru_mgf1.c b/src/libstrongswan/crypto/mgf1/mgf1.c
index 2338db208..4bbcd6e99 100644
--- a/src/libstrongswan/plugins/ntru/ntru_mgf1.c
+++ b/src/libstrongswan/crypto/mgf1/mgf1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,23 +13,23 @@
  * for more details.
  */
 
-#include "ntru_mgf1.h"
+#include "mgf1.h"
 
-#include <crypto/hashers/hasher.h>
-#include <utils/debug.h>
-#include <utils/test.h>
+#include "crypto/hashers/hasher.h"
+#include "utils/debug.h"
+#include "utils/test.h"
 
-typedef struct private_ntru_mgf1_t private_ntru_mgf1_t;
+typedef struct private_mgf1_t private_mgf1_t;
 
 /**
- * Private data of an ntru_mgf1_t object.
+ * Private data of an mgf1_t object.
  */
-struct private_ntru_mgf1_t {
+struct private_mgf1_t {
 
 	/**
-	 * Public ntru_mgf1_t interface.
+	 * Public mgf1_t interface.
 	 */
-	ntru_mgf1_t public;
+	mgf1_t public;
 
 	/**
 	 * Hasher the MGF1 Mask Generation Function is based on
@@ -58,14 +58,14 @@ struct private_ntru_mgf1_t {
 
 };
 
-METHOD(ntru_mgf1_t, get_hash_size, size_t,
-	private_ntru_mgf1_t *this)
+METHOD(mgf1_t, get_hash_size, size_t,
+	private_mgf1_t *this)
 {
 	return this->hasher->get_hash_size(this->hasher);
 }
 
-METHOD(ntru_mgf1_t, get_mask, bool,
-	private_ntru_mgf1_t *this, size_t mask_len, u_char *mask)
+METHOD(mgf1_t, get_mask, bool,
+	private_mgf1_t *this, size_t mask_len, u_char *mask)
 {
 	u_char buf[HASH_SIZE_SHA512];
 	size_t hash_len;
@@ -102,8 +102,8 @@ METHOD(ntru_mgf1_t, get_mask, bool,
 	return TRUE;
 }
 
-METHOD(ntru_mgf1_t, allocate_mask, bool,
-	private_ntru_mgf1_t *this, size_t mask_len, chunk_t *mask)
+METHOD(mgf1_t, allocate_mask, bool,
+	private_mgf1_t *this, size_t mask_len, chunk_t *mask)
 {
 	if (mask_len == 0)
 	{
@@ -115,8 +115,8 @@ METHOD(ntru_mgf1_t, allocate_mask, bool,
 	return get_mask(this, mask_len, mask->ptr);
 }
 
-METHOD(ntru_mgf1_t, destroy, void,
-	private_ntru_mgf1_t *this)
+METHOD(mgf1_t, destroy, void,
+	private_mgf1_t *this)
 {
 	this->hasher->destroy(this->hasher);
 	chunk_clear(&this->state);
@@ -126,10 +126,10 @@ METHOD(ntru_mgf1_t, destroy, void,
 /*
  * Described in header.
  */
-ntru_mgf1_t *ntru_mgf1_create(hash_algorithm_t alg, chunk_t seed,
+mgf1_t *mgf1_create(hash_algorithm_t alg, chunk_t seed,
 							  bool hash_seed)
 {
-	private_ntru_mgf1_t *this;
+	private_mgf1_t *this;
 	hasher_t *hasher;
 	size_t state_len;
 
@@ -178,5 +178,3 @@ ntru_mgf1_t *ntru_mgf1_create(hash_algorithm_t alg, chunk_t seed,
 
 	return &this->public;
 }
-
-EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_mgf1_create);
diff --git a/src/libstrongswan/plugins/ntru/ntru_mgf1.h b/src/libstrongswan/crypto/mgf1/mgf1.h
index 53e90412a..592d31596 100644
--- a/src/libstrongswan/plugins/ntru/ntru_mgf1.h
+++ b/src/libstrongswan/crypto/mgf1/mgf1.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,29 +14,29 @@
  */
 
 /**
- * @defgroup ntru_mgf1 ntru_mgf1
- * @{ @ingroup ntru_p
+ * @defgroup mgf1 mgf1
+ * @{ @ingroup crypto
  */
 
-#ifndef NTRU_MGF1_H_
-#define NTRU_MGF1_H_
+#ifndef MGF1_H_
+#define MGF1_H_
 
-typedef struct ntru_mgf1_t ntru_mgf1_t;
+typedef struct mgf1_t mgf1_t;
 
 #include <library.h>
 
 /**
  * Implements the PKCS#1 MGF1 Mask Generation Function based on a hash function
- * defined in section 10.2.1 of RFC 2437 
+ * defined in section 10.2.1 of RFC 2437
  */
-struct ntru_mgf1_t {
+struct mgf1_t {
 
 	/**
 	 * Get the hash size of the underlying hash function
 	 *
 	 * @return			hash size in bytes
 	 */
-	size_t (*get_hash_size)(ntru_mgf1_t *this);
+	size_t (*get_hash_size)(mgf1_t *this);
 
 	/**
 	 * Generate a mask pattern and copy it to an output buffer
@@ -46,7 +46,7 @@ struct ntru_mgf1_t {
 	 * @param mask		output buffer of minimum size mask_len
 	 * @return			TRUE if successful
 	 */
-	bool (*get_mask)(ntru_mgf1_t *this, size_t mask_len, u_char *mask);
+	bool (*get_mask)(mgf1_t *this, size_t mask_len, u_char *mask);
 
 	/**
 	 * Generate a mask pattern and return it in an allocated chunk
@@ -55,12 +55,12 @@ struct ntru_mgf1_t {
 	 * @param mask		chunk containing generated mask
 	 * @return			TRUE if successful
 	 */
-	bool (*allocate_mask)(ntru_mgf1_t *this, size_t mask_len, chunk_t *mask);
+	bool (*allocate_mask)(mgf1_t *this, size_t mask_len, chunk_t *mask);
 
 	/**
 	 * Destroy the MGF1 object
 	 */
-	void (*destroy)(ntru_mgf1_t *this);
+	void (*destroy)(mgf1_t *this);
 };
 
 /**
@@ -68,10 +68,10 @@ struct ntru_mgf1_t {
  *
  * @param alg			hash algorithm to be used by MGF1
  * @param seed			seed used by MGF1 to generate mask from
- * @param hash_seed		hash seed before using it as a seed from MGF1
+ * @param hash_seed		hash seed before using it as a seed for MGF1
  */
-ntru_mgf1_t *ntru_mgf1_create(hash_algorithm_t alg, chunk_t seed,
+mgf1_t *mgf1_create(hash_algorithm_t alg, chunk_t seed,
 							  bool hash_seed);
 
-#endif /** NTRU_MGF1_H_ @}*/
+#endif /** MGF1_H_ @}*/
 
diff --git a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c
new file mode 100644
index 000000000..ef0a2bd01
--- /dev/null
+++ b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c
@@ -0,0 +1,208 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mgf1_bitspender.h"
+
+#include <crypto/mgf1/mgf1.h>
+
+typedef struct private_mgf1_bitspender_t private_mgf1_bitspender_t;
+
+/**
+ * Private data structure for mgf1_bitspender_t object
+ */
+struct private_mgf1_bitspender_t {
+	/**
+	 * Public interface.
+	 */
+	mgf1_bitspender_t public;
+
+	/**
+	 * MGF1 bit mask generator
+	 */
+	mgf1_t *mgf1;
+
+	/**
+	 * Octet storage (accommodates up to 64 octets)
+	 */
+	uint8_t octets[HASH_SIZE_SHA512];
+
+	/**
+	 * Length of the returned hash value in octets
+	 */
+	int hash_len;
+
+	/**
+	 * Number of generated octets
+	 */
+	int octets_count;
+
+	/**
+	 * Number of available octets
+	 */
+	int octets_left;
+
+	/**
+	 * Bit storage (accommodates up to 32 bits)
+	 */
+	uint32_t bits;
+
+	/**
+	 * Number of available bits
+	 */
+	int bits_left;
+
+	/**
+	 * Byte storage (accommodates up to 4 bytes)
+	 */
+	uint8_t bytes[4];
+
+	/**
+	 * Number of available bytes
+	 */
+	int bytes_left;
+
+};
+
+METHOD(mgf1_bitspender_t, get_bits, bool,
+	private_mgf1_bitspender_t *this, int bits_needed, uint32_t *bits)
+{
+	int bits_now;
+
+	*bits = 0x00000000;
+
+	if (bits_needed == 0)
+	{
+		/* trivial */
+		return TRUE;
+	}
+	if (bits_needed > 32)
+	{
+		/* too many bits requested */
+		return FALSE;
+	}
+
+	while (bits_needed)
+	{
+		if (this->bits_left == 0)
+		{
+			if (this->octets_left == 0)
+			{
+				/* get another block from MGF1 */
+				if (!this->mgf1->get_mask(this->mgf1, this->hash_len,
+													  this->octets))
+				{
+					/* no block available */
+					return FALSE;
+				}
+				this->octets_left = this->hash_len;
+				this->octets_count += this->hash_len;
+			}
+			this->bits = untoh32(this->octets + this->hash_len -
+												this->octets_left);
+			this->bits_left = 32;
+			this->octets_left -= 4;
+		}
+		if (bits_needed > this->bits_left)
+		{
+			bits_now = this->bits_left;
+			this->bits_left = 0;
+			bits_needed -= bits_now;
+		}
+		else
+		{
+			bits_now = bits_needed;
+			this->bits_left -= bits_needed;
+			bits_needed = 0;
+		}
+		if (bits_now == 32)
+		{
+			*bits = this->bits;
+		}
+		else
+		{
+			*bits <<= bits_now;
+			*bits |= this->bits >> this->bits_left;
+			if (this->bits_left)
+			{
+				this->bits &= 0xffffffff >> (32 - this->bits_left);
+			}
+		}
+	}
+	return TRUE;
+}
+
+METHOD(mgf1_bitspender_t, get_byte, bool,
+	private_mgf1_bitspender_t *this, uint8_t *byte)
+{
+	if (this->bytes_left == 0)
+	{
+		if (this->octets_left == 0)
+		{
+			/* get another block from MGF1 */
+			if (!this->mgf1->get_mask(this->mgf1, this->hash_len, this->octets))
+			{
+				/* no block available */
+				return FALSE;
+			}
+			this->octets_left = this->hash_len;
+			this->octets_count += this->hash_len;
+		}
+		memcpy(this->bytes, this->octets + this->hash_len -	this->octets_left, 4);
+		this->bytes_left = 4;
+		this->octets_left -= 4;
+	}
+	*byte = this->bytes[4 - this->bytes_left--];
+
+	return TRUE;
+}
+
+METHOD(mgf1_bitspender_t, destroy, void,
+	private_mgf1_bitspender_t *this)
+{
+	DBG2(DBG_LIB, "mgf1 generated %u octets", this->octets_count);
+	memwipe(this->octets, sizeof(this->octets));
+	this->mgf1->destroy(this->mgf1);
+	free(this);
+}
+
+/**
+ * See header.
+ */
+mgf1_bitspender_t *mgf1_bitspender_create(hash_algorithm_t alg, chunk_t seed,
+										  bool hash_seed)
+{
+	private_mgf1_bitspender_t *this;
+	mgf1_t *mgf1;
+
+	mgf1 = mgf1_create(alg, seed, hash_seed);
+	if (!mgf1)
+	{
+	    return NULL;
+	}
+	DBG2(DBG_LIB, "mgf1 based on %N is seeded with %u octets",
+				   hash_algorithm_short_names, alg, seed.len);
+
+	INIT(this,
+		.public = {
+			.get_bits = _get_bits,
+			.get_byte = _get_byte,
+			.destroy = _destroy,
+		},
+		.mgf1 = mgf1,
+		.hash_len = mgf1->get_hash_size(mgf1),
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h
new file mode 100644
index 000000000..f7df8e834
--- /dev/null
+++ b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mgf1_bitspender mgf1_bitspender
+ * @{ @ingroup mgf1
+ */
+
+#ifndef MGF1_BITSPENDER_H_
+#define MGF1_BITSPENDER_H_
+
+#include <library.h>
+#include <crypto/hashers/hasher.h>
+
+typedef struct mgf1_bitspender_t mgf1_bitspender_t;
+
+/**
+ * Generates a given number of pseudo-random bits at a time using MGF1
+ */
+struct mgf1_bitspender_t {
+
+	/**
+	 * Get pseudo-random bits
+	 *
+	 * @param bits_needed	Number of needed bits (1..32)
+	 * @param bits			Pseudo-random bits
+	 * @result				FALSE if internal MGF1 error occurred
+	 */
+	bool (*get_bits)(mgf1_bitspender_t *this, int bits_needed, uint32_t *bits);
+
+	/**
+	 * Get a pseudo-random byte
+	 *
+	 * @param byte			Pseudo-random byte
+	 * @result				FALSE if internal MGF1 error occurred
+	 */
+	bool (*get_byte)(mgf1_bitspender_t *this, uint8_t *byte);
+
+	/**
+	 * Destroy mgf1_bitspender_t object
+	 */
+	void (*destroy)(mgf1_bitspender_t *this);
+};
+
+/**
+ * Create a mgf1_bitspender_t object
+ *
+ * @param alg				Hash algorithm to be used with MGF1
+ * @param seed				Seed used to initialize MGF1
+ * @param hash_seed			Hash seed before using it as a seed for MFG1
+ */
+mgf1_bitspender_t *mgf1_bitspender_create(hash_algorithm_t alg, chunk_t seed,
+										  bool hash_seed);
+
+#endif /** MGF1_BITSPENDER_H_ @}*/
diff --git a/src/libstrongswan/crypto/pkcs5.c b/src/libstrongswan/crypto/pkcs5.c
index 3b4df0e8a..478926f2f 100644
--- a/src/libstrongswan/crypto/pkcs5.c
+++ b/src/libstrongswan/crypto/pkcs5.c
@@ -108,13 +108,13 @@ struct private_pkcs5_t {
  * Verify padding of decrypted blob.
  * Length of blob is adjusted accordingly.
  */
-static bool verify_padding(chunk_t *blob)
+static bool verify_padding(crypter_t *crypter, chunk_t *blob)
 {
 	u_int8_t padding, count;
 
 	padding = count = blob->ptr[blob->len - 1];
 
-	if (padding > 8)
+	if (padding > crypter->get_block_size(crypter))
 	{
 		return FALSE;
 	}
@@ -153,7 +153,7 @@ static bool decrypt_generic(private_pkcs5_t *this, chunk_t password,
 		return FALSE;
 	}
 	memwipe(keymat.ptr, keymat.len);
-	if (verify_padding(decrypted))
+	if (verify_padding(this->crypter, decrypted))
 	{
 		return TRUE;
 	}
@@ -504,6 +504,7 @@ static bool parse_pbes2_params(private_pkcs5_t *this, chunk_t blob, int level0)
 {
 	asn1_parser_t *parser;
 	chunk_t object, params;
+	size_t keylen;
 	int objectID;
 	bool success = FALSE;
 
@@ -533,20 +534,35 @@ static bool parse_pbes2_params(private_pkcs5_t *this, chunk_t blob, int level0)
 			{
 				int oid = asn1_parse_algorithmIdentifier(object,
 									parser->get_level(parser) + 1, &params);
-				if (oid != OID_3DES_EDE_CBC)
+				this->encr = encryption_algorithm_from_oid(oid, &keylen);
+				if (this->encr == ENCR_UNDEFINED)
 				{	/* unsupported encryption scheme */
 					goto end;
 				}
-				if (this->keylen <= 0)
-				{	/* default key length for DES-EDE3-CBC-Pad */
-					this->keylen = 24;
+				/* prefer encoded key length */
+				this->keylen = this->keylen ?: keylen / 8;
+				if (!this->keylen)
+				{	/* set default key length for known algorithms */
+					switch (this->encr)
+					{
+						case ENCR_DES:
+							this->keylen = 8;
+							break;
+						case ENCR_3DES:
+							this->keylen = 24;
+							break;
+						case ENCR_BLOWFISH:
+							this->keylen = 16;
+							break;
+						default:
+							goto end;
+					}
 				}
 				if (!asn1_parse_simple_object(&params, ASN1_OCTET_STRING,
 									parser->get_level(parser) + 1, "IV"))
 				{
 					goto end;
 				}
-				this->encr = ENCR_3DES;
 				this->data.pbes2.iv = chunk_clone(params);
 				break;
 			}
diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c
index 4bbd918a0..f2ee11ee8 100644
--- a/src/libstrongswan/ipsec/ipsec_types.c
+++ b/src/libstrongswan/ipsec/ipsec_types.c
@@ -48,7 +48,15 @@ bool mark_from_string(const char *value, mark_t *mark)
 	{
 		return FALSE;
 	}
-	mark->value = strtoul(value, &endptr, 0);
+	if (strcasepfx(value, "%unique"))
+	{
+		mark->value = MARK_UNIQUE;
+		endptr = (char*)value + strlen("%unique");
+	}
+	else
+	{
+		mark->value = strtoul(value, &endptr, 0);
+	}
 	if (*endptr)
 	{
 		if (*endptr != '/')
diff --git a/src/libstrongswan/ipsec/ipsec_types.h b/src/libstrongswan/ipsec/ipsec_types.h
index c1465e097..fa122af30 100644
--- a/src/libstrongswan/ipsec/ipsec_types.h
+++ b/src/libstrongswan/ipsec/ipsec_types.h
@@ -169,9 +169,9 @@ struct mark_t {
 };
 
 /**
- * Special mark value that uses the reqid of the CHILD_SA as mark
+ * Special mark value that uses a unique mark for each CHILD_SA
  */
-#define MARK_REQID (0xFFFFFFFF)
+#define MARK_UNIQUE (0xFFFFFFFF)
 
 /**
  * Try to parse a mark_t from the given string of the form mark[/mask].
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 2bd5e3523..3a6dd1ba4 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -79,6 +79,9 @@
  *
  * @defgroup utils utils
  * @ingroup libstrongswan
+ *
+ * @defgroup compat compat
+ * @ingroup utils
  */
 
 /**
diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c
index 8d04a4ec9..07da3ef3b 100644
--- a/src/libstrongswan/networking/host.c
+++ b/src/libstrongswan/networking/host.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2014 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -528,6 +528,42 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
 /*
  * Described in header.
  */
+bool host_create_from_range(char *string, host_t **from, host_t **to)
+{
+	char *sep, *pos;
+
+	sep = strchr(string, '-');
+	if (!sep)
+	{
+		return FALSE;
+	}
+	for (pos = sep+1; *pos && *pos == ' '; pos++)
+	{
+		/* trim spaces before to address*/
+	}
+	*to = host_create_from_string(pos, 0);
+	if (!*to)
+	{
+		return FALSE;
+	}
+	for (pos = sep-1; pos > string && *pos == ' '; pos--)
+	{
+		/* trim spaces behind from address */
+	}
+	pos = strndup(string, pos - string + 1);
+	*from = host_create_from_string_and_family(pos, (*to)->get_family(*to), 0);
+	free(pos);
+	if (!*from)
+	{
+		(*to)->destroy(*to);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/*
+ * Described in header.
+ */
 host_t *host_create_from_subnet(char *string, int *bits)
 {
 	char *pos, buf[64];
diff --git a/src/libstrongswan/networking/host.h b/src/libstrongswan/networking/host.h
index 9c9b5035f..db6f4dd49 100644
--- a/src/libstrongswan/networking/host.h
+++ b/src/libstrongswan/networking/host.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2014 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -24,6 +24,9 @@
 #ifndef HOST_H_
 #define HOST_H_
 
+#include <utils/utils.h>
+#include <utils/chunk.h>
+
 typedef enum host_diff_t host_diff_t;
 typedef struct host_t host_t;
 
@@ -31,9 +34,6 @@ typedef struct host_t host_t;
 #include <stdio.h>
 #include <sys/types.h>
 
-#include <utils/utils.h>
-#include <utils/chunk.h>
-
 /**
  * Representates a Host
  *
@@ -181,6 +181,19 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port);
 host_t *host_create_from_sockaddr(sockaddr_t *sockaddr);
 
 /**
+ * Parse a range definition (1.2.3.0-1.2.3.5), return the two hosts.
+ *
+ * The two hosts are not ordered, from is simply the first, to is the second,
+ * from is not necessarily smaller.
+ *
+ * @param string		string to parse
+ * @param from			returns the first address (out)
+ * @param to			returns the second address (out)
+ * @return				TRUE if parsed successfully, FALSE otherwise
+ */
+bool host_create_from_range(char *string, host_t **from, host_t **to);
+
+/**
  * Create a host from a CIDR subnet definition (1.2.3.0/24), return bits.
  *
  * @param string		string to parse
diff --git a/src/libstrongswan/networking/host_resolver.c b/src/libstrongswan/networking/host_resolver.c
index a7524ac23..bad87e434 100644
--- a/src/libstrongswan/networking/host_resolver.c
+++ b/src/libstrongswan/networking/host_resolver.c
@@ -163,20 +163,25 @@ static void *resolve_hosts(private_host_resolver_t *this)
 	int error;
 	bool old, timed_out;
 
+	/* default resolver threads to non-cancellable */
+	thread_cancelability(FALSE);
+
 	while (TRUE)
 	{
 		this->mutex->lock(this->mutex);
-		thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
 		while (this->queue->remove_first(this->queue,
 										(void**)&query) != SUCCESS)
 		{
-			old = thread_cancelability(TRUE);
+			if (this->disabled)
+			{
+				this->mutex->unlock(this->mutex);
+				return NULL;
+			}
 			timed_out = this->new_query->timed_wait(this->new_query,
 									this->mutex, NEW_QUERY_WAIT_TIMEOUT * 1000);
-			thread_cancelability(old);
 			if (this->disabled)
 			{
-				thread_cleanup_pop(TRUE);
+				this->mutex->unlock(this->mutex);
 				return NULL;
 			}
 			else if (timed_out && (this->threads > this->min_threads))
@@ -185,13 +190,13 @@ static void *resolve_hosts(private_host_resolver_t *this)
 
 				this->threads--;
 				this->pool->remove(this->pool, thread, NULL);
-				thread_cleanup_pop(TRUE);
+				this->mutex->unlock(this->mutex);
 				thread->detach(thread);
 				return NULL;
 			}
 		}
 		this->busy_threads++;
-		thread_cleanup_pop(TRUE);
+		this->mutex->unlock(this->mutex);
 
 		memset(&hints, 0, sizeof(hints));
 		hints.ai_family = query->family;
diff --git a/src/libstrongswan/networking/tun_device.c b/src/libstrongswan/networking/tun_device.c
index ff2c4a337..81d215677 100644
--- a/src/libstrongswan/networking/tun_device.c
+++ b/src/libstrongswan/networking/tun_device.c
@@ -346,40 +346,27 @@ METHOD(tun_device_t, write_packet, bool,
 METHOD(tun_device_t, read_packet, bool,
 	private_tun_device_t *this, chunk_t *packet)
 {
+	chunk_t data;
 	ssize_t len;
-	fd_set set;
 	bool old;
 
-	FD_ZERO(&set);
-	FD_SET(this->tunfd, &set);
+	data = chunk_alloca(get_mtu(this));
 
 	old = thread_cancelability(TRUE);
-	len = select(this->tunfd + 1, &set, NULL, NULL, NULL);
+	len = read(this->tunfd, data.ptr, data.len);
 	thread_cancelability(old);
-
-	if (len < 0)
-	{
-		DBG1(DBG_LIB, "select on TUN device %s failed: %s", this->if_name,
-			 strerror(errno));
-		return FALSE;
-	}
-	/* FIXME: this is quite expensive for lots of small packets, copy from
-	 * local buffer instead? */
-	*packet = chunk_alloc(get_mtu(this));
-	len = read(this->tunfd, packet->ptr, packet->len);
 	if (len < 0)
 	{
 		DBG1(DBG_LIB, "reading from TUN device %s failed: %s", this->if_name,
 			 strerror(errno));
-		chunk_free(packet);
 		return FALSE;
 	}
-	packet->len = len;
+	data.len = len;
 #ifdef __APPLE__
 	/* UTUN's prepend packets with a 32-bit protocol number */
-	packet->len -= sizeof(u_int32_t);
-	memmove(packet->ptr, packet->ptr + sizeof(u_int32_t), packet->len);
+	data = chunk_skip(data, sizeof(u_int32_t));
 #endif
+	*packet = chunk_clone(data);
 	return TRUE;
 }
 
diff --git a/src/libstrongswan/networking/tun_device.h b/src/libstrongswan/networking/tun_device.h
index 543125beb..880369ba7 100644
--- a/src/libstrongswan/networking/tun_device.h
+++ b/src/libstrongswan/networking/tun_device.h
@@ -31,8 +31,6 @@ typedef struct tun_device_t tun_device_t;
  * Class to create TUN devices
  *
  * Creating such a device requires the CAP_NET_ADMIN capability.
- *
- * @note The implementation is currently very Linux specific
  */
 struct tun_device_t {
 
@@ -42,7 +40,7 @@ struct tun_device_t {
 	 * @note This call blocks until a packet is available. It is a thread
 	 * cancellation point.
 	 *
-	 * @param packet		the packet read from the device
+	 * @param packet		the packet read from the device, allocated
 	 * @return				TRUE if successful
 	 */
 	bool (*read_packet)(tun_device_t *this, chunk_t *packet);
diff --git a/src/libstrongswan/plugins/acert/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in
index 425e8f1a9..65542ea5d 100644
--- a/src/libstrongswan/plugins/acert/Makefile.in
+++ b/src/libstrongswan/plugins/acert/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 11dcf2907..9d79c81ee 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index 279000d88..4a86f9640 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.c b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
index 720738a84..2b7d51376 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_prf.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
@@ -139,6 +139,7 @@ METHOD(prf_t, set_key, bool,
 {
 	char buf[this->block_size];
 
+	this->ops->reset(this->ops);
 	if (this->xcbc)
 	{
 		/* The kernel currently does not support variable length XCBC keys,
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.c b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
index 6ee380633..9ad01103a 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_signer.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
@@ -156,6 +156,7 @@ METHOD(signer_t, get_block_size, size_t,
 METHOD(signer_t, set_key, bool,
 	private_af_alg_signer_t *this, chunk_t key)
 {
+	this->ops->reset(this->ops);
 	return this->ops->set_key(this->ops, key);
 }
 
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index c8e8112c5..292c2fd90 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/bliss/Makefile.am b/src/libstrongswan/plugins/bliss/Makefile.am
new file mode 100644
index 000000000..e2aaaf55c
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/Makefile.am
@@ -0,0 +1,54 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS) \
+	@COVERAGE_CFLAGS@
+
+# these file are also used by bliss_huffman
+noinst_LTLIBRARIES = libbliss-params.la
+libbliss_params_la_SOURCES = \
+	bliss_param_set.h bliss_param_set.c \
+	bliss_fft_params.h bliss_fft_params.c
+
+# these files are also used by the tests, we can't directly refer to them
+# because of the subdirectory, which would cause distclean to fail
+noinst_LTLIBRARIES += libbliss.la
+libbliss_la_SOURCES = \
+	bliss_private_key.h bliss_private_key.c \
+	bliss_public_key.h bliss_public_key.c \
+	bliss_signature.h bliss_signature.c \
+	bliss_utils.h bliss_utils.c \
+	bliss_bitpacker.h bliss_bitpacker.c \
+	bliss_fft.h bliss_fft.c \
+	bliss_huffman_code.h bliss_huffman_code.c \
+	bliss_huffman_code_1.c bliss_huffman_code_3.c bliss_huffman_code_4.c \
+	bliss_huffman_coder.h bliss_huffman_coder.c \
+	bliss_sampler.h bliss_sampler.c
+libbliss_la_LIBADD = libbliss-params.la
+
+if MONOLITHIC
+noinst_LTLIBRARIES += libstrongswan-bliss.la
+else
+plugin_LTLIBRARIES = libstrongswan-bliss.la
+endif
+
+libstrongswan_bliss_la_SOURCES = \
+	bliss_plugin.h bliss_plugin.c
+
+libstrongswan_bliss_la_LDFLAGS = -module -avoid-version
+
+libstrongswan_bliss_la_LIBADD = libbliss.la
+
+noinst_PROGRAMS = bliss_huffman
+
+bliss_huffman_SOURCES = bliss_huffman.c
+bliss_huffman_LDADD = -lm libbliss-params.la
+
+recreate-bliss-huffman :	bliss_huffman bliss_huffman_code.h
+	$(AM_V_GEN) \
+	./bliss_huffman 1  8 > $(srcdir)/bliss_huffman_code_1.c 2>/dev/null
+	$(AM_V_GEN) \
+	./bliss_huffman 3 16 > $(srcdir)/bliss_huffman_code_3.c 2>/dev/null
+	$(AM_V_GEN) \
+	./bliss_huffman 4 32 > $(srcdir)/bliss_huffman_code_4.c 2>/dev/null
diff --git a/src/libstrongswan/plugins/bliss/Makefile.in b/src/libstrongswan/plugins/bliss/Makefile.in
new file mode 100644
index 000000000..1361dd340
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/Makefile.in
@@ -0,0 +1,862 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+@MONOLITHIC_TRUE@am__append_1 = libstrongswan-bliss.la
+noinst_PROGRAMS = bliss_huffman$(EXEEXT)
+subdir = src/libstrongswan/plugins/bliss
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libbliss_params_la_LIBADD =
+am_libbliss_params_la_OBJECTS = bliss_param_set.lo bliss_fft_params.lo
+libbliss_params_la_OBJECTS = $(am_libbliss_params_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libbliss_la_DEPENDENCIES = libbliss-params.la
+am_libbliss_la_OBJECTS = bliss_private_key.lo bliss_public_key.lo \
+	bliss_signature.lo bliss_utils.lo bliss_bitpacker.lo \
+	bliss_fft.lo bliss_huffman_code.lo bliss_huffman_code_1.lo \
+	bliss_huffman_code_3.lo bliss_huffman_code_4.lo \
+	bliss_huffman_coder.lo bliss_sampler.lo
+libbliss_la_OBJECTS = $(am_libbliss_la_OBJECTS)
+libstrongswan_bliss_la_DEPENDENCIES = libbliss.la
+am_libstrongswan_bliss_la_OBJECTS = bliss_plugin.lo
+libstrongswan_bliss_la_OBJECTS = $(am_libstrongswan_bliss_la_OBJECTS)
+libstrongswan_bliss_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_bliss_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_bliss_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_bliss_la_rpath =
+PROGRAMS = $(noinst_PROGRAMS)
+am_bliss_huffman_OBJECTS = bliss_huffman.$(OBJEXT)
+bliss_huffman_OBJECTS = $(am_bliss_huffman_OBJECTS)
+bliss_huffman_DEPENDENCIES = libbliss-params.la
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libbliss_params_la_SOURCES) $(libbliss_la_SOURCES) \
+	$(libstrongswan_bliss_la_SOURCES) $(bliss_huffman_SOURCES)
+DIST_SOURCES = $(libbliss_params_la_SOURCES) $(libbliss_la_SOURCES) \
+	$(libstrongswan_bliss_la_SOURCES) $(bliss_huffman_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS) \
+	@COVERAGE_CFLAGS@
+
+
+# these file are also used by bliss_huffman
+
+# these files are also used by the tests, we can't directly refer to them
+# because of the subdirectory, which would cause distclean to fail
+noinst_LTLIBRARIES = libbliss-params.la libbliss.la $(am__append_1)
+libbliss_params_la_SOURCES = \
+	bliss_param_set.h bliss_param_set.c \
+	bliss_fft_params.h bliss_fft_params.c
+
+libbliss_la_SOURCES = \
+	bliss_private_key.h bliss_private_key.c \
+	bliss_public_key.h bliss_public_key.c \
+	bliss_signature.h bliss_signature.c \
+	bliss_utils.h bliss_utils.c \
+	bliss_bitpacker.h bliss_bitpacker.c \
+	bliss_fft.h bliss_fft.c \
+	bliss_huffman_code.h bliss_huffman_code.c \
+	bliss_huffman_code_1.c bliss_huffman_code_3.c bliss_huffman_code_4.c \
+	bliss_huffman_coder.h bliss_huffman_coder.c \
+	bliss_sampler.h bliss_sampler.c
+
+libbliss_la_LIBADD = libbliss-params.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-bliss.la
+libstrongswan_bliss_la_SOURCES = \
+	bliss_plugin.h bliss_plugin.c
+
+libstrongswan_bliss_la_LDFLAGS = -module -avoid-version
+libstrongswan_bliss_la_LIBADD = libbliss.la
+bliss_huffman_SOURCES = bliss_huffman.c
+bliss_huffman_LDADD = -lm libbliss-params.la
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/bliss/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/bliss/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+libbliss-params.la: $(libbliss_params_la_OBJECTS) $(libbliss_params_la_DEPENDENCIES) $(EXTRA_libbliss_params_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK)  $(libbliss_params_la_OBJECTS) $(libbliss_params_la_LIBADD) $(LIBS)
+
+libbliss.la: $(libbliss_la_OBJECTS) $(libbliss_la_DEPENDENCIES) $(EXTRA_libbliss_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK)  $(libbliss_la_OBJECTS) $(libbliss_la_LIBADD) $(LIBS)
+
+libstrongswan-bliss.la: $(libstrongswan_bliss_la_OBJECTS) $(libstrongswan_bliss_la_DEPENDENCIES) $(EXTRA_libstrongswan_bliss_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_bliss_la_LINK) $(am_libstrongswan_bliss_la_rpath) $(libstrongswan_bliss_la_OBJECTS) $(libstrongswan_bliss_la_LIBADD) $(LIBS)
+
+clean-noinstPROGRAMS:
+	@list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+
+bliss_huffman$(EXEEXT): $(bliss_huffman_OBJECTS) $(bliss_huffman_DEPENDENCIES) $(EXTRA_bliss_huffman_DEPENDENCIES) 
+	@rm -f bliss_huffman$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(bliss_huffman_OBJECTS) $(bliss_huffman_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_bitpacker.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_fft.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_fft_params.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_code.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_code_1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_code_3.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_code_4.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_coder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_param_set.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_public_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_sampler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_signature.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_utils.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-noinstPROGRAMS clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-noinstPROGRAMS \
+	clean-pluginLTLIBRARIES cscopelist-am ctags ctags-am distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-am uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+recreate-bliss-huffman :	bliss_huffman bliss_huffman_code.h
+	$(AM_V_GEN) \
+	./bliss_huffman 1  8 > $(srcdir)/bliss_huffman_code_1.c 2>/dev/null
+	$(AM_V_GEN) \
+	./bliss_huffman 3 16 > $(srcdir)/bliss_huffman_code_3.c 2>/dev/null
+	$(AM_V_GEN) \
+	./bliss_huffman 4 32 > $(srcdir)/bliss_huffman_code_4.c 2>/dev/null
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/bliss/bliss_bitpacker.c b/src/libstrongswan/plugins/bliss/bliss_bitpacker.c
new file mode 100644
index 000000000..4d8446119
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_bitpacker.c
@@ -0,0 +1,207 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY;https://www.hsr.ch/HSR-intern-Anmeldung.4409.0.html?&no_cache=1 without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_bitpacker.h"
+
+typedef struct private_bliss_bitpacker_t private_bliss_bitpacker_t;
+
+/**
+ * Private data structure for bliss_bitpacker_t object
+ */
+struct private_bliss_bitpacker_t {
+	/**
+	 * Public interface.
+	 */
+	bliss_bitpacker_t public;
+
+	/**
+	 * Current number of bits written to buffer
+	 */
+	size_t bits;
+
+	/**
+	 * Bit buffer for up to 32 bits
+	 */
+	uint32_t bits_buf;
+
+	/**
+	 * Bits left in the bit buffer
+	 */
+	size_t bits_left;
+
+	/**
+	 * Buffer
+	 */
+	chunk_t buf;
+
+	/**
+	 * Read/Write pointer into buffer
+	 */
+	chunk_t pos;
+
+};
+
+METHOD(bliss_bitpacker_t, get_bits, size_t,
+	private_bliss_bitpacker_t *this)
+{
+	return this->bits;
+}
+
+METHOD(bliss_bitpacker_t, write_bits, bool,
+	private_bliss_bitpacker_t *this, uint32_t value, size_t bits)
+{
+	if (bits == 0)
+	{
+		return TRUE;
+	}
+	if (bits > 32)
+	{
+		return FALSE;
+	}
+	if (bits < 32)
+	{
+		value &= (1 << bits) - 1;
+	}
+	this->bits += bits;
+
+	while (TRUE)
+	{
+		if (bits <= this->bits_left)
+		{
+			this->bits_buf |= value << (this->bits_left - bits);
+			this->bits_left -= bits;
+			return TRUE;
+		}
+
+		this->bits_buf |= value >> (bits - this->bits_left);
+		value &= (1 << (bits - this->bits_left)) - 1;
+		bits -= this->bits_left;
+
+		if (this->pos.len < 8)
+		{
+			return FALSE;
+		}
+		htoun32(this->pos.ptr, this->bits_buf);
+		this->pos = chunk_skip(this->pos, 4);
+		this->bits_buf = 0;
+		this->bits_left = 32;
+	}
+}
+
+METHOD(bliss_bitpacker_t, read_bits, bool,
+	private_bliss_bitpacker_t *this, uint32_t *value, size_t bits)
+{
+	if (bits > 32)
+	{
+		return FALSE;
+	}
+	*value = 0;
+
+	while (TRUE)
+	{
+		if (this->bits_left == 0)
+		{
+			if (this->pos.len < 4)
+			{
+				return FALSE;
+			}
+			this->bits_buf = untoh32(this->pos.ptr);
+			this->pos = chunk_skip(this->pos, 4);
+			this->bits_left = 32;
+		}
+		if (bits <= this->bits_left)
+		{
+			*value |= this->bits_buf >> (this->bits_left - bits);
+			this->bits_buf &= (1 << (this->bits_left - bits)) - 1;
+			this->bits_left -= bits;
+
+			return TRUE;
+		}
+		*value |= this->bits_buf << (bits - this->bits_left);
+		bits -= this->bits_left;
+		this->bits_left = 0;
+	}
+}
+
+METHOD(bliss_bitpacker_t, extract_buf, chunk_t,
+	private_bliss_bitpacker_t *this)
+{
+	chunk_t buf;
+
+	htoun32(this->pos.ptr, this->bits_buf);
+	this->pos.len -= 4;
+	buf = this->buf;
+	buf.len = this->buf.len - this->pos.len - this->bits_left/8;
+	this->buf = this->pos = chunk_empty;
+
+	return buf;
+}
+
+METHOD(bliss_bitpacker_t, destroy, void,
+	private_bliss_bitpacker_t *this)
+{
+	free(this->buf.ptr);
+	free(this);
+}
+
+/**
+ * See header.
+ */
+bliss_bitpacker_t *bliss_bitpacker_create(uint16_t max_bits)
+{
+	private_bliss_bitpacker_t *this;
+
+	INIT(this,
+		.public = {
+			.get_bits = _get_bits,
+			.write_bits = _write_bits,
+			.read_bits = _read_bits,
+			.extract_buf = _extract_buf,
+			.destroy = _destroy,
+		},
+		.bits_left = 32,
+		.buf = chunk_alloc(round_up(max_bits, 32)/8),
+	);
+
+	this->pos = this->buf;
+
+	return &this->public;
+}
+
+/**
+ * See header.
+ */
+bliss_bitpacker_t *bliss_bitpacker_create_from_data(chunk_t data)
+{
+	private_bliss_bitpacker_t *this;
+
+	INIT(this,
+		.public = {
+			.get_bits = _get_bits,
+			.write_bits = _write_bits,
+			.read_bits = _read_bits,
+			.extract_buf = _extract_buf,
+			.destroy = _destroy,
+		},
+		.bits = 8 * data.len,
+		.buf = chunk_alloc(round_up(data.len, 4)),
+	);
+
+	memset(this->buf.ptr + this->buf.len - 4, 0x00, 4);
+	memcpy(this->buf.ptr, data.ptr, data.len);
+	this->pos = this->buf;
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_bitpacker.h b/src/libstrongswan/plugins/bliss/bliss_bitpacker.h
new file mode 100644
index 000000000..2fe6cba1c
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_bitpacker.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_bitpacker bliss_bitpacker
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_BITPACKER_H_
+#define BLISS_BITPACKER_H_
+
+#include <library.h>
+
+typedef struct bliss_bitpacker_t bliss_bitpacker_t;
+
+/**
+ * Reads and writes a variable number of bits in packed format
+ * from and to an octet buffer
+ */
+struct bliss_bitpacker_t {
+
+	/**
+	 * Get the number of bits written into buffer
+	 *
+	 * @result			Number of bits written
+	 */
+	size_t (*get_bits)(bliss_bitpacker_t *this);
+
+	/**
+	 * Get the prime modulus of the Number Theoretic Transform
+	 *
+	 * @param value		Value to be written
+	 * @param bits		Number of bits to be written
+	 * @result			TRUE if value could be written into buffer
+	 */
+	bool (*write_bits)(bliss_bitpacker_t *this, uint32_t value, size_t bits);
+
+
+	/**
+	 * Get the prime modulus of the Number Theoretic Transform
+	 *
+	 * @param value		Value returned
+	 * @param bits		Number of bits to be read
+	 * @result			TRUE if value could be read from buffer
+	 */
+	bool (*read_bits)(bliss_bitpacker_t *this, uint32_t *value, size_t bits);
+
+	/**
+	 * Detach the internal octet buffer and return it
+	 */
+	chunk_t (*extract_buf)(bliss_bitpacker_t *this);
+
+	/**
+	 * Destroy bliss_bitpacker_t object
+	 */
+	void (*destroy)(bliss_bitpacker_t *this);
+};
+
+/**
+ * Create a bliss_bitpacker_t object for writing
+ *
+ * @param max_bits		Total number of bits to be stored
+ */
+bliss_bitpacker_t* bliss_bitpacker_create(uint16_t max_bits);
+
+/**
+ * Create a bliss_bitpacker_t object for reading
+ *
+ * @param data			Packed array of bits
+ */
+bliss_bitpacker_t* bliss_bitpacker_create_from_data(chunk_t data);
+
+#endif /** BLISS_BITPACKER_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_fft.c b/src/libstrongswan/plugins/bliss/bliss_fft.c
new file mode 100644
index 000000000..033c2144e
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_fft.c
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_fft.h"
+
+typedef struct private_bliss_fft_t private_bliss_fft_t;
+
+/**
+ * Private data structure for bliss_fft_t object
+ */
+struct private_bliss_fft_t {
+	/**
+	 * Public interface.
+	 */
+	bliss_fft_t public;
+
+	/**
+	 * FFT parameter set used as constants
+	 */
+	bliss_fft_params_t *p;
+
+};
+
+METHOD(bliss_fft_t, get_size, uint16_t,
+	private_bliss_fft_t *this)
+{
+	return this->p->n;
+}
+
+METHOD(bliss_fft_t, get_modulus, uint16_t,
+	private_bliss_fft_t *this)
+{
+	return this->p->q;
+}
+
+/**
+ * Do an FFT butterfly operation
+ *
+ * x[i1] ---|+|------- x[i1]
+ *        \/
+ *        /\    w[iw]  
+ * x[i2] ---|-|--|*|-- x[i2]
+ *
+ */
+static void butterfly(private_bliss_fft_t *this, uint32_t *x, int i1,int i2,
+															  int iw)
+{
+	uint32_t xp, xm;
+
+	xp = x[i1] + x[i2];
+	xm = x[i1] + (this->p->q - x[i2]);
+	if (xp >= this->p->q)
+	{
+		xp -= this->p->q;
+	}
+	x[i1] =  xp;
+	x[i2] = (xm * this->p->w[iw]) % this->p->q;
+}
+
+/**
+ * Trivial butterfly operation of last FFT stage
+ */
+static void butterfly_last(private_bliss_fft_t *this, uint32_t *x, int i1)
+{
+	uint32_t xp, xm;
+	int i2 = i1 + 1;
+
+	xp = x[i1] + x[i2];
+	xm = x[i1] + (this->p->q - x[i2]);
+	if (xp >= this->p->q)
+	{
+		xp -= this->p->q;
+	}
+	if (xm >= this->p->q)
+	{
+		xm -= this->p->q;
+	}
+	x[i1] = xp;
+	x[i2] = xm;
+}
+
+METHOD(bliss_fft_t, transform, void,
+	private_bliss_fft_t *this, uint32_t *a, uint32_t *b, bool inverse)
+{
+	int stage, i, j, k, m, n, t, iw, i_rev;
+	uint16_t q;
+	uint32_t tmp;
+
+	/* we are going to use the transform size n and the modulus q a lot */
+	n = this->p->n;
+	q = this->p->q;
+
+	if (!inverse)
+	{
+		/* apply linear phase needed for negative wrapped convolution */
+		for (i = 0; i < n; i++)
+		{
+			b[i] = (a[i] * this->p->w[i]) % q;
+		}
+	}
+	else if (a != b)
+	{
+		/* copy if input and output array are not the same */
+		for (i = 0; i < n; i++)
+		{
+			b[i] = a[i];
+		}
+	}
+
+	m = n;
+	k = 1;
+
+	for (stage = this->p->stages; stage > 0; stage--)
+	{
+		m >>= 1;
+		t = 0;
+
+		for (j = 0; j < k; j++)
+		{
+			if (stage == 1)
+			{
+				butterfly_last(this, b, t);
+			}
+			else
+			{
+				for (i = 0; i < m; i++)
+				{
+					iw = 2 * (inverse ? (n - i * k) : (i * k));
+					butterfly(this, b, t + i, t + i + m, iw);
+				}				
+			}
+			t += 2*m;
+		}
+		k <<= 1;
+	}
+
+	/* Sort output in bit-reverse order */
+	for (i = 0; i < n; i++)
+	{
+		i_rev = this->p->rev[i];
+
+		if (i_rev > i)
+		{
+			tmp = b[i];
+			b[i] = b[i_rev];
+			b[i_rev] = tmp;
+		}
+	}
+
+	/**
+	 * Compensate the linear phase needed for negative wrapped convolution
+	 * and normalize the output array with 1/n mod q after the inverse FFT. 
+	 */
+	if (inverse)
+	{
+		for (i = 0; i < n; i++)
+		{
+			b[i] = (((b[i] * this->p->w[2*n - i]) % q) * this->p->n_inv) % q;
+		}
+	}
+}
+
+METHOD(bliss_fft_t, destroy, void,
+	private_bliss_fft_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header.
+ */
+bliss_fft_t *bliss_fft_create(bliss_fft_params_t *params)
+{
+	private_bliss_fft_t *this;
+
+	INIT(this,
+		.public = {
+			.get_size = _get_size,
+			.get_modulus = _get_modulus,
+			.transform = _transform,
+			.destroy = _destroy,
+		},
+		.p = params,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_fft.h b/src/libstrongswan/plugins/bliss/bliss_fft.h
new file mode 100644
index 000000000..a79edd2be
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_fft.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_fft bliss_fft
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_FFT_H_
+#define BLISS_FFT_H_
+
+#include "bliss_fft_params.h"
+
+#include <library.h>
+
+typedef struct bliss_fft_t bliss_fft_t;
+
+/**
+ * Implements a Number Theoretic Transform (NTT) via the FFT algorithm
+ */
+struct bliss_fft_t {
+
+	/**
+	 * Get the size of the Number Theoretic Transform
+	 *
+	 * @result			Transform size
+	 */
+	uint16_t (*get_size)(bliss_fft_t *this);
+
+	/**
+	 * Get the prime modulus of the Number Theoretic Transform
+	 *
+	 * @result			Prime modulus
+	 */
+	uint16_t (*get_modulus)(bliss_fft_t *this);
+
+	/**
+	 * Compute the [inverse] NTT of a polynomial
+	 *
+	 * @param a			Coefficient of input polynomial
+	 * @param b			Coefficient of output polynomial
+	 * @param inverse	TRUE if the inverse NTT has to be computed
+	 */
+	void (*transform)(bliss_fft_t *this, uint32_t *a, uint32_t *b, bool inverse);
+
+	/**
+	 * Destroy bliss_fft_t object
+	 */
+	void (*destroy)(bliss_fft_t *this);
+};
+
+/**
+ * Create a bliss_fft_t object for a given FFT parameter set
+ *
+ * @param params		FFT parameters
+ */
+bliss_fft_t *bliss_fft_create(bliss_fft_params_t *params);
+
+#endif /** BLISS_FFT_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_fft_params.c b/src/libstrongswan/plugins/bliss/bliss_fft_params.c
new file mode 100644
index 000000000..c892c06e6
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_fft_params.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_fft_params.h"
+
+/**
+ * FFT parameters for q = 12289 and 2n = 1024
+ */
+static uint16_t w_12289_1024[] = {
+	    1,    49,  2401,  7048,  1260,   295,  2166,  7822,  2319,  3030,
+	 1002, 12231,  9447,  8210,  9042,   654,  7468,  9551,  1017,   677,
+	 8595,  3329,  3364,  5079,  3091,  3991, 11224,  9260, 11336,  2459,
+	 9890,  5339,  3542,  1512,   354,  5057,  2013,   325,  3636,  6118,
+	 4846,  3963,  9852,  3477, 10616,  4046,  1630,  6136,  5728, 10314,
+	 1537,  1579,  3637,  6167,  7247, 11011, 11112,  3772,   493, 11868,
+	 3949,  9166,  6730, 10256, 10984,  9789,   390,  6821,  2426,  8273,
+	12129,  4449,  9088,  2908,  7313,  1956,  9821,  1958,  9919,  6760,
+	11726,  9280,    27,  1323,  3382,  5961,  9442,  7965,  9326,  2281,
+	 1168,  8076,  2476, 10723,  9289,   468, 10643,  5369,  5012, 12097,
+
+	 2881,  5990, 10863,  3860,  4805,  1954,  9723,  9445,  8112,  4240,
+	11136,  4948,  8961,  8974,  9611,  3957,  9558,  1360,  5195,  8775,
+	12149,  5429,  7952,  8689,  7935,  7856,  3985, 10930,  7143,  5915,
+	 7188,  8120,  4632,  5766, 12176,  6752, 11334,  2361,  5088,  3532,
+	 1022,   922,  8311,  1702,  9664,  6554,  1632,  6234, 10530, 12121,
+	 4057,  2169,  7969,  9522, 11885,  4782,   827,  3656,  7098,  3710,
+	 9744, 10474,  9377,  4780,   729, 11143,  5291,  1190,  9154,  6142,
+	 6022,   142,  6958,  9139,  5407,  6874,  5023,   347,  4714,  9784,
+	  145,  7105,  4053,  1973, 10654,  5908,  6845,  3602,  4452,  9235,
+	10111,  3879,  5736, 10706,  8456,  8807,  1428,  8527, 12286, 12142,
+
+	 5086,  3434,  8509, 11404,  5791,  1112,  5332,  3199,  9283,   174,
+	 8526, 12237,  9741, 10327,  2174,  8214,  9238, 10258, 11082,  2302,
+	 2197,  9341,  3016,   316,  3195,  9087,  2859,  4912,  7197,  8561,
+	 1663,  7753, 11227,  9407,  6250, 11314,  1381,  6224, 10040,   400,
+     7311,  1858,  5019,   151,  7399,  6170,  7394,  5925,  7678,  7552,
+	 1378,  6077,  2837,  3834,  3531,   973, 10810,  1263,   442,  9369,
+	 4388,  6099,  3915,  7500, 11119,  4115,  5011, 12048,   480, 11231,
+	 9603,  3565,  2639,  6421,  7404,  6415,  7110,  4298,  1689,  9027,
+	12208,  8320,  2143,  6695,  8541,   683,  8889,  5446,  8785,   350,
+	 4861,  4698,  9000, 10885,  4938,  8471,  9542,   576,  3646,  6608,
+
+	 4278,   709, 10163,  6427,  7698,  8532,   242, 11858,  3459,  9734,
+	 9984,  9945,  8034,   418,  8193,  8209,  8993, 10542,   420,  8291,
+	  722, 10800,   773,  1010,   334,  4077,  3149,  6833,  3014,   218,
+	10682,  7280,   339,  4322,  2865,  5206,  9314,  1693,  9223,  9523,
+	11934,  7183,  7875,  4916,  7393,  5876,  5277,   504,   118,  5782,
+	  671,  8301,  1212, 10232,  9808,  1321,  3284,  1159,  7635,  5445,
+	 8736, 10238, 10102,  3438,  8705,  8719,  9405,  6152,  6512, 11863,
+	 3704,  9450,  8357,  3956,  9509, 11248, 10436,  7515, 11854,  3263,
+	  130,  6370,  4905,  6854,  4043,  1483, 11222,  9162,  6534,   652,
+	 7370,  4749, 11499, 10446,  8005, 11286,     9,   441,  9320,  1987,
+
+	11340,  2655,  7205,  8953,  8582,  2692,  9018, 11767, 11289,   156,
+	 7644,  5886,  5767, 12225,  9153,  6093,  3621,  5383,  5698,  8844,
+	 3241, 11341,  2704,  9606,  3712,  9842,  2987, 11184,  7300,  1319,
+	 3186,  8646,  5828,  2925,  8146,  5906,  6747, 11089,  2645,  6715,
+	 9521, 11836,  2381,  6068,  2396,  6803,  1544,  1922,  8155,  6347,
+	 3778,   787,  1696,  9370,  4437,  8500, 10963,  8760, 11414,  6281,
+	  544,  2078,  3510, 12233,  9545,   723, 10849,  3174,  8058,  1594,
+	 4372,  5315,  2366,  5333,  3248, 11684,  7222,  9786,   243, 11907,
+	 5860,  4493, 11244, 10240, 10200,  8240, 10512, 11239,  9995, 10484,
+	 9867,  4212,  9764, 11454,  8241, 10561,  1351,  4754, 11744, 10162,
+
+	 6378,  5297,  1484, 11271, 11563,  1293,  1912,  7665,  6915,  7032,
+	  476, 11035, 12288, 12240,  9888,  5241, 11029, 11994, 10123,  4467,
+	 9970,  9259, 11287,    58,  2842,  4079,  3247, 11635,  4821,  2738,
+	11272, 11612,  3694,  8960,  8925,  7210,  9198,  8298,  1065,  3029,
+	  953,  9830,  2399,  6950,  8747, 10777, 11935,  7232, 10276, 11964,
+	 8653,  6171,  7443,  8326,  2437,  8812,  1673,  8243, 10659,  6153,
+	 6561,  1975, 10752, 10710,  8652,  6122,  5042,  1278,  1177,  8517,
+	11796,   421,  8340,  3123,  5559,  2033,  1305,  2500, 11899,  5468,
+	 9863,  4016,   160,  7840,  3201,  9381,  4976, 10333,  2468, 10331,
+	 2370,  5529,  563,   3009, 12262, 10966,  8907,  6328,  2847,  4324,
+
+	 2963, 10008, 11121,  4213,  9813,  1566,  3000, 11821,  1646,  6920,
+	 7277,   192,  9408,  6299,  1426,  8429,  7484, 10335,  2566,  2844,
+	 4177,  8049,  1153,  7341,  3328,  3315,  2678,  8332,  2731, 10929,
+	 7094,  3514,   140,  6860,  4337,  3600,  4354,  4433,  8304,  1359,
+	 5146,  6374,  5101,  4169,  7657,  6523,   113,  5537,   955,  9928,
+	 7201,  8757, 11267, 11367,  3978, 10587,  2625,  5735, 10657,  6055,
+	 1759,   168,  8232, 10120,  4320,  2767,   404,  7507, 11462,  8633,
+	 5191,  8579,  2545,  1815,  2912,  7509, 11560,  1146,  6998, 11099,
+	 3135,  6147,  6267, 12147,  5331,  3150,  6882,  5415,  7266, 11942,
+	 7575,  2505, 12144,  5184,  8236, 10316,  1635,  6381,  5444,  8687,
+
+	 7837,  3054,  2178,  8410,  6553,  1583,  3833,  3482, 10861,  3762,
+	    3,   147,  7203,  8855,  3780,   885,  6498, 11177,  6957,  9090,
+	 3006, 12115,  3763,    52,  2548,  1962, 10115,  4075,  3051,  2031,
+	 1207,  9987, 10092,  2948,  9273, 11973,  9094,  3202,  9430,  7377,
+	 5092,  3728, 10626,  4536,  1062,  2882,  6039,   975, 10908,  6065,
+	 2249, 11889,  4978, 10431,  7270, 12138,  4890,  6119,  4895,  6364,
+	 4611,  4737, 10911,  6212,  9452,  8455,  8758, 11316,  1479, 11026,
+	11847,  2920,  7901,  6190,  8374,  4789,  1170,  8174,  7278,   241,
+	11809,  1058,  2686,  8724,  9650,  5868,  4885,  5874,  5179,  7991,
+	10600,  3262,    81,  3969, 10146,  5594,  3748, 11606,  3400,  6843,
+
+	 3504, 11939,  7428,  7591,  3289,  1404,  7351,  3818,  2747, 11713,
+	 8643,  5681,  8011, 11580,  2126,  5862,  4591,  3757, 12047,   431,
+	 8830,  2555,  2305,  2344,  4255, 11871,  4096,  4080,  3296,  1747,
+	11869,  3998, 11567,  1489, 11516, 11279, 11955,  8212,  9140,  5456,
+	 9275, 12071,  1607,  5009, 11950,  7967,  9424,  7083,  2975, 10596,
+	 3066,  2766,   355,  5106,  4414,  7373,  4896,  6413,  7012, 11785,
+	12171,  6507, 11618,  3988, 11077,  2057,  2481, 10968,  9005, 11130,
+	 4654,  6844,  3553,  2051,  2187,  8851,  3584,  3570,  2884,  6137,
+	 5777, 	 426,  8585,  2839,  3932,  8333,  2780,  1041,  1853,  4774,
+	  435,  9026, 12159,  5919,  7384,  5435,  8246, 10806,  1067,  3127,
+
+	 5755, 11637,  4919,  7540,   790,  1843,  4284,  1003, 12280, 11848,
+	 2969, 10302,   949,  9634,  5084,  3336,  3707,  9597,  3271,   522,
+	 1000, 12133,  4645,  6403,  6522,    64,  3136,  6196,  8668,  6906,
+	 6591,  3445,  9048,   948,  9585,  2683,  8577,  2447,  9302,  1105,
+	 4989, 10970,  9103,  3643,  6461,  9364,  4143,  6383,  5542,  1200,
+	 9644,  5574,  2768,   453,  9908,  6221,  9893,  5486, 10745, 10367,
+	 4134,  5942,  8511, 11502, 10593,  2919,  7852,  3789,  1326,  3529,
+	  875,  6008, 11745, 10211,  8779,    56,  2744, 11566,  1440,  9115,
+	 4231, 10695,  7917,  6974,  9923,  6956,  9041,   605,  5067,  2503,
+	12046,   382,  6429,  7796,  1045,  2049,  2089,  4049,  1777,  1050,
+
+	 2294,  1805,  2422,  8077,  2525,   835,  4048,  1728, 10938,  7535,
+	  545,  2127,  5911,  6992, 10805,  1018,   726, 10996, 10377,  4624,
+	  5374, 5257, 11813,  1254,     1
+};
+
+/**
+ * Bit-reversed indices for n = 512
+ */
+static uint16_t rev_512[] = {
+	  0, 256, 128, 384,  64, 320, 192, 448,  32, 288, 
+	160, 416,  96, 352, 224, 480,  16, 272, 144, 400,
+	 80, 336, 208, 464,  48, 304, 176, 432, 112, 368,
+	240, 496,   8, 264, 136, 392,  72, 328, 200, 456,
+	 40, 296, 168, 424, 104, 360, 232, 488,  24, 280,
+	152, 408,  88, 344, 216, 472,  56, 312, 184, 440,
+	120, 376, 248, 504,   4, 260, 132, 388,  68, 324,
+	196, 452,  36, 292, 164, 420, 100, 356, 228, 484,
+	 20, 276, 148, 404,  84, 340, 212, 468,  52, 308,
+	180, 436, 116, 372, 244, 500,  12, 268, 140, 396,
+
+	 76, 332, 204, 460,  44, 300, 172, 428, 108, 364,
+	236, 492,  28, 284, 156, 412,  92, 348, 220, 476,
+	 60, 316, 188, 444, 124, 380, 252, 508,   2, 258,
+	130, 386,  66, 322, 194, 450,  34, 290, 162, 418,
+	 98, 354, 226, 482,  18, 274, 146, 402,  82, 338,
+	210, 466,  50, 306, 178, 434, 114, 370, 242, 498,
+	 10, 266, 138, 394,  74, 330, 202, 458,  42, 298,
+	170, 426, 106, 362, 234, 490,  26, 282, 154, 410,
+	 90, 346, 218, 474,  58, 314, 186, 442, 122, 378,
+	250, 506,   6, 262, 134, 390,  70, 326, 198, 454,
+
+	 38, 294, 166, 422, 102, 358, 230, 486,  22, 278,
+	150, 406,  86, 342, 214, 470,  54, 310, 182, 438,
+	118, 374, 246, 502,  14, 270, 142, 398,  78, 334,
+	206, 462,  46, 302, 174, 430, 110, 366, 238, 494,
+	 30, 286, 158, 414,  94, 350, 222, 478,  62, 318,
+	190, 446, 126, 382, 254, 510,   1, 257, 129, 385,
+	 65, 321, 193, 449,  33, 289, 161, 417,  97, 353,
+	225, 481,  17, 273, 145, 401,  81, 337, 209, 465,
+	 49, 305, 177, 433, 113, 369, 241, 497,   9, 265,
+	137, 393,  73, 329, 201, 457,  41, 297, 169, 425,
+
+	105, 361, 233, 489,  25, 281, 153, 409,  89, 345,
+	217, 473,  57, 313, 185, 441, 121, 377, 249, 505,
+	  5, 261, 133, 389,  69, 325, 197, 453,  37, 293,
+	165, 421, 101, 357, 229, 485,  21, 277, 149, 405,
+	 85, 341, 213, 469,  53, 309, 181, 437, 117, 373,
+	245, 501,  13, 269, 141, 397,  77, 333, 205, 461,
+	 45, 301, 173, 429, 109, 365, 237, 493,  29, 285,
+	157, 413,  93, 349, 221, 477,  61, 317, 189, 445,
+	125, 381, 253, 509,   3, 259, 131, 387,  67, 323,
+	195, 451,  35, 291, 163, 419,  99, 355, 227, 483,
+
+	 19, 275, 147, 403,  83, 339, 211, 467,  51, 307,
+	179, 435, 115, 371, 243, 499,  11, 267, 139, 395,
+	 75, 331, 203, 459,  43, 299, 171, 427, 107, 363,
+	235, 491,  27, 283, 155, 411,  91, 347, 219, 475,
+	 59, 315, 187, 443, 123, 379, 251, 507,   7, 263,
+	135, 391,  71, 327, 199, 455,  39, 295, 167, 423,
+	103, 359, 231, 487,  23, 279, 151, 407,  87, 343,
+	215, 471,  55, 311, 183, 439, 119, 375, 247, 503,
+	 15, 271, 143, 399,  79, 335, 207, 463,  47, 303,
+	175, 431, 111, 367, 239, 495,  31, 287, 159, 415,
+
+	 95, 351, 223, 479,  63, 319, 191, 447, 127, 383,
+	255, 511
+};
+
+bliss_fft_params_t bliss_fft_12289_512 = {
+	12289, 512, 12265, 9, w_12289_1024, rev_512
+};
+
+/**
+ * FFT parameters for q = 17 and n = 16
+ */
+static uint16_t w_17_16[] = {
+	1, 3, 9, 10, 13, 5, 15, 11, 16, 14, 8, 7, 4, 12, 2, 6, 1 };
+
+/**
+ * Bit-reversed indices for n = 8
+ */
+static uint16_t rev_8[] = { 0, 4, 2, 6, 1, 5, 3, 7 };
+
+bliss_fft_params_t bliss_fft_17_8 = { 17, 8, 15, 3, w_17_16, rev_8 };
diff --git a/src/libstrongswan/plugins/bliss/bliss_fft_params.h b/src/libstrongswan/plugins/bliss/bliss_fft_params.h
new file mode 100644
index 000000000..31b151b67
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_fft_params.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_fft_params bliss_fft_params
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_FFT_PARAMS_H_
+#define BLISS_FFT_PARAMS_H_
+
+#include <library.h>
+
+typedef struct bliss_fft_params_t bliss_fft_params_t;
+
+/**
+ * Defines the parameters for an NTT computed via the FFT algorithm
+ */
+struct bliss_fft_params_t {
+
+	/**
+	 * Prime modulus
+	 */
+	uint16_t q;
+
+	/**
+	 * Size of the FFT with the condition k * n = q-1
+	 */
+	uint16_t n;
+
+	/**
+	 * Inverse of n mod q used for normalization of the FFT
+	 */
+	uint16_t n_inv;
+
+	/**
+	 * Number of FFT stages  stages = log2(n)
+	 */
+	uint16_t stages;
+
+	/**
+	 * FFT twiddle factors (n-th roots of unity)
+	 */
+	uint16_t *w;
+
+	/**
+	 * FFT bit reversal
+	 */
+	uint16_t *rev;
+
+};
+
+/**
+ * FFT parameters for q = 12289 and n = 512
+ */
+extern bliss_fft_params_t bliss_fft_12289_512;
+
+/**
+ * FFT parameters for q = 17 and n = 8
+ */
+extern bliss_fft_params_t bliss_fft_17_8;
+
+#endif /** BLISS_FFT_PARAMS_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman.c b/src/libstrongswan/plugins/bliss/bliss_huffman.c
new file mode 100644
index 000000000..647234fd8
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman.c
@@ -0,0 +1,433 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_param_set.h"
+
+#include <library.h>
+
+#include <stdio.h>
+#include <math.h>
+
+typedef struct tuple_t tuple_t;
+
+struct tuple_t {
+	int8_t z1;
+	int8_t z2;
+	uint16_t index;
+	uint16_t bits;
+	uint32_t code;
+};
+
+typedef struct node_t node_t;
+
+struct node_t {
+	node_t *next;
+	node_t *l;
+	node_t *r;
+	tuple_t *tuple;
+	double p;
+	uint16_t depth;
+	uint16_t index;
+};
+
+static void print_node(node_t *node)
+{
+	if (node->tuple)
+	{
+		fprintf(stderr, "(%1d,%2d)", node->tuple->z1, node->tuple->z2);
+	}
+	else
+	{
+		fprintf(stderr, "      ");
+	}
+	fprintf(stderr, "  %18.16f\n", node->p);
+}
+
+static double code_node(node_t *node, int *index, uint8_t bits, uint32_t code)
+{
+	double code_length = 0;
+
+	node->index = (*index)++;
+
+	if (node->tuple)
+	{
+		node->tuple->code = code;
+		node->tuple->bits = bits;
+		code_length += node->p * bits;
+	}
+	if (node->l)
+	{
+		code_length += code_node(node->l, index, bits + 1, (code << 1));
+	}
+	if (node->r)
+	{
+		code_length += code_node(node->r, index, bits + 1, (code << 1) + 1);
+	}
+
+	return code_length;
+
+}
+
+static void write_node(node_t *node)
+{
+	int16_t node_0, node_1, tuple;
+
+	node_0 = node->l ? node->l->index : BLISS_HUFFMAN_CODE_NO_NODE;
+	node_1 = node->r ? node->r->index : BLISS_HUFFMAN_CODE_NO_NODE;
+	tuple = node->tuple ? node->tuple->index : BLISS_HUFFMAN_CODE_NO_TUPLE;
+
+	printf("\t{ %3d, %3d, %3d },  /* %3d: ", node_0, node_1, tuple, node->index);
+
+	if (node->tuple)
+	{
+		printf("(%d,%2d) %2u bit%s ", node->tuple->z1, node->tuple->z2,
+			   node->tuple->bits, (node->tuple->bits == 1) ? " " : "s");
+	}
+	printf("*/\n");
+
+	if (node->l)
+	{
+		write_node(node->l);
+	}
+	if (node->r)
+	{
+		write_node(node->r);
+	}
+}
+
+static void write_header(void)
+{
+	printf("/*\n");
+	printf(" * Copyright (C) 2014 Andreas Steffen\n");
+	printf(" * HSR Hochschule fuer Technik Rapperswil\n");
+	printf(" *\n");
+	printf(" * Optimum Huffman code for BLISS-X signatures\n");
+	printf(" *\n");
+	printf(" * This file has been automatically generated by the"
+		   " bliss_huffman utility\n");
+	printf(" * Do not edit manually!\n");
+	printf(" */\n\n");
+};
+
+static void write_code_tables(int bliss_type, int n_z1, int n_z2, node_t *nodes,
+							  tuple_t **tuples)
+{
+	int index, i, k;
+	uint32_t bit;
+	double code_length;
+
+	printf("#include \"bliss_huffman_code.h\"\n\n");
+
+	printf("static bliss_huffman_code_node_t nodes[] = {\n");
+	index = 0;
+	code_length = code_node(nodes, &index, 0, 0);
+	write_node(nodes);
+	printf("};\n\n");
+
+	printf("static bliss_huffman_code_tuple_t tuples[] = {\n");
+	index = 0;
+	for (i = 0; i < n_z1; i++)
+	{
+		if (i > 0)
+		{
+			printf("\n");
+		}
+		for (k = 1 - n_z2; k < n_z2; k++)
+		{
+			printf("\t{ %5u, %2u },  /* %3d: (%1d,%2d) ",
+						tuples[index]->code, tuples[index]->bits, index, i, k);
+			bit = 1 << (tuples[index]->bits - 1);
+			while (bit)
+			{
+				printf("%s", (tuples[index]->code & bit) ? "1" : "0");
+				bit >>= 1;
+			}
+			printf(" */\n");
+			index++;
+		}
+	}
+	printf("};\n\n");
+	printf("/* code_length = %6.4f bits/tuple (%d bits) */\n\n",
+			   code_length, (int)(512 * code_length + 1));
+
+	printf("bliss_huffman_code_t bliss_huffman_code_%d = {\n", bliss_type);
+	printf("\t.n_z1 = %d,\n", n_z1);
+	printf("\t.n_z2 = %d,\n", n_z2);
+	printf("\t.tuples = tuples,\n");
+	printf("\t.nodes  = nodes\n");
+	printf("};\n");
+}
+
+static void destroy_node(node_t *node)
+{
+	if (node->l)
+	{
+		destroy_node(node->l);
+	}
+	if (node->r)
+	{
+		destroy_node(node->r);
+	}
+	free(node->tuple);
+	free(node);
+}
+
+static void remove_node(node_t *list, node_t **last, node_t *node)
+{
+	node_t *current, *prev;
+
+	for (current = list->next, prev = list; current;
+		 prev = current, current = current->next)
+	{
+		if (current == node)
+		{
+			prev->next = current->next;
+			if (*last == current)
+			{
+				*last = prev->next ?: prev;
+			}
+			break;
+		}
+	}
+}
+
+/**
+ * Generate a Huffman code for the optimum encoding of BLISS signatures
+ */
+int main(int argc, char *argv[])
+{
+	bliss_param_set_t *set;
+	int dx, bliss_type, depth = 1, groups, groups_left, pairs = 1;
+	int i_max = 9, k_max = 8, index_max = (2*k_max - 1) * i_max;
+	int i, i_top, k, k_top;
+	uint16_t index;
+	double p, p_z1[i_max], p_z2[k_max], x_z1[i_max], x_z2[k_max];
+	double t, x, x0, p_sum, entropy = 0, erf_i, erf_k, erf_0 = 0;
+	tuple_t *tuple, *tuples[index_max];
+	node_t *node, *node_l, *node_r, *nodes = NULL;
+	node_t *node_list, *node_last;
+
+	if (argc < 2)
+	{
+		fprintf(stderr, "usage: bliss_huffman <bliss type> [<pairs>]\n");
+		exit(1);
+	}
+	if (argc > 2)
+	{
+		pairs = atoi(argv[2]);
+	}
+	fprintf(stderr, "%d code pairs with constant length\n\n", pairs);
+	groups_left = groups = pairs >> 1;
+
+	bliss_type = atoi(argv[1]);
+	set = bliss_param_set_get_by_id(bliss_type);
+	if (!set)
+	{
+		fprintf(stderr, "bliss type %d unsupported\n", bliss_type);
+		exit(1);
+	}
+	write_header();
+	printf("/*\n");
+	printf(" * Design: sigma = %u\n", set->sigma);
+	printf(" *\n");
+
+	t = 1/(sqrt(2) * set->sigma);
+
+	/* Probability distribution for z1 */
+	i_top = (set->B_inf + 255) / 256;
+	p_sum = 0;
+	x = 0;
+
+	for (i = 0; i < i_top; i++)
+	{
+		x = min(x + 256, set->B_inf);
+		erf_i = erf(t*x);
+		p_z1[i] = erf_i - erf_0;
+		p_sum += p_z1[i];
+		erf_0 = erf_i;
+		x_z1[i] = x;
+	}
+
+	/* Normalize and print the probability distribution for z1 */
+	printf(" *   i  p_z1[i]\n");
+	x0 = 0;
+
+	for (i = 0; i < i_top; i++)
+	{
+		p_z1[i] /= p_sum;
+		printf(" *  %2d  %18.16f      %4.0f .. %4.0f\n", i, p_z1[i], x0, x_z1[i]);
+		x0 = x_z1[i];
+	}
+	printf(" *\n");
+
+	/* Probability distribution for z2 */
+	dx = 1 << set->d;
+	k_top = 1 + set->B_inf / dx;
+	x = (dx >> 1) - 0.5;
+	p_sum = 0;
+
+	for (k = 0; k < k_top; k++)
+	{
+
+		erf_k = erf(t*x) / 2;
+		p_z2[k] = (k == 0) ? 2*erf_k : erf_k - erf_0;
+		p_sum +=  (k == 0) ? p_z2[k] : 2*p_z2[k];
+		erf_0 = erf_k;
+		x_z2[k] = x;
+		x += dx;
+	}
+
+	/* Normalize the probability distribution for z2 */
+	for (k = 0; k < k_top; k++)
+	{
+		p_z2[k] /= p_sum;
+	}
+
+	/* Print the probability distribution for z2 */
+	printf(" *   k  p_z2[k]  dx = %d\n", dx);
+
+	for (k = 1 - k_top; k < k_top; k++)
+	{
+
+		printf(" *  %2d  %18.16f  ",k, p_z2[abs(k)]);
+		if (k < 0)
+		{
+			printf(" %7.1f ..%7.1f\n", -x_z2[-k], -x_z2[-k-1]);
+		}
+		else if (k == 0)
+		{
+			printf(" %7.1f ..%7.1f\n", -x_z2[k], x_z2[k]);
+		}
+		else
+		{
+			printf(" %7.1f ..%7.1f\n", x_z2[k-1], x_z2[k]);
+		}
+	}
+	printf(" *\n");
+
+	/* Compute probabilities of tuples (z1, z2) */
+	INIT(node_list);
+	node_last = node_list;
+	printf(" *  (i, k)  p\n");
+	p_sum =0;
+	index = 0;
+
+	for (i = 0; i < i_top; i++)
+	{
+		for (k = 1 - k_top; k < k_top; k++)
+		{
+			p = p_z1[i] * p_z2[abs(k)];
+			printf(" *  (%1d,%2d)  %18.16f\n", i, k, p);
+			p_sum += p;
+			entropy += -log(p) * p;
+
+			INIT(tuple,
+				.z1 = i,
+				.z2 = k,
+				.index = index,
+			);
+			tuples[index++] = tuple;
+
+			INIT(node,
+				.p = p,
+				.tuple = tuple,
+			);
+			node_last->next = node;
+			node_last = node;
+		}
+		printf(" *\n");
+	}
+	entropy /= log(2);
+	printf(" *  p_sum   %18.16f\n", p_sum);
+	printf(" *\n");
+	printf(" * entropy = %6.4f bits/tuple (%d bits)\n",
+			   entropy, (int)(512 * entropy));
+	printf(" */\n\n");
+
+	/* Build Huffman tree */
+	while (node_list->next != node_last)
+	{
+		node_r = node_l = NULL;
+
+		for (node = node_list->next; node; node = node->next)
+		{
+			if (pairs > 0)
+			{
+				if (!node->tuple)
+				{
+					continue;
+				}
+			}
+			else if (groups_left > 0)
+			{
+				if (node->tuple || node->depth != depth)
+				{
+					continue;
+				}
+			}
+			if (node_r == NULL || node->p < node_r->p)
+			{
+				node_l = node_r;
+				node_r = node;
+			}
+			else if (node_l == NULL || node->p < node_l->p)
+			{
+				node_l = node;
+			}
+		}
+
+		INIT(node,
+			.l = node_l,
+			.r = node_r,
+			.p = node_l->p + node_r->p,
+			.depth = 1 + max(node_l->depth, node_r->depth),
+			.tuple = NULL,
+		);
+		print_node(node_r);
+		print_node(node_l);
+		fprintf(stderr, "        %18.16f", node->p);
+
+		remove_node(node_list, &node_last, node_l);
+		remove_node(node_list, &node_last, node_r);
+		node_last->next = node;
+		node_last = node;
+
+		if (pairs > 0)
+		{
+			pairs--;
+		}
+		else if (groups > 0)
+		{
+			if (--groups_left == 0)
+			{
+				groups >>= 1;
+				groups_left = groups;
+				depth++;
+			}
+		}
+		fprintf(stderr, "\n\n");
+	}
+
+
+	nodes = node_list->next;
+
+	write_code_tables(bliss_type, i_top, k_top, nodes, tuples);
+
+	destroy_node(nodes);
+	destroy_node(node_list);
+	exit(0);
+}
+
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code.c b/src/libstrongswan/plugins/bliss/bliss_huffman_code.c
new file mode 100644
index 000000000..e31cd9d3c
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_huffman_code.h"
+
+extern bliss_huffman_code_t bliss_huffman_code_1;
+extern bliss_huffman_code_t bliss_huffman_code_3;
+extern bliss_huffman_code_t bliss_huffman_code_4;
+
+/**
+ * See header.
+ */
+bliss_huffman_code_t* bliss_huffman_code_get_by_id(bliss_param_set_id_t id)
+{
+	switch (id)
+	{
+		case BLISS_I:
+		case BLISS_B_I:
+			return &bliss_huffman_code_1;
+		case BLISS_III:
+		case BLISS_B_III:
+			return &bliss_huffman_code_3;
+		case BLISS_IV:
+		case BLISS_B_IV:
+			return &bliss_huffman_code_4;
+		default:
+			return NULL;
+	}
+}
+
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code.h b/src/libstrongswan/plugins/bliss/bliss_huffman_code.h
new file mode 100644
index 000000000..df8511b2e
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_huffman_code bliss_huffman_code
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_HUFFMAN_CODE_H_
+#define BLISS_HUFFMAN_CODE_H_
+
+#include "bliss_param_set.h"
+
+#include <library.h>
+
+typedef struct bliss_huffman_code_t bliss_huffman_code_t;
+typedef struct bliss_huffman_code_tuple_t bliss_huffman_code_tuple_t;
+typedef struct bliss_huffman_code_node_t bliss_huffman_code_node_t;
+
+struct bliss_huffman_code_tuple_t {
+	uint32_t code;
+	uint16_t bits;
+};
+
+#define BLISS_HUFFMAN_CODE_NO_TUPLE		-1
+#define BLISS_HUFFMAN_CODE_NO_NODE		-1
+
+struct bliss_huffman_code_node_t {
+	int16_t node_0;
+	int16_t node_1;
+	int16_t tuple;
+};
+
+/**
+ * Defines the Huffman code for the optimum encoding of a BLISS signature
+ */
+struct bliss_huffman_code_t {
+
+	/**
+	 * Range of z1:  0..n_z1-1
+	 */
+	uint16_t n_z1;
+
+	/**
+	 * Range of z2:  -n_z2..n_z2
+	 */
+	uint16_t n_z2;
+
+	/**
+	 * Table of tuple codewords
+	 */
+	bliss_huffman_code_tuple_t *tuples;
+
+	/**
+	 * Table of binary decision nodes
+	 */
+	bliss_huffman_code_node_t *nodes;
+};
+
+/**
+ * Get Optimum Huffman code for BLISS signature given by BLISS parameter set ID
+ *
+ * @param id	BLISS parameter set ID
+ * @return		Optimum Huffman code for BLISS signature
+*/
+bliss_huffman_code_t* bliss_huffman_code_get_by_id(bliss_param_set_id_t id);
+
+#endif /** BLISS_HUFFMAN_CODE_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code_1.c b/src/libstrongswan/plugins/bliss/bliss_huffman_code_1.c
new file mode 100644
index 000000000..1bf433fd1
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code_1.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Optimum Huffman code for BLISS-X signatures
+ *
+ * This file has been automatically generated by the bliss_huffman utility
+ * Do not edit manually!
+ */
+
+/*
+ * Design: sigma = 215
+ *
+ *   i  p_z1[i]
+ *   0  0.7662277087816564         0 ..  256
+ *   1  0.2165251006508514       256 ..  512
+ *   2  0.0168930510015114       512 ..  768
+ *   3  0.0003522302274478       768 .. 1024
+ *   4  0.0000019067136680      1024 .. 1280
+ *   5  0.0000000026239598      1280 .. 1536
+ *   6  0.0000000000009052      1536 .. 1792
+ *   7  0.0000000000000001      1792 .. 2047
+ *
+ *   k  p_z2[k]  dx = 1024
+ *  -1  0.0086781953089156   -1535.5 .. -511.5
+ *   0  0.9826436093821688    -511.5 ..  511.5
+ *   1  0.0086781953089156     511.5 .. 1535.5
+ *
+ *  (i, k)  p
+ *  (0,-1)  0.0066494737079101
+ *  (0, 0)  0.7529287613658361
+ *  (0, 1)  0.0066494737079101
+ *
+ *  (1,-1)  0.0018790471127307
+ *  (1, 0)  0.2127670064253900
+ *  (1, 1)  0.0018790471127307
+ *
+ *  (2,-1)  0.0001466011959546
+ *  (2, 0)  0.0165998486096022
+ *  (2, 1)  0.0001466011959546
+ *
+ *  (3,-1)  0.0000030567227075
+ *  (3, 0)  0.0003461167820328
+ *  (3, 1)  0.0000030567227075
+ *
+ *  (4,-1)  0.0000000165468336
+ *  (4, 0)  0.0000018736200007
+ *  (4, 1)  0.0000000165468336
+ *
+ *  (5,-1)  0.0000000000227712
+ *  (5, 0)  0.0000000025784174
+ *  (5, 1)  0.0000000000227712
+ *
+ *  (6,-1)  0.0000000000000079
+ *  (6, 0)  0.0000000000008895
+ *  (6, 1)  0.0000000000000079
+ *
+ *  (7,-1)  0.0000000000000000
+ *  (7, 0)  0.0000000000000001
+ *  (7, 1)  0.0000000000000000
+ *
+ *  p_sum   0.9999999999999998
+ *
+ * entropy = 1.0195 bits/tuple (521 bits)
+ */
+
+#include "bliss_huffman_code.h"
+
+static bliss_huffman_code_node_t nodes[] = {
+	{   1,   2,  -1 },  /*   0: */
+	{  -1,  -1,   1 },  /*   1: (0, 0)  1 bit  */
+	{   3,   4,  -1 },  /*   2: */
+	{  -1,  -1,   4 },  /*   3: (1, 0)  2 bits */
+	{   5,  46,  -1 },  /*   4: */
+	{   6,  45,  -1 },  /*   5: */
+	{   7,   8,  -1 },  /*   6: */
+	{  -1,  -1,   0 },  /*   7: (0,-1)  5 bits */
+	{   9,  44,  -1 },  /*   8: */
+	{  10,  11,  -1 },  /*   9: */
+	{  -1,  -1,   3 },  /*  10: (1,-1)  7 bits */
+	{  12,  13,  -1 },  /*  11: */
+	{  -1,  -1,  10 },  /*  12: (3, 0)  8 bits */
+	{  14,  29,  -1 },  /*  13: */
+	{  15,  22,  -1 },  /*  14: */
+	{  16,  19,  -1 },  /*  15: */
+	{  17,  18,  -1 },  /*  16: */
+	{  -1,  -1,   8 },  /*  17: (2, 1) 12 bits */
+	{  -1,  -1,   6 },  /*  18: (2,-1) 12 bits */
+	{  20,  21,  -1 },  /*  19: */
+	{  -1,  -1,  11 },  /*  20: (3, 1) 12 bits */
+	{  -1,  -1,   9 },  /*  21: (3,-1) 12 bits */
+	{  23,  26,  -1 },  /*  22: */
+	{  24,  25,  -1 },  /*  23: */
+	{  -1,  -1,  13 },  /*  24: (4, 0) 12 bits */
+	{  -1,  -1,  14 },  /*  25: (4, 1) 12 bits */
+	{  27,  28,  -1 },  /*  26: */
+	{  -1,  -1,  12 },  /*  27: (4,-1) 12 bits */
+	{  -1,  -1,  16 },  /*  28: (5, 0) 12 bits */
+	{  30,  37,  -1 },  /*  29: */
+	{  31,  34,  -1 },  /*  30: */
+	{  32,  33,  -1 },  /*  31: */
+	{  -1,  -1,  17 },  /*  32: (5, 1) 12 bits */
+	{  -1,  -1,  15 },  /*  33: (5,-1) 12 bits */
+	{  35,  36,  -1 },  /*  34: */
+	{  -1,  -1,  19 },  /*  35: (6, 0) 12 bits */
+	{  -1,  -1,  20 },  /*  36: (6, 1) 12 bits */
+	{  38,  41,  -1 },  /*  37: */
+	{  39,  40,  -1 },  /*  38: */
+	{  -1,  -1,  18 },  /*  39: (6,-1) 12 bits */
+	{  -1,  -1,  22 },  /*  40: (7, 0) 12 bits */
+	{  42,  43,  -1 },  /*  41: */
+	{  -1,  -1,  23 },  /*  42: (7, 1) 12 bits */
+	{  -1,  -1,  21 },  /*  43: (7,-1) 12 bits */
+	{  -1,  -1,   5 },  /*  44: (1, 1)  6 bits */
+	{  -1,  -1,   2 },  /*  45: (0, 1)  4 bits */
+	{  -1,  -1,   7 },  /*  46: (2, 0)  3 bits */
+};
+
+static bliss_huffman_code_tuple_t tuples[] = {
+	{    24,  5 },  /*   0: (0,-1) 11000 */
+	{     0,  1 },  /*   1: (0, 0) 0 */
+	{    13,  4 },  /*   2: (0, 1) 1101 */
+
+	{   100,  7 },  /*   3: (1,-1) 1100100 */
+	{     2,  2 },  /*   4: (1, 0) 10 */
+	{    51,  6 },  /*   5: (1, 1) 110011 */
+
+	{  3249, 12 },  /*   6: (2,-1) 110010110001 */
+	{     7,  3 },  /*   7: (2, 0) 111 */
+	{  3248, 12 },  /*   8: (2, 1) 110010110000 */
+
+	{  3251, 12 },  /*   9: (3,-1) 110010110011 */
+	{   202,  8 },  /*  10: (3, 0) 11001010 */
+	{  3250, 12 },  /*  11: (3, 1) 110010110010 */
+
+	{  3254, 12 },  /*  12: (4,-1) 110010110110 */
+	{  3252, 12 },  /*  13: (4, 0) 110010110100 */
+	{  3253, 12 },  /*  14: (4, 1) 110010110101 */
+
+	{  3257, 12 },  /*  15: (5,-1) 110010111001 */
+	{  3255, 12 },  /*  16: (5, 0) 110010110111 */
+	{  3256, 12 },  /*  17: (5, 1) 110010111000 */
+
+	{  3260, 12 },  /*  18: (6,-1) 110010111100 */
+	{  3258, 12 },  /*  19: (6, 0) 110010111010 */
+	{  3259, 12 },  /*  20: (6, 1) 110010111011 */
+
+	{  3263, 12 },  /*  21: (7,-1) 110010111111 */
+	{  3261, 12 },  /*  22: (7, 0) 110010111101 */
+	{  3262, 12 },  /*  23: (7, 1) 110010111110 */
+};
+
+/* code_length = 1.3189 bits/tuple (676 bits) */
+
+bliss_huffman_code_t bliss_huffman_code_1 = {
+	.n_z1 = 8,
+	.n_z2 = 2,
+	.tuples = tuples,
+	.nodes  = nodes
+};
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code_3.c b/src/libstrongswan/plugins/bliss/bliss_huffman_code_3.c
new file mode 100644
index 000000000..37a8084d4
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code_3.c
@@ -0,0 +1,261 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Optimum Huffman code for BLISS-X signatures
+ *
+ * This file has been automatically generated by the bliss_huffman utility
+ * Do not edit manually!
+ */
+
+/*
+ * Design: sigma = 250
+ *
+ *   i  p_z1[i]
+ *   0  0.6941647250930416         0 ..  256
+ *   1  0.2652752755116807       256 ..  512
+ *   2  0.0384337021454129       512 ..  768
+ *   3  0.0020842622589255       768 .. 1024
+ *   4  0.0000417294572050      1024 .. 1280
+ *   5  0.0000003047309681      1280 .. 1536
+ *   6  0.0000000008027661      1536 .. 1760
+ *
+ *   k  p_z2[k]  dx = 512
+ *  -3  0.0000001543959154   -1791.5 ..-1279.5
+ *  -2  0.0010701394583782   -1279.5 .. -767.5
+ *  -1  0.1523201563502276    -767.5 .. -255.5
+ *   0  0.6932190995909575    -255.5 ..  255.5
+ *   1  0.1523201563502276     255.5 ..  767.5
+ *   2  0.0010701394583782     767.5 .. 1279.5
+ *   3  0.0000001543959154    1279.5 .. 1791.5
+ *
+ *  (i, k)  p
+ *  (0,-3)  0.0000001071761982
+ *  (0,-2)  0.0007428530629363
+ *  (0,-1)  0.1057352794589848
+ *  (0, 0)  0.4812082456968029
+ *  (0, 1)  0.1057352794589848
+ *  (0, 2)  0.0007428530629363
+ *  (0, 3)  0.0000001071761982
+ *
+ *  (1,-3)  0.0000000409574190
+ *  (1,-2)  0.0002838815396572
+ *  (1,-1)  0.0404067714417889
+ *  (1, 0)  0.1838938876339505
+ *  (1, 1)  0.0404067714417889
+ *  (1, 2)  0.0002838815396572
+ *  (1, 3)  0.0000000409574190
+ *
+ *  (2,-3)  0.0000000059340066
+ *  (2,-2)  0.0000411294211974
+ *  (2,-1)  0.0058542275199074
+ *  (2, 0)  0.0266429763951902
+ *  (2, 1)  0.0058542275199074
+ *  (2, 2)  0.0000411294211974
+ *  (2, 3)  0.0000000059340066
+ *
+ *  (3,-3)  0.0000000003218016
+ *  (3,-2)  0.0000022304512849
+ *  (3,-1)  0.0003174751531544
+ *  (3, 0)  0.0014448504064437
+ *  (3, 1)  0.0003174751531544
+ *  (3, 2)  0.0000022304512849
+ *  (3, 3)  0.0000000003218016
+ *
+ *  (4,-3)  0.0000000000064429
+ *  (4,-2)  0.0000000446563387
+ *  (4,-1)  0.0000063562374459
+ *  (4, 0)  0.0000289276567501
+ *  (4, 1)  0.0000063562374459
+ *  (4, 2)  0.0000000446563387
+ *  (4, 3)  0.0000000000064429
+ *
+ *  (5,-3)  0.0000000000000470
+ *  (5,-2)  0.0000000003261046
+ *  (5,-1)  0.0000000464166687
+ *  (5, 0)  0.0000002112453273
+ *  (5, 1)  0.0000000464166687
+ *  (5, 2)  0.0000000003261046
+ *  (5, 3)  0.0000000000000470
+ *
+ *  (6,-3)  0.0000000000000001
+ *  (6,-2)  0.0000000000008591
+ *  (6,-1)  0.0000000001222775
+ *  (6, 0)  0.0000000005564928
+ *  (6, 1)  0.0000000001222775
+ *  (6, 2)  0.0000000000008591
+ *  (6, 3)  0.0000000000000001
+ *
+ *  p_sum   0.9999999999999999
+ *
+ * entropy = 2.2879 bits/tuple (1171 bits)
+ */
+
+#include "bliss_huffman_code.h"
+
+static bliss_huffman_code_node_t nodes[] = {
+	{   1,  96,  -1 },  /*   0: */
+	{   2,  93,  -1 },  /*   1: */
+	{   3,   4,  -1 },  /*   2: */
+	{  -1,  -1,  10 },  /*   3: (1, 0)  3 bits */
+	{   5,   8,  -1 },  /*   4: */
+	{   6,   7,  -1 },  /*   5: */
+	{  -1,  -1,  11 },  /*   6: (1, 1)  5 bits */
+	{  -1,  -1,   9 },  /*   7: (1,-1)  5 bits */
+	{   9,  10,  -1 },  /*   8: */
+	{  -1,  -1,  17 },  /*   9: (2, 0)  5 bits */
+	{  11,  92,  -1 },  /*  10: */
+	{  12,  13,  -1 },  /*  11: */
+	{  -1,  -1,  16 },  /*  12: (2,-1)  7 bits */
+	{  14,  89,  -1 },  /*  13: */
+	{  15,  16,  -1 },  /*  14: */
+	{  -1,  -1,  24 },  /*  15: (3, 0)  9 bits */
+	{  17,  86,  -1 },  /*  16: */
+	{  18,  85,  -1 },  /*  17: */
+	{  19,  20,  -1 },  /*  18: */
+	{  -1,  -1,   8 },  /*  19: (1,-2) 12 bits */
+	{  21,  84,  -1 },  /*  20: */
+	{  22,  53,  -1 },  /*  21: */
+	{  23,  38,  -1 },  /*  22: */
+	{  24,  31,  -1 },  /*  23: */
+	{  25,  28,  -1 },  /*  24: */
+	{  26,  27,  -1 },  /*  25: */
+	{  -1,  -1,  15 },  /*  26: (2,-2) 18 bits */
+	{  -1,  -1,  31 },  /*  27: (4, 0) 18 bits */
+	{  29,  30,  -1 },  /*  28: */
+	{  -1,  -1,  32 },  /*  29: (4, 1) 18 bits */
+	{  -1,  -1,  30 },  /*  30: (4,-1) 18 bits */
+	{  32,  35,  -1 },  /*  31: */
+	{  33,  34,  -1 },  /*  32: */
+	{  -1,  -1,  26 },  /*  33: (3, 2) 18 bits */
+	{  -1,  -1,  22 },  /*  34: (3,-2) 18 bits */
+	{  36,  37,  -1 },  /*  35: */
+	{  -1,  -1,  38 },  /*  36: (5, 0) 18 bits */
+	{  -1,  -1,   6 },  /*  37: (0, 3) 18 bits */
+	{  39,  46,  -1 },  /*  38: */
+	{  40,  43,  -1 },  /*  39: */
+	{  41,  42,  -1 },  /*  40: */
+	{  -1,  -1,   0 },  /*  41: (0,-3) 18 bits */
+	{  -1,  -1,  39 },  /*  42: (5, 1) 18 bits */
+	{  44,  45,  -1 },  /*  43: */
+	{  -1,  -1,  37 },  /*  44: (5,-1) 18 bits */
+	{  -1,  -1,  33 },  /*  45: (4, 2) 18 bits */
+	{  47,  50,  -1 },  /*  46: */
+	{  48,  49,  -1 },  /*  47: */
+	{  -1,  -1,  29 },  /*  48: (4,-2) 18 bits */
+	{  -1,  -1,  13 },  /*  49: (1, 3) 18 bits */
+	{  51,  52,  -1 },  /*  50: */
+	{  -1,  -1,   7 },  /*  51: (1,-3) 18 bits */
+	{  -1,  -1,  20 },  /*  52: (2, 3) 18 bits */
+	{  54,  69,  -1 },  /*  53: */
+	{  55,  62,  -1 },  /*  54: */
+	{  56,  59,  -1 },  /*  55: */
+	{  57,  58,  -1 },  /*  56: */
+	{  -1,  -1,  14 },  /*  57: (2,-3) 18 bits */
+	{  -1,  -1,  45 },  /*  58: (6, 0) 18 bits */
+	{  60,  61,  -1 },  /*  59: */
+	{  -1,  -1,  40 },  /*  60: (5, 2) 18 bits */
+	{  -1,  -1,  36 },  /*  61: (5,-2) 18 bits */
+	{  63,  66,  -1 },  /*  62: */
+	{  64,  65,  -1 },  /*  63: */
+	{  -1,  -1,  27 },  /*  64: (3, 3) 18 bits */
+	{  -1,  -1,  21 },  /*  65: (3,-3) 18 bits */
+	{  67,  68,  -1 },  /*  66: */
+	{  -1,  -1,  46 },  /*  67: (6, 1) 18 bits */
+	{  -1,  -1,  44 },  /*  68: (6,-1) 18 bits */
+	{  70,  77,  -1 },  /*  69: */
+	{  71,  74,  -1 },  /*  70: */
+	{  72,  73,  -1 },  /*  71: */
+	{  -1,  -1,  34 },  /*  72: (4, 3) 18 bits */
+	{  -1,  -1,  28 },  /*  73: (4,-3) 18 bits */
+	{  75,  76,  -1 },  /*  74: */
+	{  -1,  -1,  47 },  /*  75: (6, 2) 18 bits */
+	{  -1,  -1,  43 },  /*  76: (6,-2) 18 bits */
+	{  78,  81,  -1 },  /*  77: */
+	{  79,  80,  -1 },  /*  78: */
+	{  -1,  -1,  41 },  /*  79: (5, 3) 18 bits */
+	{  -1,  -1,  35 },  /*  80: (5,-3) 18 bits */
+	{  82,  83,  -1 },  /*  81: */
+	{  -1,  -1,  48 },  /*  82: (6, 3) 18 bits */
+	{  -1,  -1,  42 },  /*  83: (6,-3) 18 bits */
+	{  -1,  -1,  19 },  /*  84: (2, 2) 13 bits */
+	{  -1,  -1,  25 },  /*  85: (3, 1) 11 bits */
+	{  87,  88,  -1 },  /*  86: */
+	{  -1,  -1,  23 },  /*  87: (3,-1) 11 bits */
+	{  -1,  -1,  12 },  /*  88: (1, 2) 11 bits */
+	{  90,  91,  -1 },  /*  89: */
+	{  -1,  -1,   5 },  /*  90: (0, 2)  9 bits */
+	{  -1,  -1,   1 },  /*  91: (0,-2)  9 bits */
+	{  -1,  -1,  18 },  /*  92: (2, 1)  6 bits */
+	{  94,  95,  -1 },  /*  93: */
+	{  -1,  -1,   4 },  /*  94: (0, 1)  3 bits */
+	{  -1,  -1,   2 },  /*  95: (0,-1)  3 bits */
+	{  -1,  -1,   3 },  /*  96: (0, 0)  1 bit  */
+};
+
+static bliss_huffman_code_tuple_t tuples[] = {
+	{ 59976, 18 },  /*   0: (0,-3) 001110101001001000 */
+	{   119,  9 },  /*   1: (0,-2) 001110111 */
+	{     3,  3 },  /*   2: (0,-1) 011 */
+	{     1,  1 },  /*   3: (0, 0) 1 */
+	{     2,  3 },  /*   4: (0, 1) 010 */
+	{   118,  9 },  /*   5: (0, 2) 001110110 */
+	{ 59975, 18 },  /*   6: (0, 3) 001110101001000111 */
+
+	{ 59982, 18 },  /*   7: (1,-3) 001110101001001110 */
+	{   936, 12 },  /*   8: (1,-2) 001110101000 */
+	{     5,  5 },  /*   9: (1,-1) 00101 */
+	{     0,  3 },  /*  10: (1, 0) 000 */
+	{     4,  5 },  /*  11: (1, 1) 00100 */
+	{   471, 11 },  /*  12: (1, 2) 00111010111 */
+	{ 59981, 18 },  /*  13: (1, 3) 001110101001001101 */
+
+	{ 59984, 18 },  /*  14: (2,-3) 001110101001010000 */
+	{ 59968, 18 },  /*  15: (2,-2) 001110101001000000 */
+	{    28,  7 },  /*  16: (2,-1) 0011100 */
+	{     6,  5 },  /*  17: (2, 0) 00110 */
+	{    15,  6 },  /*  18: (2, 1) 001111 */
+	{  1875, 13 },  /*  19: (2, 2) 0011101010011 */
+	{ 59983, 18 },  /*  20: (2, 3) 001110101001001111 */
+
+	{ 59989, 18 },  /*  21: (3,-3) 001110101001010101 */
+	{ 59973, 18 },  /*  22: (3,-2) 001110101001000101 */
+	{   470, 11 },  /*  23: (3,-1) 00111010110 */
+	{   116,  9 },  /*  24: (3, 0) 001110100 */
+	{   469, 11 },  /*  25: (3, 1) 00111010101 */
+	{ 59972, 18 },  /*  26: (3, 2) 001110101001000100 */
+	{ 59988, 18 },  /*  27: (3, 3) 001110101001010100 */
+
+	{ 59993, 18 },  /*  28: (4,-3) 001110101001011001 */
+	{ 59980, 18 },  /*  29: (4,-2) 001110101001001100 */
+	{ 59971, 18 },  /*  30: (4,-1) 001110101001000011 */
+	{ 59969, 18 },  /*  31: (4, 0) 001110101001000001 */
+	{ 59970, 18 },  /*  32: (4, 1) 001110101001000010 */
+	{ 59979, 18 },  /*  33: (4, 2) 001110101001001011 */
+	{ 59992, 18 },  /*  34: (4, 3) 001110101001011000 */
+
+	{ 59997, 18 },  /*  35: (5,-3) 001110101001011101 */
+	{ 59987, 18 },  /*  36: (5,-2) 001110101001010011 */
+	{ 59978, 18 },  /*  37: (5,-1) 001110101001001010 */
+	{ 59974, 18 },  /*  38: (5, 0) 001110101001000110 */
+	{ 59977, 18 },  /*  39: (5, 1) 001110101001001001 */
+	{ 59986, 18 },  /*  40: (5, 2) 001110101001010010 */
+	{ 59996, 18 },  /*  41: (5, 3) 001110101001011100 */
+
+	{ 59999, 18 },  /*  42: (6,-3) 001110101001011111 */
+	{ 59995, 18 },  /*  43: (6,-2) 001110101001011011 */
+	{ 59991, 18 },  /*  44: (6,-1) 001110101001010111 */
+	{ 59985, 18 },  /*  45: (6, 0) 001110101001010001 */
+	{ 59990, 18 },  /*  46: (6, 1) 001110101001010110 */
+	{ 59994, 18 },  /*  47: (6, 2) 001110101001011010 */
+	{ 59998, 18 },  /*  48: (6, 3) 001110101001011110 */
+};
+
+/* code_length = 2.3227 bits/tuple (1190 bits) */
+
+bliss_huffman_code_t bliss_huffman_code_3 = {
+	.n_z1 = 7,
+	.n_z2 = 4,
+	.tuples = tuples,
+	.nodes  = nodes
+};
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code_4.c b/src/libstrongswan/plugins/bliss/bliss_huffman_code_4.c
new file mode 100644
index 000000000..c4f709c93
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code_4.c
@@ -0,0 +1,435 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Optimum Huffman code for BLISS-X signatures
+ *
+ * This file has been automatically generated by the bliss_huffman utility
+ * Do not edit manually!
+ */
+
+/*
+ * Design: sigma = 271
+ *
+ *   i  p_z1[i]
+ *   0  0.6551621276225426         0 ..  256
+ *   1  0.2859860850630749       256 ..  512
+ *   2  0.0542541135599810       512 ..  768
+ *   3  0.0044399624814222       768 .. 1024
+ *   4  0.0001553928373912      1024 .. 1280
+ *   5  0.0000023066278552      1280 .. 1536
+ *   6  0.0000000118077330      1536 .. 1613
+ *
+ *   k  p_z2[k]  dx = 256
+ *  -6  0.0000001026458579   -1663.5 ..-1407.5
+ *  -5  0.0000106295703648   -1407.5 ..-1151.5
+ *  -4  0.0004651193817805   -1151.5 .. -895.5
+ *  -3  0.0086670703658387    -895.5 .. -639.5
+ *  -2  0.0693723939195647    -639.5 .. -383.5
+ *  -1  0.2404908493690626    -383.5 .. -127.5
+ *   0  0.3619876694950614    -127.5 ..  127.5
+ *   1  0.2404908493690626     127.5 ..  383.5
+ *   2  0.0693723939195647     383.5 ..  639.5
+ *   3  0.0086670703658387     639.5 ..  895.5
+ *   4  0.0004651193817805     895.5 .. 1151.5
+ *   5  0.0000106295703648    1151.5 .. 1407.5
+ *   6  0.0000001026458579    1407.5 .. 1663.5
+ *
+ *  (i, k)  p
+ *  (0,-6)  0.0000000672496787
+ *  (0,-5)  0.0000069640919359
+ *  (0,-4)  0.0003047286037658
+ *  (0,-3)  0.0056783362611372
+ *  (0,-2)  0.0454501651986111
+ *  (0,-1)  0.1575604965463875
+ *  (0, 0)  0.2371606117195102
+ *  (0, 1)  0.1575604965463875
+ *  (0, 2)  0.0454501651986111
+ *  (0, 3)  0.0056783362611372
+ *  (0, 4)  0.0003047286037658
+ *  (0, 5)  0.0000069640919359
+ *  (0, 6)  0.0000000672496787
+ *
+ *  (1,-6)  0.0000000293552870
+ *  (1,-5)  0.0000030399092145
+ *  (1,-4)  0.0001330176710824
+ *  (1,-3)  0.0024786615228924
+ *  (1,-2)  0.0198395393485098
+ *  (1,-1)  0.0687770365045519
+ *  (1, 0)  0.1035234364399989
+ *  (1, 1)  0.0687770365045519
+ *  (1, 2)  0.0198395393485098
+ *  (1, 3)  0.0024786615228924
+ *  (1, 4)  0.0001330176710824
+ *  (1, 5)  0.0000030399092145
+ *  (1, 6)  0.0000000293552870
+ *
+ *  (2,-6)  0.0000000055689600
+ *  (2,-5)  0.0000005766979177
+ *  (2,-4)  0.0000252346397581
+ *  (2,-3)  0.0004702242198606
+ *  (2,-2)  0.0037637377376398
+ *  (2,-1)  0.0130476178518054
+ *  (2, 0)  0.0196393201280979
+ *  (2, 1)  0.0130476178518054
+ *  (2, 2)  0.0037637377376398
+ *  (2, 3)  0.0004702242198606
+ *  (2, 4)  0.0000252346397581
+ *  (2, 5)  0.0000005766979177
+ *  (2, 6)  0.0000000055689600
+ *
+ *  (3,-6)  0.0000000004557438
+ *  (3,-5)  0.0000000471948936
+ *  (3,-4)  0.0000020651126045
+ *  (3,-3)  0.0000384814672482
+ *  (3,-2)  0.0003080108262493
+ *  (3,-1)  0.0010677703483240
+ *  (3, 0)  0.0016072116712955
+ *  (3, 1)  0.0010677703483240
+ *  (3, 2)  0.0003080108262493
+ *  (3, 3)  0.0000384814672482
+ *  (3, 4)  0.0000020651126045
+ *  (3, 5)  0.0000000471948936
+ *  (3, 6)  0.0000000004557438
+ *
+ *  (4,-6)  0.0000000000159504
+ *  (4,-5)  0.0000000016517591
+ *  (4,-4)  0.0000000722762205
+ *  (4,-3)  0.0000013468006560
+ *  (4,-2)  0.0000107799731278
+ *  (4,-1)  0.0000373705554501
+ *  (4, 0)  0.0000562502910635
+ *  (4, 1)  0.0000373705554501
+ *  (4, 2)  0.0000107799731278
+ *  (4, 3)  0.0000013468006560
+ *  (4, 4)  0.0000000722762205
+ *  (4, 5)  0.0000000016517591
+ *  (4, 6)  0.0000000000159504
+ *
+ *  (5,-6)  0.0000000000002368
+ *  (5,-5)  0.0000000000245185
+ *  (5,-4)  0.0000000010728573
+ *  (5,-3)  0.0000000199917059
+ *  (5,-2)  0.0000001600162962
+ *  (5,-1)  0.0000005547228921
+ *  (5, 0)  0.0000008349708417
+ *  (5, 1)  0.0000005547228921
+ *  (5, 2)  0.0000001600162962
+ *  (5, 3)  0.0000000199917059
+ *  (5, 4)  0.0000000010728573
+ *  (5, 5)  0.0000000000245185
+ *  (5, 6)  0.0000000000002368
+ *
+ *  (6,-6)  0.0000000000000012
+ *  (6,-5)  0.0000000000001255
+ *  (6,-4)  0.0000000000054920
+ *  (6,-3)  0.0000000001023385
+ *  (6,-2)  0.0000000008191307
+ *  (6,-1)  0.0000000028396517
+ *  (6, 0)  0.0000000042742538
+ *  (6, 1)  0.0000000028396517
+ *  (6, 2)  0.0000000008191307
+ *  (6, 3)  0.0000000001023385
+ *  (6, 4)  0.0000000000054920
+ *  (6, 5)  0.0000000000001255
+ *  (6, 6)  0.0000000000000012
+ *
+ *  p_sum   1.0000000000000011
+ *
+ * entropy = 3.3640 bits/tuple (1722 bits)
+ */
+
+#include "bliss_huffman_code.h"
+
+static bliss_huffman_code_node_t nodes[] = {
+	{   1, 160,  -1 },  /*   0: */
+	{   2,   5,  -1 },  /*   1: */
+	{   3,   4,  -1 },  /*   2: */
+	{  -1,  -1,   7 },  /*   3: (0, 1)  3 bits */
+	{  -1,  -1,   5 },  /*   4: (0,-1)  3 bits */
+	{   6, 157,  -1 },  /*   5: */
+	{   7, 156,  -1 },  /*   6: */
+	{   8,  11,  -1 },  /*   7: */
+	{   9,  10,  -1 },  /*   8: */
+	{  -1,  -1,  17 },  /*   9: (1,-2)  6 bits */
+	{  -1,  -1,  32 },  /*  10: (2, 0)  6 bits */
+	{  12, 155,  -1 },  /*  11: */
+	{  13,  18,  -1 },  /*  12: */
+	{  14,  15,  -1 },  /*  13: */
+	{  -1,  -1,   3 },  /*  14: (0,-3)  8 bits */
+	{  16,  17,  -1 },  /*  15: */
+	{  -1,  -1,  22 },  /*  16: (1, 3)  9 bits */
+	{  -1,  -1,  16 },  /*  17: (1,-3)  9 bits */
+	{  19, 154,  -1 },  /*  18: */
+	{  20,  23,  -1 },  /*  19: */
+	{  21,  22,  -1 },  /*  20: */
+	{  -1,  -1,  46 },  /*  21: (3, 1) 10 bits */
+	{  -1,  -1,  44 },  /*  22: (3,-1) 10 bits */
+	{  24, 151,  -1 },  /*  23: */
+	{  25,  88,  -1 },  /*  24: */
+	{  26,  57,  -1 },  /*  25: */
+	{  27,  42,  -1 },  /*  26: */
+	{  28,  35,  -1 },  /*  27: */
+	{  29,  32,  -1 },  /*  28: */
+	{  30,  31,  -1 },  /*  29: */
+	{  -1,  -1,   2 },  /*  30: (0,-4) 16 bits */
+	{  -1,  -1,  23 },  /*  31: (1, 4) 16 bits */
+	{  33,  34,  -1 },  /*  32: */
+	{  -1,  -1,  15 },  /*  33: (1,-4) 16 bits */
+	{  -1,  -1,  58 },  /*  34: (4, 0) 16 bits */
+	{  36,  39,  -1 },  /*  35: */
+	{  37,  38,  -1 },  /*  36: */
+	{  -1,  -1,  48 },  /*  37: (3, 3) 16 bits */
+	{  -1,  -1,  42 },  /*  38: (3,-3) 16 bits */
+	{  40,  41,  -1 },  /*  39: */
+	{  -1,  -1,  59 },  /*  40: (4, 1) 16 bits */
+	{  -1,  -1,  57 },  /*  41: (4,-1) 16 bits */
+	{  43,  50,  -1 },  /*  42: */
+	{  44,  47,  -1 },  /*  43: */
+	{  45,  46,  -1 },  /*  44: */
+	{  -1,  -1,  36 },  /*  45: (2, 4) 16 bits */
+	{  -1,  -1,  28 },  /*  46: (2,-4) 16 bits */
+	{  48,  49,  -1 },  /*  47: */
+	{  -1,  -1,  60 },  /*  48: (4, 2) 16 bits */
+	{  -1,  -1,  56 },  /*  49: (4,-2) 16 bits */
+	{  51,  54,  -1 },  /*  50: */
+	{  52,  53,  -1 },  /*  51: */
+	{  -1,  -1,  11 },  /*  52: (0, 5) 16 bits */
+	{  -1,  -1,   1 },  /*  53: (0,-5) 16 bits */
+	{  55,  56,  -1 },  /*  54: */
+	{  -1,  -1,  24 },  /*  55: (1, 5) 16 bits */
+	{  -1,  -1,  14 },  /*  56: (1,-5) 16 bits */
+	{  58,  73,  -1 },  /*  57: */
+	{  59,  66,  -1 },  /*  58: */
+	{  60,  63,  -1 },  /*  59: */
+	{  61,  62,  -1 },  /*  60: */
+	{  -1,  -1,  49 },  /*  61: (3, 4) 16 bits */
+	{  -1,  -1,  41 },  /*  62: (3,-4) 16 bits */
+	{  64,  65,  -1 },  /*  63: */
+	{  -1,  -1,  61 },  /*  64: (4, 3) 16 bits */
+	{  -1,  -1,  55 },  /*  65: (4,-3) 16 bits */
+	{  67,  70,  -1 },  /*  66: */
+	{  68,  69,  -1 },  /*  67: */
+	{  -1,  -1,  71 },  /*  68: (5, 0) 16 bits */
+	{  -1,  -1,  37 },  /*  69: (2, 5) 16 bits */
+	{  71,  72,  -1 },  /*  70: */
+	{  -1,  -1,  27 },  /*  71: (2,-5) 16 bits */
+	{  -1,  -1,  72 },  /*  72: (5, 1) 16 bits */
+	{  74,  81,  -1 },  /*  73: */
+	{  75,  78,  -1 },  /*  74: */
+	{  76,  77,  -1 },  /*  75: */
+	{  -1,  -1,  70 },  /*  76: (5,-1) 16 bits */
+	{  -1,  -1,  73 },  /*  77: (5, 2) 16 bits */
+	{  79,  80,  -1 },  /*  78: */
+	{  -1,  -1,  69 },  /*  79: (5,-2) 16 bits */
+	{  -1,  -1,  62 },  /*  80: (4, 4) 16 bits */
+	{  82,  85,  -1 },  /*  81: */
+	{  83,  84,  -1 },  /*  82: */
+	{  -1,  -1,  54 },  /*  83: (4,-4) 16 bits */
+	{  -1,  -1,  12 },  /*  84: (0, 6) 16 bits */
+	{  86,  87,  -1 },  /*  85: */
+	{  -1,  -1,   0 },  /*  86: (0,-6) 16 bits */
+	{  -1,  -1,  50 },  /*  87: (3, 5) 16 bits */
+	{  89, 120,  -1 },  /*  88: */
+	{  90, 105,  -1 },  /*  89: */
+	{  91,  98,  -1 },  /*  90: */
+	{  92,  95,  -1 },  /*  91: */
+	{  93,  94,  -1 },  /*  92: */
+	{  -1,  -1,  40 },  /*  93: (3,-5) 16 bits */
+	{  -1,  -1,  25 },  /*  94: (1, 6) 16 bits */
+	{  96,  97,  -1 },  /*  95: */
+	{  -1,  -1,  13 },  /*  96: (1,-6) 16 bits */
+	{  -1,  -1,  74 },  /*  97: (5, 3) 16 bits */
+	{  99, 102,  -1 },  /*  98: */
+	{ 100, 101,  -1 },  /*  99: */
+	{  -1,  -1,  68 },  /* 100: (5,-3) 16 bits */
+	{  -1,  -1,  38 },  /* 101: (2, 6) 16 bits */
+	{ 103, 104,  -1 },  /* 102: */
+	{  -1,  -1,  26 },  /* 103: (2,-6) 16 bits */
+	{  -1,  -1,  84 },  /* 104: (6, 0) 16 bits */
+	{ 106, 113,  -1 },  /* 105: */
+	{ 107, 110,  -1 },  /* 106: */
+	{ 108, 109,  -1 },  /* 107: */
+	{  -1,  -1,  85 },  /* 108: (6, 1) 16 bits */
+	{  -1,  -1,  83 },  /* 109: (6,-1) 16 bits */
+	{ 111, 112,  -1 },  /* 110: */
+	{  -1,  -1,  63 },  /* 111: (4, 5) 16 bits */
+	{  -1,  -1,  53 },  /* 112: (4,-5) 16 bits */
+	{ 114, 117,  -1 },  /* 113: */
+	{ 115, 116,  -1 },  /* 114: */
+	{  -1,  -1,  75 },  /* 115: (5, 4) 16 bits */
+	{  -1,  -1,  67 },  /* 116: (5,-4) 16 bits */
+	{ 118, 119,  -1 },  /* 117: */
+	{  -1,  -1,  86 },  /* 118: (6, 2) 16 bits */
+	{  -1,  -1,  82 },  /* 119: (6,-2) 16 bits */
+	{ 121, 136,  -1 },  /* 120: */
+	{ 122, 129,  -1 },  /* 121: */
+	{ 123, 126,  -1 },  /* 122: */
+	{ 124, 125,  -1 },  /* 123: */
+	{  -1,  -1,  51 },  /* 124: (3, 6) 16 bits */
+	{  -1,  -1,  39 },  /* 125: (3,-6) 16 bits */
+	{ 127, 128,  -1 },  /* 126: */
+	{  -1,  -1,  87 },  /* 127: (6, 3) 16 bits */
+	{  -1,  -1,  81 },  /* 128: (6,-3) 16 bits */
+	{ 130, 133,  -1 },  /* 129: */
+	{ 131, 132,  -1 },  /* 130: */
+	{  -1,  -1,  76 },  /* 131: (5, 5) 16 bits */
+	{  -1,  -1,  66 },  /* 132: (5,-5) 16 bits */
+	{ 134, 135,  -1 },  /* 133: */
+	{  -1,  -1,  64 },  /* 134: (4, 6) 16 bits */
+	{  -1,  -1,  52 },  /* 135: (4,-6) 16 bits */
+	{ 137, 144,  -1 },  /* 136: */
+	{ 138, 141,  -1 },  /* 137: */
+	{ 139, 140,  -1 },  /* 138: */
+	{  -1,  -1,  88 },  /* 139: (6, 4) 16 bits */
+	{  -1,  -1,  80 },  /* 140: (6,-4) 16 bits */
+	{ 142, 143,  -1 },  /* 141: */
+	{  -1,  -1,  77 },  /* 142: (5, 6) 16 bits */
+	{  -1,  -1,  65 },  /* 143: (5,-6) 16 bits */
+	{ 145, 148,  -1 },  /* 144: */
+	{ 146, 147,  -1 },  /* 145: */
+	{  -1,  -1,  89 },  /* 146: (6, 5) 16 bits */
+	{  -1,  -1,  79 },  /* 147: (6,-5) 16 bits */
+	{ 149, 150,  -1 },  /* 148: */
+	{  -1,  -1,  90 },  /* 149: (6, 6) 16 bits */
+	{  -1,  -1,  78 },  /* 150: (6,-6) 16 bits */
+	{ 152, 153,  -1 },  /* 151: */
+	{  -1,  -1,  29 },  /* 152: (2,-3) 11 bits */
+	{  -1,  -1,  47 },  /* 153: (3, 2) 11 bits */
+	{  -1,  -1,  34 },  /* 154: (2, 2)  8 bits */
+	{  -1,  -1,  33 },  /* 155: (2, 1)  6 bits */
+	{  -1,  -1,  20 },  /* 156: (1, 1)  4 bits */
+	{ 158, 159,  -1 },  /* 157: */
+	{  -1,  -1,  18 },  /* 158: (1,-1)  4 bits */
+	{  -1,  -1,   8 },  /* 159: (0, 2)  4 bits */
+	{ 161, 162,  -1 },  /* 160: */
+	{  -1,  -1,   6 },  /* 161: (0, 0)  2 bits */
+	{ 163, 164,  -1 },  /* 162: */
+	{  -1,  -1,  19 },  /* 163: (1, 0)  3 bits */
+	{ 165, 166,  -1 },  /* 164: */
+	{  -1,  -1,   4 },  /* 165: (0,-2)  4 bits */
+	{ 167, 180,  -1 },  /* 166: */
+	{ 168, 169,  -1 },  /* 167: */
+	{  -1,  -1,  31 },  /* 168: (2,-1)  6 bits */
+	{ 170, 179,  -1 },  /* 169: */
+	{ 171, 172,  -1 },  /* 170: */
+	{  -1,  -1,  30 },  /* 171: (2,-2)  8 bits */
+	{ 173, 174,  -1 },  /* 172: */
+	{  -1,  -1,  45 },  /* 173: (3, 0)  9 bits */
+	{ 175, 178,  -1 },  /* 174: */
+	{ 176, 177,  -1 },  /* 175: */
+	{  -1,  -1,  43 },  /* 176: (3,-2) 11 bits */
+	{  -1,  -1,  10 },  /* 177: (0, 4) 11 bits */
+	{  -1,  -1,  35 },  /* 178: (2, 3) 10 bits */
+	{  -1,  -1,   9 },  /* 179: (0, 3)  7 bits */
+	{  -1,  -1,  21 },  /* 180: (1, 2)  5 bits */
+};
+
+static bliss_huffman_code_tuple_t tuples[] = {
+	{ 19102, 16 },  /*   0: (0,-6) 0100101010011110 */
+	{ 19085, 16 },  /*   1: (0,-5) 0100101010001101 */
+	{ 19072, 16 },  /*   2: (0,-4) 0100101010000000 */
+	{    72,  8 },  /*   3: (0,-3) 01001000 */
+	{    14,  4 },  /*   4: (0,-2) 1110 */
+	{     1,  3 },  /*   5: (0,-1) 001 */
+	{     2,  2 },  /*   6: (0, 0) 10 */
+	{     0,  3 },  /*   7: (0, 1) 000 */
+	{     7,  4 },  /*   8: (0, 2) 0111 */
+	{   123,  7 },  /*   9: (0, 3) 1111011 */
+	{  1965, 11 },  /*  10: (0, 4) 11110101101 */
+	{ 19084, 16 },  /*  11: (0, 5) 0100101010001100 */
+	{ 19101, 16 },  /*  12: (0, 6) 0100101010011101 */
+
+	{ 19106, 16 },  /*  13: (1,-6) 0100101010100010 */
+	{ 19087, 16 },  /*  14: (1,-5) 0100101010001111 */
+	{ 19074, 16 },  /*  15: (1,-4) 0100101010000010 */
+	{   147,  9 },  /*  16: (1,-3) 010010011 */
+	{    16,  6 },  /*  17: (1,-2) 010000 */
+	{     6,  4 },  /*  18: (1,-1) 0110 */
+	{     6,  3 },  /*  19: (1, 0) 110 */
+	{     5,  4 },  /*  20: (1, 1) 0101 */
+	{    31,  5 },  /*  21: (1, 2) 11111 */
+	{   146,  9 },  /*  22: (1, 3) 010010010 */
+	{ 19073, 16 },  /*  23: (1, 4) 0100101010000001 */
+	{ 19086, 16 },  /*  24: (1, 5) 0100101010001110 */
+	{ 19105, 16 },  /*  25: (1, 6) 0100101010100001 */
+
+	{ 19110, 16 },  /*  26: (2,-6) 0100101010100110 */
+	{ 19094, 16 },  /*  27: (2,-5) 0100101010010110 */
+	{ 19081, 16 },  /*  28: (2,-4) 0100101010001001 */
+	{   598, 11 },  /*  29: (2,-3) 01001010110 */
+	{   244,  8 },  /*  30: (2,-2) 11110100 */
+	{    60,  6 },  /*  31: (2,-1) 111100 */
+	{    17,  6 },  /*  32: (2, 0) 010001 */
+	{    19,  6 },  /*  33: (2, 1) 010011 */
+	{    75,  8 },  /*  34: (2, 2) 01001011 */
+	{   983, 10 },  /*  35: (2, 3) 1111010111 */
+	{ 19080, 16 },  /*  36: (2, 4) 0100101010001000 */
+	{ 19093, 16 },  /*  37: (2, 5) 0100101010010101 */
+	{ 19109, 16 },  /*  38: (2, 6) 0100101010100101 */
+
+	{ 19121, 16 },  /*  39: (3,-6) 0100101010110001 */
+	{ 19104, 16 },  /*  40: (3,-5) 0100101010100000 */
+	{ 19089, 16 },  /*  41: (3,-4) 0100101010010001 */
+	{ 19077, 16 },  /*  42: (3,-3) 0100101010000101 */
+	{  1964, 11 },  /*  43: (3,-2) 11110101100 */
+	{   297, 10 },  /*  44: (3,-1) 0100101001 */
+	{   490,  9 },  /*  45: (3, 0) 111101010 */
+	{   296, 10 },  /*  46: (3, 1) 0100101000 */
+	{   599, 11 },  /*  47: (3, 2) 01001010111 */
+	{ 19076, 16 },  /*  48: (3, 3) 0100101010000100 */
+	{ 19088, 16 },  /*  49: (3, 4) 0100101010010000 */
+	{ 19103, 16 },  /*  50: (3, 5) 0100101010011111 */
+	{ 19120, 16 },  /*  51: (3, 6) 0100101010110000 */
+
+	{ 19127, 16 },  /*  52: (4,-6) 0100101010110111 */
+	{ 19115, 16 },  /*  53: (4,-5) 0100101010101011 */
+	{ 19100, 16 },  /*  54: (4,-4) 0100101010011100 */
+	{ 19091, 16 },  /*  55: (4,-3) 0100101010010011 */
+	{ 19083, 16 },  /*  56: (4,-2) 0100101010001011 */
+	{ 19079, 16 },  /*  57: (4,-1) 0100101010000111 */
+	{ 19075, 16 },  /*  58: (4, 0) 0100101010000011 */
+	{ 19078, 16 },  /*  59: (4, 1) 0100101010000110 */
+	{ 19082, 16 },  /*  60: (4, 2) 0100101010001010 */
+	{ 19090, 16 },  /*  61: (4, 3) 0100101010010010 */
+	{ 19099, 16 },  /*  62: (4, 4) 0100101010011011 */
+	{ 19114, 16 },  /*  63: (4, 5) 0100101010101010 */
+	{ 19126, 16 },  /*  64: (4, 6) 0100101010110110 */
+
+	{ 19131, 16 },  /*  65: (5,-6) 0100101010111011 */
+	{ 19125, 16 },  /*  66: (5,-5) 0100101010110101 */
+	{ 19117, 16 },  /*  67: (5,-4) 0100101010101101 */
+	{ 19108, 16 },  /*  68: (5,-3) 0100101010100100 */
+	{ 19098, 16 },  /*  69: (5,-2) 0100101010011010 */
+	{ 19096, 16 },  /*  70: (5,-1) 0100101010011000 */
+	{ 19092, 16 },  /*  71: (5, 0) 0100101010010100 */
+	{ 19095, 16 },  /*  72: (5, 1) 0100101010010111 */
+	{ 19097, 16 },  /*  73: (5, 2) 0100101010011001 */
+	{ 19107, 16 },  /*  74: (5, 3) 0100101010100011 */
+	{ 19116, 16 },  /*  75: (5, 4) 0100101010101100 */
+	{ 19124, 16 },  /*  76: (5, 5) 0100101010110100 */
+	{ 19130, 16 },  /*  77: (5, 6) 0100101010111010 */
+
+	{ 19135, 16 },  /*  78: (6,-6) 0100101010111111 */
+	{ 19133, 16 },  /*  79: (6,-5) 0100101010111101 */
+	{ 19129, 16 },  /*  80: (6,-4) 0100101010111001 */
+	{ 19123, 16 },  /*  81: (6,-3) 0100101010110011 */
+	{ 19119, 16 },  /*  82: (6,-2) 0100101010101111 */
+	{ 19113, 16 },  /*  83: (6,-1) 0100101010101001 */
+	{ 19111, 16 },  /*  84: (6, 0) 0100101010100111 */
+	{ 19112, 16 },  /*  85: (6, 1) 0100101010101000 */
+	{ 19118, 16 },  /*  86: (6, 2) 0100101010101110 */
+	{ 19122, 16 },  /*  87: (6, 3) 0100101010110010 */
+	{ 19128, 16 },  /*  88: (6, 4) 0100101010111000 */
+	{ 19132, 16 },  /*  89: (6, 5) 0100101010111100 */
+	{ 19134, 16 },  /*  90: (6, 6) 0100101010111110 */
+};
+
+/* code_length = 3.3967 bits/tuple (1740 bits) */
+
+bliss_huffman_code_t bliss_huffman_code_4 = {
+	.n_z1 = 7,
+	.n_z2 = 7,
+	.tuples = tuples,
+	.nodes  = nodes
+};
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_coder.c b/src/libstrongswan/plugins/bliss/bliss_huffman_coder.c
new file mode 100644
index 000000000..018ae0efa
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_coder.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY;https://www.hsr.ch/HSR-intern-Anmeldung.4409.0.html?&no_cache=1 without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_huffman_coder.h"
+
+typedef struct private_bliss_huffman_coder_t private_bliss_huffman_coder_t;
+
+/**
+ * Private data structure for bliss_huffman_coder_t object
+ */
+struct private_bliss_huffman_coder_t {
+	/**
+	 * Public interface.
+	 */
+	bliss_huffman_coder_t public;
+
+	/**
+	 * Bitpacker to write to or read from
+	 */
+	bliss_bitpacker_t *packer;
+
+	/**
+	 * Huffman code table to be used
+	 */
+	bliss_huffman_code_t *code;
+
+	/**
+     * Maximum index into tuples table
+	 */
+	int index_max;
+
+	/**
+     * Number of encoded or decoded bits
+	 */
+	size_t bits;
+
+};
+
+METHOD(bliss_huffman_coder_t, get_bits, size_t,
+	private_bliss_huffman_coder_t *this)
+{
+	return this->bits;
+}
+
+METHOD(bliss_huffman_coder_t, encode, bool,
+	private_bliss_huffman_coder_t *this, int32_t z1, int16_t z2)
+{
+	uint32_t code;
+	uint16_t bits;
+	int index;
+
+	index = z1 * (2*this->code->n_z2 - 1) + z2 + this->code->n_z2 - 1;
+	if (index >= this->index_max)
+	{
+		DBG1(DBG_LIB, "index exceeded in Huffman encoding table");
+		return FALSE;
+	}
+	code = this->code->tuples[index].code;
+	bits = this->code->tuples[index].bits;
+	if (!this->packer->write_bits(this->packer, code, bits))
+	{
+		DBG1(DBG_LIB, "bitpacker exceeded its buffer");
+		return FALSE;
+	}
+	this->bits += bits;
+
+	return TRUE;
+}
+
+METHOD(bliss_huffman_coder_t, decode, bool,
+	private_bliss_huffman_coder_t *this, int32_t *z1, int16_t *z2)
+{
+	bliss_huffman_code_node_t *node;
+	uint32_t bit;
+
+	node = this->code->nodes;
+	while (node->tuple == BLISS_HUFFMAN_CODE_NO_TUPLE)
+	{
+		if (node->node_0 == BLISS_HUFFMAN_CODE_NO_NODE ||
+			node->node_1 == BLISS_HUFFMAN_CODE_NO_NODE)
+		{
+			DBG1(DBG_LIB, "error in Huffman decoding table");
+			return FALSE;
+		}
+		if (!this->packer->read_bits(this->packer, &bit, 1))
+		{
+			DBG1(DBG_LIB, "bitpacker depleted its buffer");
+			return FALSE;
+		}
+		node = &this->code->nodes[bit ? node->node_1 : node->node_0];
+		this->bits++;
+	}
+	*z1 = node->tuple / (2*this->code->n_z2 - 1);
+	*z2 = node->tuple - (2*this->code->n_z2 - 1) * (*z1) - this->code->n_z2 + 1;
+
+	return TRUE;
+}
+
+METHOD(bliss_huffman_coder_t, destroy, void,
+	private_bliss_huffman_coder_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header.
+ */
+bliss_huffman_coder_t *bliss_huffman_coder_create(bliss_huffman_code_t *code,
+												  bliss_bitpacker_t *packer)
+{
+	private_bliss_huffman_coder_t *this;
+
+	INIT(this,
+		.public = {
+			.get_bits = _get_bits,
+			.encode = _encode,
+			.decode = _decode,
+			.destroy = _destroy,
+		},
+		.packer = packer,
+		.code = code,
+		.index_max = (2*code->n_z2 - 1) * code->n_z1,		
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_coder.h b/src/libstrongswan/plugins/bliss/bliss_huffman_coder.h
new file mode 100644
index 000000000..59abc49c6
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_coder.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_huffman_coder bliss_huffman_coder
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_HUFFMAN_CODER_H_
+#define BLISS_HUFFMAN_CODER_H_
+
+#include "bliss_huffman_code.h"
+#include "bliss_bitpacker.h"
+
+#include <library.h>
+
+typedef struct bliss_huffman_coder_t bliss_huffman_coder_t;
+
+/**
+ * Encodes and decodes binary Huffman codes
+ */
+struct bliss_huffman_coder_t {
+
+	/**
+	 * Get number of encoded or decoded bits
+	 *
+	 * @result			Number of bits
+	 */
+	size_t (*get_bits)(bliss_huffman_coder_t *this);
+
+	/**
+	 * Encode a (z1, z2) tuple using a Huffman code
+	 *
+	 * @param z1		z1 value to be encoded
+	 * @param z2		z2 value to be encoded
+	 * @result			TRUE if value could be encoded
+	 */
+	bool (*encode)(bliss_huffman_coder_t *this, int32_t z1, int16_t z2);
+
+
+	/**
+	 * Decode a (z1, z2) tuple using a Huffman code
+	 *
+	 * @param z1		Decoded z1 value returned
+	 * @param z2		Decoded z2 value returned
+	 * @result			TRUE if value could be decoded from bitpacker
+	 */
+	bool (*decode)(bliss_huffman_coder_t *this, int32_t *z1, int16_t *z2);
+
+	/**
+	 * Destroy bliss_huffman_coder_t object
+	 */
+	void (*destroy)(bliss_huffman_coder_t *this);
+};
+
+/**
+ * Create a bliss_huffman_coder_t object
+ *
+ * @param code			Huffman code table
+ * @param packer		Bitpacker to write to or read from
+ */
+bliss_huffman_coder_t* bliss_huffman_coder_create(bliss_huffman_code_t *code,
+												  bliss_bitpacker_t *packer);
+
+#endif /** BLISS_HUFFMAN_CODER_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_param_set.c b/src/libstrongswan/plugins/bliss/bliss_param_set.c
new file mode 100644
index 000000000..3781a588f
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_param_set.c
@@ -0,0 +1,339 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_param_set.h"
+
+#include <asn1/oid.h>
+
+ENUM(bliss_param_set_id_names, BLISS_I, BLISS_B_IV,
+	"BLISS-I",
+	"BLISS-II",
+	"BLISS-III",
+	"BLISS-IV",
+	"BLISS-B-I",
+	"BLISS-B-II",
+	"BLISS-B-III",
+	"BLISS-B-IV"
+);
+
+/**
+ * sigma = 215, k_sigma = ceiling[ sqrt(2*ln 2) * sigma ] = 254
+ *
+ * c[i] = exp(-2^i/f), i = 0..20, with f = k_sigma^2 / ln 2 = 93'076.9
+ */
+static uint8_t c_bliss_i[] = {
+	255, 255,  75, 191, 247,  94,  30,  51, 147, 246,  89,  59,  99, 248,  26, 128,
+	255, 254, 151, 128, 109, 166,  88, 143,  30, 175, 149,  20, 240,  81, 138, 111,
+	255, 253,  47,   2, 214, 243, 188,  76, 236, 235,  40,  62,  54,  35,  33, 205,
+	255, 250,  94,  13, 156, 120, 121, 216, 255, 120,  90,  11,  39, 232, 120, 111,
+	255, 244, 188,  58, 242, 219, 157, 174,   6,  31, 131,  75,  88, 109, 112, 107,
+	255, 233, 120, 244, 202, 151,  25,  10, 197, 109, 113, 255, 157,  89, 182, 141,
+	255, 210, 243, 229,  18,  88,  50, 239, 130, 192,  12, 167,  62, 254, 211, 202,
+	255, 165, 239, 183, 102, 186, 123, 249, 251,  59, 116, 143,  50, 174, 125, 198,
+	255,  75, 255,  30,  65, 137, 228, 148,  14,  17, 113, 251,  81, 177, 151, 168,
+	254, 152, 124, 205, 192, 136, 102,  79,   5,  62, 214,  95,  36, 223,   7,  20,
+	253,  50, 242, 124, 187,  59,  68, 224,  90, 156,  53, 202,   9,  44, 191, 226,
+	250, 109, 189, 110,  40, 124,  88,  12,  83,  78, 176,  86,  12, 102,  13,  41,
+	244, 250, 133,   6,   3,  13,  45,   9, 120, 121, 150, 237,  69, 190,  62,  16,
+	234, 110, 130, 187, 138, 174,  82, 229, 217, 154,  88, 138, 228, 153, 230,  13,
+	214, 174,  54, 179, 117, 116, 223, 152,  97,  84,  31,  99,  68, 150, 122, 244,
+	180,   7, 186,   2, 112,   3,  68,  13, 123, 133, 244, 184, 232, 216, 133,  18,
+	126, 154, 221, 207,  32, 206,  66, 171,  94, 100, 164, 194, 117, 191,   1, 209,
+	 62, 156, 208,   7, 129, 173, 200,   3,  23, 248, 140,  60,  69, 217, 195, 235,
+	 15,  80,  84, 209, 213,   2, 107, 160,   1, 152,  43, 130,  93,  95, 241, 218,
+	  0, 234, 131,  37, 182,  53, 201, 231,  26,   2, 151, 161,  13, 214, 150, 145,
+	  0,   0, 214, 212,   4,  32, 184,  94,  84,  90, 244, 139,  48,  69,  33,  38
+};
+
+/**
+ * sigma = 250, k_sigma = ceiling[ sqrt(2*ln 2) * sigma ] = 295
+ *
+ * c[i] = exp(-2^i/f), i = 0..20, with f = k_sigma^2 / ln 2 = 125'550.5
+ */
+static uint8_t c_bliss_iii[] = {
+	255, 255, 122,  95,  16, 128,  14, 195,  60,  90, 166, 191, 205,  26, 144, 204,
+	255, 254, 244, 190, 102, 192, 187, 141, 169,  92,  33,  30, 170, 141, 184,  56,
+	255, 253, 233, 125, 228, 131,  93, 148, 121,  92,  52, 122, 149,  96,  29,  66,
+	255, 251, 211,   0,  37,   9, 199, 244, 213, 217, 122, 205, 171, 200, 198,   5,
+	255, 247, 166,  17, 185, 251,  90, 150,   1,  28,   7, 205, 125,  46,  84, 201,
+	255, 239,  76, 105,  50, 114, 159, 235, 215, 165, 204, 182, 125, 143, 228, 222,
+	255, 222, 153, 233,  85, 187,  45, 204, 236, 229,  38, 180,  20, 161,   7, 167,
+	255, 189,  56,  46,  38,   4,  83,   8, 151, 137, 136,   1,   9, 180,  58, 204,
+	255, 122, 129, 199, 240,  52, 248, 193,  76,  26, 160,  32, 195, 250, 217,  25,
+	254, 245,  73,  44,  68, 229, 150,  74, 228,  74, 124, 249, 123,  94, 108, 127,
+	253, 235, 168,  56, 252,  93, 188, 160, 249, 137, 236,  65,  62, 182, 153,  63,
+	251, 219, 163, 110, 233, 251, 114, 216, 230,  35,  59, 210, 107, 100, 184,  16,
+	247, 200, 110, 236, 134, 237, 213, 111, 240, 149, 109,  22, 216, 213, 237, 145,
+	239, 212,  98, 249, 238,   1, 227, 248, 242,  51, 211, 134, 154, 115, 189,  83,
+	224, 174,  65,   2, 190, 158,   9,   6, 184,  13, 130, 104, 247, 102,  38, 160,
+	197,  49, 104,  97,  61, 210,  19, 115, 208,  54,  91,  27, 209, 227,  33,  26,
+	151, 229,  20,  46, 200, 238,  35, 134,  72, 183, 253, 160, 193, 155, 117, 103,
+	 90,  32,  10, 204,  78,  83, 191, 230,   0, 221, 219,   6,  43, 252, 185,  95,
+	 31, 186, 139, 154,  90, 155,  17,   9,  42, 139,  40, 111, 246, 175,   4,  15,
+	  3, 238, 181, 190, 138,  94,  50, 234, 128, 193,  95,  36,  65, 236, 170, 208,
+	  0,  15, 118, 216, 230, 142, 121, 211,  13, 168, 207, 126, 145, 176,  24, 201
+};
+
+/**
+ * sigma = 271, k_sigma = ceiling[ sqrt(2*ln 2) * sigma ] = 320
+ *
+ * c[i] = exp(-2^i/f), i = 0..21, with f = k_sigma^2 / ln 2 = 147'732.0
+ */
+static uint8_t c_bliss_iv[] = {
+	255, 255, 142, 111, 102,   2, 141,  87, 150,  42,  18,  70,   6, 224,  18,  70,
+	255, 255,  28, 222, 254, 102,  20,  78, 133,  78, 189, 107,  29,   7,  23, 193,
+	255, 254,  57, 190, 198,  79, 181, 181, 108,  75, 142, 145,  45, 238, 193,  29,
+	255, 252, 115, 128, 178, 170, 212, 166, 120, 157,  85,  96, 209, 180, 211,  83,
+	255, 248, 231,  13, 253, 108, 245,  46, 238, 155,  30,  99, 141, 228, 149, 239,
+	255, 241, 206,  78,  90, 132,  83, 172, 228, 179, 119, 115, 240,  51, 216,   6,
+	255, 227, 157, 102,  46,  28,  61, 128,  58, 114, 174, 136,   8, 224, 133,  84,
+	255, 199,  61, 242,  19, 216, 133, 241, 240,  22, 146,  43,  92,  57,  82, 248,
+	255, 142, 136, 121, 160, 225, 119, 214, 241,  44, 159,  34, 133, 118,  96,  60,
+	255,  29,  67,  61, 254,  49,  27, 152,  48, 124, 184,  87,  66, 214,  63, 133,
+	254,  59,  79,  77, 206,  26, 238,  42,  69,  81, 191, 149, 146,  76, 255, 232,
+	252, 121, 191,  28,  11, 107, 141, 223, 234,  42, 226,  50, 138, 102,  16,  97,
+	248, 255, 234,  37, 109, 169, 103,  25, 240, 109,  93, 165, 177,  22, 133, 100,
+	242,  48, 213, 124, 209,  49,  33,  48,  57, 237, 202,  62, 102, 132, 219,  48,
+	229,  32,  92, 240, 188,  88,  70,  34, 179,  94, 244,  70,  25, 123,  76, 140,
+	205,  18, 234,  94,  14, 226, 237,  76, 192,  18, 240,  50,  79,  63,  34,  96,
+	164,  71,  76, 192, 111, 161, 157, 188,  19, 189, 133, 246,  67, 127,   6,  28,
+	105, 107, 110,  50,  56, 199, 208, 174,  16,  95, 153, 106, 217, 198, 194, 179,
+	 43, 105,  77, 122, 127, 254, 146, 221,  44, 235,  61,  22, 179,   9, 113, 118,
+	  7,  92, 139,  87, 204, 239, 111, 200,  41, 129, 122,  49,  69, 113, 122, 239,
+	  0,  54,  49,  19,  64,  40, 218, 222,  60,  82, 186, 246,  64, 155, 184,  47,
+	  0,   0,  11, 120, 189, 135, 113,  62, 143, 175, 118, 239, 190, 120, 189, 250
+};
+
+/**
+ * BLISS signature parameter set definitions
+ */
+static bliss_param_set_t bliss_param_sets[] = {
+
+	/* BLISS-I scheme */
+	{
+		.id = BLISS_I,
+		.oid = OID_BLISS_I,
+		.strength = 128,
+		.q = 12289,
+		.q_bits = 14,
+		.q2_inv = 6145,
+		.n = 512,
+		.n_bits = 9,
+		.fft_params = &bliss_fft_12289_512,
+		.non_zero1 = 154,
+		.non_zero2 = 0,
+		.kappa = 23,
+		.nks_max = 46479,
+		.p_max = 0,     /* not needed */
+		.sigma = 215,
+		.k_sigma = 254,
+		.k_sigma_bits = 8,
+		.c = c_bliss_i,
+		.c_cols = 16,
+		.c_rows = 21,
+		.z1_bits = 12,
+		.d = 10,
+		.p = 24,
+		.M = 46539,     /* with alpha = 1.000 */
+		.B_inf = 2047,  /* reduced from 2100 due to 12 bit z1 encoding */
+		.B_l2 = 12872 * 12872
+	},
+
+	/* BLISS-III scheme */
+	{
+		.id = BLISS_III,
+		.oid = OID_BLISS_III,
+		.strength = 160,
+		.q = 12289,
+		.q_bits = 14,
+		.q2_inv = 6145,
+		.n = 512,
+		.n_bits = 9,
+		.fft_params = &bliss_fft_12289_512,
+		.non_zero1 = 216,
+		.non_zero2 = 16,
+		.kappa = 30,
+		.nks_max = 128626,
+		.p_max = 0,     /* not needed */
+		.sigma = 250,
+		.k_sigma = 295,
+		.k_sigma_bits = 9,
+		.c = c_bliss_iii,
+		.c_cols = 16,
+		.c_rows = 21,
+		.z1_bits = 12,
+		.d = 9,
+		.p = 48,
+		.M = 128113,    /* with alpha = 0.700 */
+		.B_inf = 1760,
+		.B_l2 = 10206 * 10206
+	},
+
+	/* BLISS-IV scheme */
+	{
+		.id = BLISS_IV,
+		.oid = OID_BLISS_IV,
+		.strength = 192,
+		.q = 12289,
+		.q_bits = 14,
+		.q2_inv = 6145,
+		.n = 512,
+		.n_bits = 9,
+		.fft_params = &bliss_fft_12289_512,
+		.non_zero1 = 231,
+		.non_zero2 = 31,
+		.kappa = 39,
+		.nks_max = 244669,
+		.p_max = 0,     /* not needed */
+		.sigma = 271,
+		.k_sigma = 320,
+		.k_sigma_bits = 9,
+		.c = c_bliss_iv,
+		.c_cols = 16,
+		.c_rows = 22,
+		.z1_bits = 12,
+		.d = 8,
+		.p = 96,
+		.M = 244186,    /* with alpha = 0.550 */
+		.B_inf = 1613,
+		.B_l2 = 9901 * 9901
+	},
+
+	/* BLISS-B-I scheme */
+	{
+		.id = BLISS_B_I,
+		.oid = OID_BLISS_B_I,
+		.strength = 128,
+		.q = 12289,
+		.q_bits = 14,
+		.q2_inv = 6145,
+		.n = 512,
+		.n_bits = 9,
+		.fft_params = &bliss_fft_12289_512,
+		.non_zero1 = 154,
+		.non_zero2 = 0,
+		.kappa = 23,
+		.nks_max = 0,   /* not needed */
+		.p_max = 17825,
+		.sigma = 215,
+		.k_sigma = 254,
+		.k_sigma_bits = 8,
+		.c = c_bliss_i,
+		.c_cols = 16,
+		.c_rows = 21,
+		.z1_bits = 12,
+		.d = 10,
+		.p = 24,
+		.M = 17954,     /* with alpha = 1.610 */
+		.B_inf = 2047,  /* reduced from 2100 due to 12 bit z1 encoding */
+		.B_l2 = 12872 * 12872
+	},
+
+	/* BLISS-B-III scheme */
+	{
+		.id = BLISS_B_III,
+		.oid = OID_BLISS_B_III,
+		.strength = 160,
+		.q = 12289,
+		.q_bits = 14,
+		.q2_inv = 6145,
+		.n = 512,
+		.n_bits = 9,
+		.fft_params = &bliss_fft_12289_512,
+		.non_zero1 = 216,
+		.non_zero2 = 16,
+		.kappa = 30,
+		.nks_max = 0,   /* not needed */
+		.p_max = 42270,
+		.sigma = 250,
+		.k_sigma = 295,
+		.k_sigma_bits = 9,
+		.c = c_bliss_iii,
+		.c_cols = 16,
+		.c_rows = 21,
+		.z1_bits = 12,
+		.d = 9,
+		.p = 48,
+		.M = 42455,     /* with alpha = 1.216 */
+		.B_inf = 1760,
+		.B_l2 = 10206 * 10206
+	},
+
+	/* BLISS-B-IV scheme */
+	{
+		.id = BLISS_B_IV,
+		.oid = OID_BLISS_B_IV,
+		.strength = 192,
+		.q = 12289,
+		.q_bits = 14,
+		.q2_inv = 6145,
+		.n = 512,
+		.n_bits = 9,
+		.fft_params = &bliss_fft_12289_512,
+		.non_zero1 = 231,
+		.non_zero2 = 31,
+		.kappa = 39,
+		.nks_max = 0,   /* not needed */
+		.p_max = 69576,
+		.sigma = 271,
+		.k_sigma = 320,
+		.k_sigma_bits = 9,
+		.c = c_bliss_iv,
+		.c_cols = 16,
+		.c_rows = 22,
+		.z1_bits = 12,
+		.d = 8,
+		.p = 96,
+		.M = 70034,     /* with alpha = 1.027 */
+		.B_inf = 1613,
+		.B_l2 = 9901 * 9901
+	}
+
+};
+
+/**
+ * See header.
+ */
+bliss_param_set_t* bliss_param_set_get_by_id(bliss_param_set_id_t id)
+{
+	int i;
+
+	for (i = 0; i < countof(bliss_param_sets); i++)
+	{
+		if (bliss_param_sets[i].id == id)
+		{
+			return &bliss_param_sets[i];
+		}
+	}
+	return NULL;
+}
+
+
+/**
+ * See header.
+ */
+bliss_param_set_t* bliss_param_set_get_by_oid(int oid)
+{
+	int i;
+
+	for (i = 0; i < countof(bliss_param_sets); i++)
+	{
+		if (bliss_param_sets[i].oid == oid)
+		{
+			return &bliss_param_sets[i];
+		}
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_param_set.h b/src/libstrongswan/plugins/bliss/bliss_param_set.h
new file mode 100644
index 000000000..33a8009ff
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_param_set.h
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_param_set bliss_param_set
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_PARAM_SET_H_
+#define BLISS_PARAM_SET_H_
+
+typedef enum bliss_param_set_id_t bliss_param_set_id_t;
+typedef struct bliss_param_set_t bliss_param_set_t;
+
+#include "bliss_fft_params.h"
+#include "bliss_huffman_code.h"
+
+#include <library.h>
+
+/**
+ * BLISS signature parameter set ID list
+ */
+enum bliss_param_set_id_t {
+	BLISS_I =     1,
+	BLISS_II =    2,
+	BLISS_III =   3,
+	BLISS_IV =    4,
+	BLISS_B_I =   5,
+	BLISS_B_II =  6,
+	BLISS_B_III = 7,
+	BLISS_B_IV =  8
+};
+
+extern enum_name_t *bliss_param_set_id_names;
+
+/**
+ * BLISS
+ */
+struct bliss_param_set_t {
+
+	/**
+	 * BLISS parameter set ID
+	 */
+	bliss_param_set_id_t id;
+
+	/**
+	 * BLISS parameter set OID
+	 */
+	int oid;
+
+	/**
+	 * Security strength in bits
+	 */
+	uint16_t strength;
+
+	/**
+	 * Prime modulus
+	 */
+	uint16_t q;
+
+	/**
+	 * Number of bits in q
+	 */
+	uint16_t q_bits;
+
+	/**
+	 * Inverse of (q + 2) mod 2q
+	 */
+	uint16_t q2_inv;
+
+	/**
+	 * Ring dimension equal to the number of polynomial coefficients
+	 */
+	uint16_t n;
+
+	/**
+	 * Number of bits in n
+	 */
+	uint16_t n_bits;
+
+	/**
+	 * FFT parameters
+	 */
+	bliss_fft_params_t *fft_params;
+
+	/**
+	 * Number of [-1, +1] secret key coefficients
+	 */
+	uint16_t non_zero1;
+
+	/**
+	 * Number of [-2, +2] secret key coefficients
+	 */
+	uint16_t non_zero2;
+
+	/**
+	 * Number of secret key terms that go into Nk(S) norm
+	 */
+	uint16_t kappa;
+
+	/**
+	 * Maximum Nk(S) tolerable NK(S) norm (BLISS only)
+	 */
+	uint32_t nks_max;
+
+	/**
+	 * Maximum value Pmax for ||Sc'||^2 norm (BLISS-B only)
+	 */
+	uint32_t p_max;
+
+	/**
+	 * Standard deviation sigma
+	 */
+	uint16_t sigma;
+
+	/**
+	 *  k_sigma = ceiling[ sqrt(2*ln 2) * sigma ]
+	 */
+	uint16_t k_sigma;
+
+	/**
+	 *  Number of bits in k_sigma
+	 */
+	uint16_t k_sigma_bits;
+
+	/**
+	 * Coefficients for Bernoulli sampling with exponential biases
+	 */
+	uint8_t *c;
+
+	/**
+	 * Number of columns in Bernoulli coefficient table
+	 */
+	size_t c_cols;
+
+	/**
+	 * Number of rows in Bernoulli coefficient table
+	 */
+	size_t c_rows;
+
+	/**
+	 * Number of bits in z1
+	 */
+	uint16_t z1_bits;
+
+	/**
+	 * Number of z2 bits to be dropped after rounding
+	 */
+	uint16_t d;
+
+	/**
+	 * Modulus p = floor(2q / 2^d) applied after bit dropping
+	 */
+	uint16_t p;
+
+	/**
+	 * M = sigma^2 / alpha_rejection^2
+	 */
+	uint32_t M;
+
+	/**
+	 * B_infinity bound
+	 */
+	uint16_t B_inf;
+
+	/**
+	 * B_verify bound
+	 */
+	uint32_t B_l2;
+
+};
+
+/**
+ * Get BLISS signature parameter set by BLISS parameter set ID
+ *
+ * @param id	BLISS parameter set ID
+ * @return		BLISS parameter set
+*/
+bliss_param_set_t* bliss_param_set_get_by_id(bliss_param_set_id_t id);
+
+/**
+ * Get BLISS signature parameter set by BLISS parameter set OID
+ *
+ * @param oid	BLISS parameter set OID
+ * @return		BLISS parameter set
+*/
+bliss_param_set_t* bliss_param_set_get_by_oid(int oid);
+
+#endif /** BLISS_PARAM_SET_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_plugin.c b/src/libstrongswan/plugins/bliss/bliss_plugin.c
new file mode 100644
index 000000000..07597c318
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_plugin.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_plugin.h"
+#include "bliss_private_key.h"
+#include "bliss_public_key.h"
+
+#include <library.h>
+
+typedef struct private_bliss_plugin_t private_bliss_plugin_t;
+
+/**
+ * private data of bliss_plugin
+ */
+struct private_bliss_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	bliss_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_bliss_plugin_t *this)
+{
+	return "bliss";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_bliss_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		/* private/public keys */
+		PLUGIN_REGISTER(PRIVKEY, bliss_private_key_load, TRUE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_BLISS),
+		PLUGIN_REGISTER(PRIVKEY, bliss_private_key_load, TRUE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
+		PLUGIN_REGISTER(PRIVKEY_GEN, bliss_private_key_gen, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_BLISS),
+				PLUGIN_DEPENDS(RNG, RNG_TRUE),
+		PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
+			PLUGIN_PROVIDE(PUBKEY, KEY_BLISS),
+		PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
+			PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
+		/* signature schemes, private */
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA256),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA256),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA384),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA384),
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA512),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+		/* signature verification schemes */
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA256),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA256),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA384),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA384),
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA512),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+	};
+	*features = f;
+
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_bliss_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *bliss_plugin_create()
+{
+	private_bliss_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_plugin.h b/src/libstrongswan/plugins/bliss/bliss_plugin.h
new file mode 100644
index 000000000..d3d80ac5d
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_p bliss
+ * @ingroup plugins
+ *
+ * @defgroup bliss_plugin bliss_plugin
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_PLUGIN_H_
+#define BLISS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct bliss_plugin_t bliss_plugin_t;
+
+/**
+ * Plugin implementing the BLISS post-quantu authentication algorithm
+ */
+struct bliss_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** BLISS_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.c b/src/libstrongswan/plugins/bliss/bliss_private_key.c
new file mode 100644
index 000000000..e1064d2f2
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_private_key.c
@@ -0,0 +1,1316 @@
+/*
+ * Copyright (C) 2014-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_private_key.h"
+#include "bliss_public_key.h"
+#include "bliss_param_set.h"
+#include "bliss_utils.h"
+#include "bliss_sampler.h"
+#include "bliss_signature.h"
+#include "bliss_bitpacker.h"
+#include "bliss_fft.h"
+
+#include <crypto/mgf1/mgf1_bitspender.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+
+#define _GNU_SOURCE
+#include <stdlib.h>
+
+typedef struct private_bliss_private_key_t private_bliss_private_key_t;
+
+#define SECRET_KEY_TRIALS_MAX	50
+
+/**
+ * Private data of a bliss_private_key_t object.
+ */
+struct private_bliss_private_key_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	bliss_private_key_t public;
+
+	/**
+	 * BLISS signature parameter set
+	 */
+	bliss_param_set_t *set;
+
+	/**
+	 * BLISS secret key S1 (coefficients of polynomial f)
+	 */
+	int8_t *s1;
+
+	/**
+	 * BLISS secret key S2 (coefficients of polynomial 2g + 1)
+	 */
+	int8_t *s2;
+
+	/**
+	 * NTT of BLISS public key a (coefficients of polynomial (2g + 1)/f)
+	 */
+	uint32_t *A;
+
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_bliss_private_key_t *this)
+{
+	return KEY_BLISS;
+}
+
+/**
+ * Multiply secret vector s with binary challenge vector c
+ */
+static void multiply_by_c(int8_t *s, int n, uint16_t *c_indices,
+						  uint16_t kappa, int32_t *product)
+{
+	int i, j, index;
+
+	for (i = 0; i < n; i++)
+	{
+		product[i] = 0;
+
+		for (j = 0; j < kappa; j++)
+		{
+			index = c_indices[j];
+			if (i - index < 0)
+			{
+				product[i] -= s[i - index + n];
+			}
+			else
+			{
+				product[i] += s[i - index];
+			}
+		}
+	}
+}
+
+/**
+ * BLISS-B GreedySC algorithm
+ */
+static void greedy_sc(int8_t *s1, int8_t *s2, int n, uint16_t *c_indices,
+					  uint16_t kappa, int32_t *v1, int32_t *v2)
+{
+	int i, j, index;
+	int32_t sign;
+
+	for (i = 0; i < n; i++)
+	{
+		v1[i] = v2[i] = 0;
+	}
+	for (j = 0; j < kappa; j++)
+	{
+		index = c_indices[j];
+		sign = 0;
+
+		for (i = 0; i < index; i++)
+		{
+			sign -= (v1[i] * s1[i - index + n] + v2[i] * s2[i - index + n]);
+		}
+		for (i = index; i < n; i++)
+		{
+			sign += (v1[i] * s1[i - index] + v2[i] * s2[i - index]);
+		}
+		for (i = 0; i < index; i++)
+		{
+			if (sign > 0)
+			{
+				v1[i] += s1[i - index + n];
+				v2[i] += s2[i - index + n];
+			}
+			else
+			{
+				v1[i] -= s1[i - index + n];
+				v2[i] -= s2[i - index + n];
+			}
+		}
+		for (i = index; i < n; i++)
+		{
+			if (sign > 0)
+			{
+				v1[i] -= s1[i - index];
+				v2[i] -= s2[i - index];
+			}
+			else
+			{
+				v1[i] += s1[i - index];
+				v2[i] += s2[i - index];
+			}
+		}
+	}
+}
+
+/**
+ * Compute a BLISS signature
+ */
+static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
+					   chunk_t data, chunk_t *signature)
+{
+	bliss_fft_t *fft;
+	bliss_signature_t *sig;
+	bliss_sampler_t *sampler = NULL;
+	rng_t *rng;
+	hasher_t *hasher;
+	hash_algorithm_t mgf1_alg;
+	size_t mgf1_seed_len;
+	uint8_t mgf1_seed_buf[HASH_SIZE_SHA512], data_hash_buf[HASH_SIZE_SHA512];
+	chunk_t mgf1_seed, data_hash;
+	uint16_t q, q2, p, p2, *c_indices, tests = 0;
+	uint32_t *ay;
+	int32_t *y1, *y2, *z1, *z2, *u, *s1c, *s2c;
+	int32_t y1_min = 0, y1i, y1_max = 0, y2_min = 0, y2i, y2_max = 0;
+	int32_t scalar, norm, ui;
+	int16_t *ud, *uz2d, *z2d, value;
+	int i, n;
+	double mean1 = 0, mean2 = 0, sigma1 = 0, sigma2 = 0;
+	bool accepted, positive, success = FALSE, use_bliss_b;
+
+	/* Initialize signature */
+	*signature = chunk_empty;
+
+	/* Create data hash */
+	hasher = lib->crypto->create_hasher(lib->crypto, alg);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+	data_hash = chunk_create(data_hash_buf, hasher->get_hash_size(hasher));
+
+	if (!hasher->get_hash(hasher, data, data_hash_buf))
+	{
+		hasher->destroy(hasher);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+
+	/* Create SHA512 hasher for c_indices oracle */
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+
+	/* Set MGF1 hash algorithm and seed length based on security strength */
+	if (this->set->strength > 160)
+	{
+		mgf1_alg = HASH_SHA256;
+		mgf1_seed_len = HASH_SIZE_SHA256;
+	}
+	else
+	{
+		mgf1_alg = HASH_SHA1;
+		mgf1_seed_len = HASH_SIZE_SHA1;
+	}
+	mgf1_seed = chunk_create(mgf1_seed_buf, mgf1_seed_len);
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+	if (!rng)
+	{
+		hasher->destroy(hasher);
+		return FALSE;
+	}
+
+	/* Initialize a couple of needed variables */
+	n  = this->set->n;
+	q  = this->set->q;
+	p  = this->set->p;
+	q2 = 2 * q;
+	p2 = p / 2;
+	ay   = malloc(n * sizeof(uint32_t));
+	z2   = malloc(n * sizeof(int32_t));
+	s1c  = malloc(n * sizeof(int32_t));
+	s2c  = malloc(n * sizeof(int32_t));
+	u    = malloc(n * sizeof(int32_t));
+	uz2d = malloc(n * sizeof(int16_t));
+
+	sig = bliss_signature_create(this->set);
+	sig->get_parameters(sig, &z1, &z2d, &c_indices);
+	y1 = z1;
+	y2 = z2;
+	ud = z2d;
+
+	fft = bliss_fft_create(this->set->fft_params);
+
+	/* Use of the enhanced BLISS-B signature algorithm? */
+	switch (this->set->id)
+	{
+		default:
+		case BLISS_I:
+		case BLISS_II:
+		case BLISS_III:
+		case BLISS_IV:
+			use_bliss_b = FALSE;
+			break;
+		case BLISS_B_I:
+		case BLISS_B_II:
+		case BLISS_B_III:
+		case BLISS_B_IV:
+			use_bliss_b = TRUE;
+			break;
+	}
+
+	while (true)
+	{
+		tests++;
+
+		if (!rng->get_bytes(rng, mgf1_seed_len, mgf1_seed_buf))
+		{
+			goto end;
+		}
+		DESTROY_IF(sampler);
+
+		sampler = bliss_sampler_create(mgf1_alg, mgf1_seed, this->set);
+		if (!sampler)
+		{
+			goto end;
+		}
+
+		/* Gaussian sampling for vectors y1 and y2 */
+		for (i = 0; i < n; i++)
+		{
+			if (!sampler->gaussian(sampler, &y1i) ||
+				!sampler->gaussian(sampler, &y2i))
+			{
+				goto end;
+			}
+			y1[i] = y1i;
+			y2[i] = y2i;
+
+			/* Collect statistical data on rejection sampling */
+			if (i == 0)
+			{
+				y1_min = y1_max = y1i;
+				y2_min = y2_max = y2i;
+			}
+			else
+			{
+				if (y1i < y1_min)
+				{
+					y1_min = y1i;
+				}
+				else if (y1i > y1_max)
+				{
+					y1_max = y1i;
+				}
+				if (y2i < y2_min)
+				{
+					y2_min = y2i;
+				}
+				else if (y2i > y2_max)
+				{
+					y2_max = y2i;
+				}
+			}
+			mean1 += y1i;
+			mean2 += y2i;
+			sigma1 += y1i * y1i;
+			sigma2 += y2i * y2i;
+
+			ay[i] = y1i < 0 ? q + y1i : y1i;
+		}
+
+		/* Compute statistics on vectors y1 and y2 */
+		mean1 /= n;
+		mean2 /= n;
+		sigma1 /= n;
+		sigma2 /= n;
+		sigma2 -= mean1 * mean1;
+		sigma2 -= mean2 * mean2;
+		DBG2(DBG_LIB, "y1 = %d..%d (sigma2 = %5.0f, mean = %4.1f)",
+					   y1_min, y1_max, sigma1, mean1);
+		DBG2(DBG_LIB, "y2 = %d..%d (sigma2 = %5.0f, mean = %4.1f)",
+					   y2_min, y2_max, sigma2, mean2);
+
+		fft->transform(fft, ay, ay, FALSE);
+
+		for (i = 0; i < n; i++)
+		{
+			ay[i] = (this->A[i] * ay[i]) % q;
+		}
+		fft->transform(fft, ay, ay, TRUE);
+
+		for (i = 0; i < n; i++)
+		{
+			ui = 2 * this->set->q2_inv * (int32_t)ay[i] + y2[i];
+			u[i] = ((ui < 0) ? q2 + ui : ui) % q2;
+		}
+		bliss_utils_round_and_drop(this->set, u, ud);
+
+		/* Detailed debugging information */
+		DBG3(DBG_LIB, "  i    u[i]  ud[i]");
+		for (i = 0; i < n; i++)
+		{
+			DBG3(DBG_LIB, "%3d  %6d   %4d", i, u[i], ud[i]);
+		}
+
+		if (!bliss_utils_generate_c(hasher, data_hash, ud, n, this->set->kappa,
+									c_indices))
+		{
+			goto end;
+		}
+
+		if (use_bliss_b)
+		{
+			/* Compute v = (s1c, s2c) with the GreedySC algorithm */
+			greedy_sc(this->s1, this->s2, n, c_indices, this->set->kappa,
+					  s1c, s2c);
+
+			/* Compute norm = ||v||^2 = ||Sc'||^2 */
+			norm = bliss_utils_scalar_product(s1c, s1c, n) +
+				   bliss_utils_scalar_product(s2c, s2c, n);
+
+			/* Just in case. ||v||^2 <= P_max should always be fulfilled */
+			if (norm > this->set->p_max)
+			{
+				goto end;
+			}
+		}
+		else
+		{
+			/* Compute s*c */
+			multiply_by_c(this->s1, n, c_indices, this->set->kappa, s1c);
+			multiply_by_c(this->s2, n, c_indices, this->set->kappa, s2c);
+
+			/* Compute norm = |Sc||^2 */
+			norm = bliss_utils_scalar_product(s1c, s1c, n) +
+				   bliss_utils_scalar_product(s2c, s2c, n);
+		}
+
+		if (!sampler->bernoulli_exp(sampler, this->set->M - norm, &accepted))
+		{
+			goto end;
+		}
+		if (use_bliss_b)
+		{
+			DBG2(DBG_LIB, "norm2(s1*c') + norm2(s2*c') = %u (%u max), %s",
+				 norm, this->set->p_max, accepted ? "accepted" : "rejected");
+
+		}
+		else
+		{
+			DBG2(DBG_LIB, "norm2(s1*c) + norm2(s2*c) = %u, %s",
+				 norm, accepted ? "accepted" : "rejected");
+		}
+		if (!accepted)
+		{
+			continue;
+		}
+
+		/* Compute z */
+		if (!sampler->sign(sampler, &positive))
+		{
+			goto end;
+		}
+		for (i = 0; i < n; i++)
+		{
+			if (positive)
+			{
+				z1[i] = y1[i] + s1c[i];
+				z2[i] = y2[i] + s2c[i];
+			}
+			else
+			{
+				z1[i] = y1[i] - s1c[i];
+				z2[i] = y2[i] - s2c[i];
+			}
+		}
+		/* Reject with probability 1/cosh(scalar/sigma^2) */
+		scalar = bliss_utils_scalar_product(z1, s1c, n) +
+				 bliss_utils_scalar_product(z2, s2c, n);
+
+		if (!sampler->bernoulli_cosh(sampler, scalar, &accepted))
+		{
+			goto end;
+		}
+		DBG2(DBG_LIB, "scalar(z1,s1*c) + scalar(z2,s2*c) = %d, %s",
+					   scalar, accepted ? "accepted" : "rejected");
+		if (!accepted)
+		{
+			continue;
+		}
+
+		/* Compute z2 with dropped bits */
+		for (i = 0; i < n; i++)
+		{
+			u[i] -= z2[i];
+			if (u[i] < 0)
+			{
+				u[i] += q2;
+			}
+			else if (u[i] >= q2)
+			{
+				u[i] -= q2;
+			}
+		}
+		bliss_utils_round_and_drop(this->set, u, uz2d);
+
+		for (i = 0; i < n; i++)
+		{
+			value = ud[i] - uz2d[i];
+			if (value <= -p2)
+			{
+				value += p;
+			}
+			else if (value > p2)
+			{
+				value -= p;
+			}
+			z2d[i] = value;
+		}
+
+		if (!bliss_utils_check_norms(this->set, z1, z2d))
+		{
+			continue;
+		}
+
+		*signature = sig->get_encoding(sig);
+		if (signature->len == 0)
+		{
+			DBG1(DBG_LIB, "inefficient Huffman coding of signature");
+			continue;
+		}
+		DBG2(DBG_LIB, "signature generation needed %u round%s", tests,
+					  (tests == 1) ? "" : "s");
+		break;
+	}
+	success = TRUE;
+
+end:
+	/* cleanup */
+	DESTROY_IF(sampler);
+	hasher->destroy(hasher);
+	sig->destroy(sig);
+	fft->destroy(fft);
+	rng->destroy(rng);
+	memwipe(s1c, n * sizeof(int32_t));
+	memwipe(s2c, n * sizeof(int32_t));
+	free(s1c);
+	free(s2c);
+	free(ay);
+	free(z2);
+	free(u);
+	free(uz2d);
+
+	return success;
+}
+
+METHOD(private_key_t, sign, bool,
+	private_bliss_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
+{
+	switch (scheme)
+	{
+		case SIGN_BLISS_WITH_SHA256:
+			return sign_bliss(this, HASH_SHA256, data, signature);
+		case SIGN_BLISS_WITH_SHA384:
+			return sign_bliss(this, HASH_SHA384, data, signature);
+		case SIGN_BLISS_WITH_SHA512:
+			return sign_bliss(this, HASH_SHA512, data, signature);
+		default:
+			DBG1(DBG_LIB, "signature scheme %N not supported with BLISS",
+				 signature_scheme_names, scheme);
+			return FALSE;
+	}
+}
+
+METHOD(private_key_t, decrypt, bool,
+	private_bliss_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
+{
+	DBG1(DBG_LIB, "encryption scheme %N not supported",
+				   encryption_scheme_names, scheme);
+	return FALSE;
+}
+
+METHOD(private_key_t, get_keysize, int,
+	private_bliss_private_key_t *this)
+{
+	return this->set->strength;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_bliss_private_key_t *this)
+{
+	public_key_t *public;
+	chunk_t pubkey;
+
+	pubkey = bliss_public_key_info_encode(this->set->oid, this->A, this->set);
+	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_BLISS,
+								BUILD_BLOB_ASN1_DER, pubkey, BUILD_END);
+	free(pubkey.ptr);
+
+	return public;
+}
+
+METHOD(private_key_t, get_encoding, bool,
+	private_bliss_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	switch (type)
+	{
+		case PRIVKEY_ASN1_DER:
+		case PRIVKEY_PEM:
+		{
+			chunk_t s1, s2, pubkey;
+			bliss_bitpacker_t *packer;
+			size_t s_bits;
+			int8_t value;
+			bool success = TRUE;
+			int i;
+
+			pubkey = bliss_public_key_encode(this->A, this->set);
+
+			/* Use either 2 or 3 bits per array element */
+			s_bits = 2 + (this->set->non_zero2 > 0);
+
+			/* Encode secret s1 */
+			packer = bliss_bitpacker_create(s_bits * this->set->n);
+			for (i = 0; i < this->set->n; i++)
+			{
+				packer->write_bits(packer, this->s1[i], s_bits);
+			}
+			s1 = packer->extract_buf(packer);
+			packer->destroy(packer);
+
+			/* Encode secret s2 */
+			packer = bliss_bitpacker_create(s_bits * this->set->n);
+			for (i = 0; i < this->set->n; i++)
+			{
+				value = this->s2[i];
+				if (i == 0)
+				{
+					value -= 1;
+				}
+				value /= 2;
+				packer->write_bits(packer, value, s_bits);
+			}
+			s2 = packer->extract_buf(packer);
+			packer->destroy(packer);
+
+			*encoding = asn1_wrap(ASN1_SEQUENCE, "mmss",
+							asn1_build_known_oid(this->set->oid),
+							asn1_bitstring("m", pubkey),
+							asn1_bitstring("m", s1),
+							asn1_bitstring("m", s2)
+						);
+			if (type == PRIVKEY_PEM)
+			{
+				chunk_t asn1_encoding = *encoding;
+
+				success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM,
+								NULL, encoding, CRED_PART_BLISS_PRIV_ASN1_DER,
+								asn1_encoding, CRED_PART_END);
+				chunk_clear(&asn1_encoding);
+			}
+			return success;
+		}
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+	private_bliss_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
+{
+	bool success;
+
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
+	}
+	success = bliss_public_key_fingerprint(this->set->oid, this->A,
+										   this->set, type, fp);
+	if (success)
+	{
+		lib->encoding->cache(lib->encoding, type, this, *fp);
+	}
+	return success;
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_bliss_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(private_key_t, destroy, void,
+	private_bliss_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this);
+		if (this->s1)
+		{
+			memwipe(this->s1, this->set->n * sizeof(int8_t));
+			free(this->s1);
+		}
+		if (this->s2)
+		{
+			memwipe(this->s2, this->set->n * sizeof(int8_t));
+			free(this->s2);
+		}
+		free(this->A);
+		free(this);
+	}
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_bliss_private_key_t *bliss_private_key_create_empty(void)
+{
+	private_bliss_private_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
+	return this;
+}
+
+/**
+ * Compute the scalar product of a vector x with a negative wrapped vector y
+ */
+static int16_t wrapped_product(int8_t *x, int8_t *y, int n, int shift)
+{
+	int16_t product = 0;
+	int i;
+
+	for (i = 0; i < n - shift; i++)
+	{
+		product += x[i] * y[i + shift];
+	}
+	for (i = n - shift; i < n; i++)
+	{
+		product -= x[i] * y[i + shift - n];
+	}
+	return product;
+}
+
+/**
+ * Apply a negative wrapped rotation to a vector x
+ */
+static void wrap(int16_t *x, int n, int shift, int16_t *x_wrapped)
+{
+	int i;
+
+	for (i = 0; i < n - shift; i++)
+	{
+		x_wrapped[i + shift] = x[i];
+	}
+	for (i = n - shift; i < n; i++)
+	{
+		x_wrapped[i + shift - n] = -x[i];
+	}
+}
+
+/**
+ * int16_t compare function needed for qsort()
+ */
+static int compare(const int16_t *a, const int16_t *b)
+{
+	int16_t temp = *a - *b;
+
+	if (temp > 0)
+	{
+		return 1;
+	}
+	else if (temp < 0)
+	{
+		return -1;
+	}
+	else
+	{
+		return 0;
+	}
+}
+
+/**
+ * Compute the Nk(S) norm of S = (s1, s2)
+ */
+static uint32_t nks_norm(int8_t *s1, int8_t *s2, int n, uint16_t kappa)
+{
+	int16_t t[n], t_wrapped[n], max_kappa[n];
+	uint32_t nks = 0;
+	int i, j;
+
+	for (i = 0; i < n; i++)
+	{
+		t[i] = wrapped_product(s1, s1, n, i) + wrapped_product(s2, s2, n, i);
+	}
+
+	for (i = 0; i < n; i++)
+	{
+		wrap(t, n, i, t_wrapped);
+		qsort(t_wrapped, n, sizeof(int16_t), (__compar_fn_t)compare);
+		max_kappa[i] = 0;
+
+		for (j = 1; j <= kappa; j++)
+		{
+			max_kappa[i] += t_wrapped[n - j];
+		}
+	}
+	qsort(max_kappa, n, sizeof(int16_t), (__compar_fn_t)compare);
+
+	for (i = 1; i <= kappa; i++)
+	{
+		nks += max_kappa[n - i];
+	}
+	return nks;
+}
+
+/**
+ * Compute the inverse x1 of x modulo q as x^(-1) = x^(q-2) mod q
+ */
+static uint32_t invert(uint32_t x, uint16_t q)
+{
+	uint32_t x1, x2;
+	uint16_t q2;
+	int i, i_max;
+
+	q2 = q - 2;
+	x1 = (q2 & 1) ? x : 1;
+	x2 = x;
+	i_max = 15;
+
+	while ((q2 & (1 << i_max)) == 0)
+	{
+		i_max--;
+	}
+	for (i = 1; i <= i_max; i++)
+	{
+		x2 = (x2 * x2) % q;
+
+		if (q2 & (1 << i))
+		{
+			x1 = (x1 * x2) % q;
+		}
+	}
+
+	return x1;
+}
+
+/**
+ * Create a vector with sparse and small coefficients from seed
+ */
+static int8_t* create_vector_from_seed(private_bliss_private_key_t *this,
+									   hash_algorithm_t alg, chunk_t seed)
+{
+	mgf1_bitspender_t *bitspender;
+	uint32_t index, sign;
+	int8_t *vector;
+	int non_zero;
+
+	bitspender = mgf1_bitspender_create(alg, seed, FALSE);
+	if (!bitspender)
+	{
+	    return NULL;
+	}
+
+	vector = malloc(sizeof(int8_t) * this->set->n);
+	memset(vector, 0x00, this->set->n);
+
+	non_zero = this->set->non_zero1;
+	while (non_zero)
+	{
+		if (!bitspender->get_bits(bitspender, this->set->n_bits, &index))
+		{
+			free(vector);
+			return NULL;
+		}
+		if (vector[index] != 0)
+		{
+			continue;
+		}
+
+		if (!bitspender->get_bits(bitspender, 1, &sign))
+		{
+			free(vector);
+			return NULL;
+		}
+		vector[index] = sign ? 1 : -1;
+		non_zero--;
+	}
+
+	non_zero = this->set->non_zero2;
+	while (non_zero)
+	{
+		if (!bitspender->get_bits(bitspender, this->set->n_bits, &index))
+		{
+			free(vector);
+			return NULL;
+		}
+		if (vector[index] != 0)
+		{
+			continue;
+		}
+
+		if (!bitspender->get_bits(bitspender, 1, &sign))
+		{
+			free(vector);
+			return NULL;
+		}
+		vector[index] = sign ? 2 : -2;
+		non_zero--;
+	}
+	bitspender->destroy(bitspender);
+
+	return vector;
+}
+
+/**
+ * Generate the secret key S = (s1, s2) fulfilling the Nk(S) norm
+ */
+static bool create_secret(private_bliss_private_key_t *this, rng_t *rng,
+						 int8_t **s1, int8_t **s2, int *trials)
+{
+	uint8_t seed_buf[32];
+	uint8_t *f, *g;
+	uint32_t l2_norm, nks;
+	int i, n;
+	chunk_t seed;
+	size_t seed_len;
+	hash_algorithm_t alg;
+
+	n = this->set->n;
+	*s1 = NULL;
+	*s2 = NULL;
+
+	/* Set MGF1 hash algorithm and seed length based on security strength */
+	if (this->set->strength > 160)
+	{
+		alg = HASH_SHA256;
+		seed_len = HASH_SIZE_SHA256;
+	}
+	else
+	{
+		alg = HASH_SHA1;
+		seed_len = HASH_SIZE_SHA1;
+	}
+	seed = chunk_create(seed_buf, seed_len);
+
+	while (*trials < SECRET_KEY_TRIALS_MAX)
+	{
+		(*trials)++;
+
+		if (!rng->get_bytes(rng, seed_len, seed_buf))
+		{
+			return FALSE;
+		}
+		f = create_vector_from_seed(this, alg, seed);
+		if (f == NULL)
+		{
+			return FALSE;
+		}
+		if (!rng->get_bytes(rng, seed_len, seed_buf))
+		{
+			free(f);
+			return FALSE;
+		}
+		g = create_vector_from_seed(this, alg, seed);
+		if (g == NULL)
+		{
+			free(f);
+			return FALSE;
+		}
+
+		/* Compute 2g + 1 */
+		for (i = 0; i < n; i++)
+		{
+			g[i] *= 2;
+		}
+		g[0] += 1;
+
+		l2_norm = wrapped_product(f, f, n, 0) +  wrapped_product(g, g, n, 0);
+		nks = nks_norm(f, g, n, this->set->kappa);
+
+		switch (this->set->id)
+		{
+			case BLISS_I:
+			case BLISS_II:
+			case BLISS_III:
+			case BLISS_IV:
+				DBG2(DBG_LIB, "l2 norm of s1||s2: %d, Nk(S): %u (%u max)",
+							   l2_norm, nks, this->set->nks_max);
+				if (nks < this->set->nks_max)
+				{
+					*s1 = f;
+					*s2 = g;
+					return TRUE;
+				}
+				free(f);
+				free(g);
+				break;
+			case BLISS_B_I:
+			case BLISS_B_II:
+			case BLISS_B_III:
+			case BLISS_B_IV:
+				DBG2(DBG_LIB, "l2 norm of s1||s2: %d, Nk(S): %u",
+							   l2_norm, nks);
+				*s1 = f;
+				*s2 = g;
+				return TRUE;
+		}
+	}
+
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bliss_private_key_t *bliss_private_key_gen(key_type_t type, va_list args)
+{
+	private_bliss_private_key_t *this;
+	u_int key_size = BLISS_B_I;
+	int i, n, trials = 0;
+	uint32_t *S1, *S2, *a;
+	uint16_t q;
+	bool success = FALSE;
+	bliss_param_set_t *set;
+	bliss_fft_t *fft;
+	rng_t *rng;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_KEY_SIZE:
+				key_size = va_arg(args, u_int);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (lib->settings->get_bool(lib->settings, "%s.plugins.bliss.use_bliss_b",
+								TRUE, lib->ns))
+	{
+		switch (key_size)
+		{
+			case BLISS_I:
+				key_size = BLISS_B_I;
+				break;
+			case BLISS_II:
+				key_size = BLISS_B_II;
+				break;
+			case BLISS_III:
+				key_size = BLISS_B_III;
+				break;
+			case BLISS_IV:
+				key_size = BLISS_B_IV;
+				break;
+			default:
+				break;
+		}
+	}
+
+	/* Only BLISS or BLISS-B types I, III, or IV are currently supported */
+	set = bliss_param_set_get_by_id(key_size);
+	if (!set)
+	{
+		DBG1(DBG_LIB, "BLISS parameter set %u not supported", key_size);
+		return NULL;
+	}
+
+	/* Some shortcuts for often used variables */
+	n = set->n;
+	q = set->q;
+
+	if (set->fft_params->n != n || set->fft_params->q != q)
+	{
+		DBG1(DBG_LIB, "FFT parameters do not match BLISS parameters");
+		return NULL;
+	}
+	this = bliss_private_key_create_empty();
+	this->set = set;
+
+	/* We derive the public key from the private key using the FFT */
+	fft = bliss_fft_create(set->fft_params);
+
+	/* Some vectors needed to derive the publi key */
+	S1 = malloc(n * sizeof(uint32_t));
+	S2 = malloc(n * sizeof(uint32_t));
+	a  = malloc(n * sizeof(uint32_t));
+	this->A = malloc(n * sizeof(uint32_t));
+
+	/* Instantiate a true random generator */
+	rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
+
+	/* Loop until we have an invertible polynomial s1 */
+	do
+	{
+		if (!create_secret(this, rng, &this->s1, &this->s2, &trials))
+		{
+			break;
+		}
+
+		/* Convert signed arrays to unsigned arrays before FFT */
+		for (i = 0; i < n; i++)
+		{
+			S1[i] = (this->s1[i] < 0) ? this->s1[i] + q :  this->s1[i];
+			S2[i] = (this->s2[i] > 0) ? q - this->s2[i] : -this->s2[i];
+		}
+		fft->transform(fft, S1, S1, FALSE);
+		fft->transform(fft, S2, S2, FALSE);
+
+		success = TRUE;
+		for (i = 0; i < n; i++)
+		{
+			if (S1[i] == 0)
+			{
+				DBG1(DBG_LIB, "S1[%d] is zero - s1 is not invertible", i);
+				free(this->s1);
+				free(this->s2);
+				this->s1 = NULL;
+				this->s2 = NULL;
+				success = FALSE;
+				break;
+			}
+			this->A[i] = invert(S1[i], q);
+			this->A[i] = (S2[i] * this->A[i]) % q;
+		}
+	}
+	while (!success && trials < SECRET_KEY_TRIALS_MAX);
+
+	DBG1(DBG_LIB, "secret key generation %s after %d trial%s",
+		 success ? "succeeded" : "failed", trials, (trials == 1) ? "" : "s");
+
+	if (success)
+	{
+		fft->transform(fft, this->A, a, TRUE);
+
+		DBG4(DBG_LIB, "   i   f   g     a     F     G     A");
+		for (i = 0; i < n; i++)
+		{
+			DBG4(DBG_LIB, "%4d %3d %3d %5u %5u %5u %5u",
+				 i, this->s1[i], this->s2[i], a[i], S1[i], S2[i], this->A[i]);
+		}
+	}
+	else
+	{
+		destroy(this);
+	}
+
+	/* Cleanup */
+	fft->destroy(fft);
+	rng->destroy(rng);
+	memwipe(S1, n * sizeof(uint32_t));
+	memwipe(S2, n * sizeof(uint32_t));
+	free(S1);
+	free(S2);
+	free(a);
+
+	return success ? &this->public : NULL;
+}
+
+/**
+ * ASN.1 definition of a BLISS private key
+ */
+static const asn1Object_t privkeyObjects[] = {
+	{ 0, "BLISSPrivateKey",		ASN1_SEQUENCE,   ASN1_NONE }, /*  0 */
+	{ 1,   "keyType",			ASN1_OID,        ASN1_BODY }, /*  1 */
+	{ 1,   "public",			ASN1_BIT_STRING, ASN1_BODY }, /*  2 */
+	{ 1,   "secret1",			ASN1_BIT_STRING, ASN1_BODY }, /*  3 */
+	{ 1,   "secret2",			ASN1_BIT_STRING, ASN1_BODY }, /*  4 */
+	{ 0, "exit",				ASN1_EOC,        ASN1_EXIT }
+};
+#define PRIV_KEY_TYPE			1
+#define PRIV_KEY_PUBLIC			2
+#define PRIV_KEY_SECRET1		3
+#define PRIV_KEY_SECRET2		4
+
+/**
+ * See header.
+ */
+bliss_private_key_t *bliss_private_key_load(key_type_t type, va_list args)
+{
+	private_bliss_private_key_t *this;
+	chunk_t key = chunk_empty, object;
+	bliss_bitpacker_t *packer;
+	asn1_parser_t *parser;
+	size_t s_bits = 0;
+	int8_t s, s_min = 0, s_max = 0;
+	uint32_t s_sign = 0x02, s_mask = 0xfffffffc, value;
+	bool success = FALSE;
+	int objectID, oid, i;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				key = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (key.len == 0)
+	{
+		return NULL;
+	}
+	this = bliss_private_key_create_empty();
+
+	parser = asn1_parser_create(privkeyObjects, key);
+	parser->set_flags(parser, FALSE, TRUE);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PRIV_KEY_TYPE:
+				oid = asn1_known_oid(object);
+				if (oid == OID_UNKNOWN)
+				{
+					goto end;
+				}
+				this->set = bliss_param_set_get_by_oid(oid);
+				if (this->set == NULL)
+				{
+					goto end;
+				}
+				if (lib->settings->get_bool(lib->settings,
+							"%s.plugins.bliss.use_bliss_b",TRUE, lib->ns))
+				{
+					switch (this->set->id)
+					{
+						case BLISS_I:
+							this->set = bliss_param_set_get_by_id(BLISS_B_I);
+							break;
+						case BLISS_III:
+							this->set = bliss_param_set_get_by_id(BLISS_B_III);
+							break;
+						case BLISS_IV:
+							this->set = bliss_param_set_get_by_id(BLISS_B_IV);
+							break;
+						default:
+							break;
+					}
+				}
+				if (this->set->non_zero2)
+				{
+					s_min = -2;
+					s_max =  2;
+					s_bits = 3;
+				}
+				else
+				{
+					s_min = -1;
+					s_max =  1;
+					s_bits = 2;
+				}
+				s_sign = 1 << (s_bits - 1);
+				s_mask = ((1 << (32 - s_bits)) - 1) << s_bits;
+				break;
+			case PRIV_KEY_PUBLIC:
+				if (!bliss_public_key_from_asn1(object, this->set, &this->A))
+				{
+					goto end;
+				}
+				break;
+			case PRIV_KEY_SECRET1:
+				if (object.len != 1 + (s_bits * this->set->n + 7)/8)
+				{
+					goto end;
+				}
+				this->s1 = malloc(this->set->n);
+
+				/* Skip unused bits octet */
+				object = chunk_skip(object, 1);
+				packer = bliss_bitpacker_create_from_data(object);
+				for (i = 0; i < this->set->n; i++)
+				{
+					packer->read_bits(packer, &value, s_bits);
+					s = (value & s_sign) ? value | s_mask : value;
+					if (s < s_min || s > s_max)
+					{
+						packer->destroy(packer);
+						goto end;
+					}
+					this->s1[i] = s;
+				}
+				packer->destroy(packer);
+				break;
+			case PRIV_KEY_SECRET2:
+				if (object.len != 1 + (s_bits * this->set->n + 7)/8)
+				{
+					goto end;
+				}
+				this->s2 = malloc(this->set->n);
+
+				/* Skip unused bits octet */
+				object = chunk_skip(object, 1);
+				packer = bliss_bitpacker_create_from_data(object);
+				for (i = 0; i < this->set->n; i++)
+				{
+					packer->read_bits(packer, &value, s_bits);
+					s = (value & s_sign) ? value | s_mask : value;
+					if (s < s_min || s > s_max)
+					{
+						packer->destroy(packer);
+						goto end;
+					}
+					this->s2[i] = 2 * s;
+					if (i == 0)
+					{
+						this->s2[0] += 1;
+					}
+				}
+				packer->destroy(packer);
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	if (!success)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.h b/src/libstrongswan/plugins/bliss/bliss_private_key.h
new file mode 100644
index 000000000..cb4ff807a
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_private_key.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_private_key bliss_private_key
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_PRIVATE_KEY_H_
+#define BLISS_PRIVATE_KEY_H_
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+typedef struct bliss_private_key_t bliss_private_key_t;
+
+/**
+ * Private_key_t implementation of BLISS signature algorithm.
+ */
+struct bliss_private_key_t {
+
+	/**
+	 * Implements private_key_t interface
+	 */
+	private_key_t key;
+};
+
+/**
+ * Generate a BLISS private key.
+ *
+ * Accepts the BUILD_KEY_SIZE argument.
+ *
+ * @param type		type of the key, must be KEY_BLISS
+ * @param args		builder_part_t argument list
+ * @return 			generated key, NULL on failure
+ */
+bliss_private_key_t *bliss_private_key_gen(key_type_t type, va_list args);
+
+/**
+ * Load a BLISS private key.
+ *
+ * Accepts BUILD_BLISS_* components.
+ *
+ * @param type		type of the key, must be KEY_BLISS
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+bliss_private_key_t *bliss_private_key_load(key_type_t type, va_list args);
+
+#endif /** BLISS_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.c b/src/libstrongswan/plugins/bliss/bliss_public_key.c
new file mode 100644
index 000000000..0175b0f8e
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_public_key.c
@@ -0,0 +1,515 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_public_key.h"
+#include "bliss_signature.h"
+#include "bliss_bitpacker.h"
+#include "bliss_fft.h"
+#include "bliss_utils.h"
+
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+
+typedef struct private_bliss_public_key_t private_bliss_public_key_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_bliss_public_key_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	bliss_public_key_t public;
+
+	/**
+	 * BLISS signature parameter set
+	 */
+	bliss_param_set_t *set;
+
+	/**
+	 * NTT of BLISS public key a (coefficients of polynomial (2g + 1)/f)
+	 */
+	uint32_t *A;
+
+	/**
+	 * reference counter
+	 */
+	refcount_t ref;
+};
+
+METHOD(public_key_t, get_type, key_type_t,
+	private_bliss_public_key_t *this)
+{
+	return KEY_BLISS;
+}
+
+/**
+ * Verify a BLISS signature based on a SHA-512 hash
+ */
+static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg,
+						 chunk_t data, chunk_t signature)
+{
+	int i, n;
+	int32_t *z1, *u;
+	int16_t *ud, *z2d;
+	uint16_t q, q2, p, *c_indices, *indices;
+	uint32_t *az;
+	uint8_t data_hash_buf[HASH_SIZE_SHA512];
+	chunk_t data_hash;
+	hasher_t *hasher;
+	bliss_fft_t *fft;
+	bliss_signature_t *sig;
+	bool success = FALSE;
+
+	/* Create data hash */
+	hasher = lib->crypto->create_hasher(lib->crypto, alg);
+	if (!hasher )
+	{
+		return FALSE;
+	}
+	data_hash = chunk_create(data_hash_buf, hasher->get_hash_size(hasher));
+
+	if (!hasher->get_hash(hasher, data, data_hash_buf))
+	{
+		hasher->destroy(hasher);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+
+	/* Create SHA512 hasher for c_indices oracle */
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+
+	sig = bliss_signature_create_from_data(this->set, signature);
+	if (!sig)
+	{
+		hasher->destroy(hasher);
+		return FALSE;
+	}
+	sig->get_parameters(sig, &z1, &z2d, &c_indices);
+
+	if (!bliss_utils_check_norms(this->set, z1, z2d))
+	{
+		hasher->destroy(hasher);
+		sig->destroy(sig);
+		return FALSE;
+	}
+
+	/* Initialize a couple of needed variables */
+	n  = this->set->n;
+	q  = this->set->q;
+	p  = this->set->p;
+	q2 = 2 * q;
+	az  = malloc(n * sizeof(uint32_t));
+	u   = malloc(n * sizeof(int32_t));
+	ud  = malloc(n * sizeof(int16_t));
+	indices   = malloc(this->set->kappa * sizeof(uint16_t));
+
+	for (i = 0; i < n; i++)
+	{
+		az[i] = z1[i] < 0 ? q + z1[i] : z1[i];
+	}
+	fft = bliss_fft_create(this->set->fft_params);
+	fft->transform(fft, az, az, FALSE);
+
+	for (i = 0; i < n; i++)
+	{
+		az[i] = (this->A[i] * az[i]) % q;
+	}
+	fft->transform(fft, az, az, TRUE);
+
+	for (i = 0; i < n; i++)
+	{
+		u[i] = (2 * this->set->q2_inv * az[i]) % q2;
+	}
+
+	for (i = 0; i < this->set->kappa; i++)
+	{
+		u[c_indices[i]] = (u[c_indices[i]] + q * this->set->q2_inv) % q2;
+	}
+	bliss_utils_round_and_drop(this->set, u, ud);
+
+	for (i = 0; i < n; i++)
+	{
+		ud[i] += z2d[i];
+		if (ud[i] < 0)
+		{
+			ud[i] += p;
+		}
+		else if (ud[i] >= p)
+		{
+			ud[i] -= p;
+		}
+	}
+
+	/* Detailed debugging information */
+	DBG3(DBG_LIB, "  i    u[i]  ud[i] z2d[i]");
+	for (i = 0; i < n; i++)
+	{
+		DBG3(DBG_LIB, "%3d  %6d   %4d  %4d", i, u[i], ud[i], z2d[i]);
+	}
+
+	if (!bliss_utils_generate_c(hasher, data_hash, ud, n, this->set->kappa,
+								indices))
+	{
+		goto end;
+	}
+
+	for (i = 0; i < this->set->kappa; i++)
+	{
+		if (indices[i] != c_indices[i])
+		{
+			DBG1(DBG_LIB, "signature verification failed");
+			goto end;
+		}
+	}
+	success = TRUE;
+
+end:
+	/* cleanup */
+	hasher->destroy(hasher);
+	sig->destroy(sig);
+	fft->destroy(fft);
+	free(az);
+	free(u);
+	free(ud);
+	free(indices);
+
+	return success;
+}
+
+METHOD(public_key_t, verify, bool,
+	private_bliss_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
+{
+	switch (scheme)
+	{
+		case SIGN_BLISS_WITH_SHA256:
+			return verify_bliss(this, HASH_SHA256, data, signature);
+		case SIGN_BLISS_WITH_SHA384:
+			return verify_bliss(this, HASH_SHA384, data, signature);
+		case SIGN_BLISS_WITH_SHA512:
+			return verify_bliss(this, HASH_SHA512, data, signature);
+		default:
+			DBG1(DBG_LIB, "signature scheme %N not supported by BLISS",
+				 signature_scheme_names, scheme);
+			return FALSE;
+	}
+}
+
+METHOD(public_key_t, encrypt_, bool,
+	private_bliss_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypto)
+{
+	DBG1(DBG_LIB, "encryption scheme %N not supported",
+				   encryption_scheme_names, scheme);
+	return FALSE;
+}
+
+METHOD(public_key_t, get_keysize, int,
+	private_bliss_public_key_t *this)
+{
+	return this->set->strength;
+}
+
+METHOD(public_key_t, get_encoding, bool,
+	private_bliss_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	bool success = TRUE;
+
+	*encoding = bliss_public_key_info_encode(this->set->oid, this->A, this->set);
+
+	if (type != PUBKEY_SPKI_ASN1_DER)
+	{
+		chunk_t asn1_encoding = *encoding;
+
+		success = lib->encoding->encode(lib->encoding, type,
+						NULL, encoding, CRED_PART_BLISS_PUB_ASN1_DER,
+						asn1_encoding, CRED_PART_END);
+		chunk_clear(&asn1_encoding);
+	}
+	return success;
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+	private_bliss_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
+{
+	bool success;
+
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
+	}
+	success = bliss_public_key_fingerprint(this->set->oid, this->A,
+										   this->set, type, fp);
+	if (success)
+	{
+		lib->encoding->cache(lib->encoding, type, this, *fp);
+	}
+	return success;
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_bliss_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(public_key_t, destroy, void,
+	private_bliss_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this);
+		free(this->A);
+		free(this);
+	}
+}
+
+/**
+ * ASN.1 definition of a BLISS public key
+ */
+static const asn1Object_t pubkeyObjects[] = {
+	{ 0, "subjectPublicKeyInfo",ASN1_SEQUENCE,		ASN1_OBJ  }, /*  0 */
+	{ 1,   "algorithm",			ASN1_EOC,			ASN1_RAW  }, /*  1 */
+	{ 1,   "subjectPublicKey",	ASN1_BIT_STRING,	ASN1_BODY }, /*  2 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT }
+};
+#define BLISS_SUBJECT_PUBLIC_KEY_ALGORITHM	1
+#define BLISS_SUBJECT_PUBLIC_KEY			2
+
+/**
+ * See header.
+ */
+bliss_public_key_t *bliss_public_key_load(key_type_t type, va_list args)
+{
+	private_bliss_public_key_t *this;
+	chunk_t blob = chunk_empty, object, param;
+	asn1_parser_t *parser;
+	bool success = FALSE;
+	int objectID, oid;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (blob.len == 0)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt_,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
+
+	parser = asn1_parser_create(pubkeyObjects, blob);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case BLISS_SUBJECT_PUBLIC_KEY_ALGORITHM:
+			{
+				oid = asn1_parse_algorithmIdentifier(object,
+								parser->get_level(parser)+1, &param);
+				if (oid != OID_BLISS_PUBLICKEY)
+				{
+					goto end;
+				}
+				if (!asn1_parse_simple_object(&param, ASN1_OID,
+								parser->get_level(parser)+3, "blissKeyType"))
+				{
+					goto end;
+				}
+				oid = asn1_known_oid(param);
+				if (oid == OID_UNKNOWN)
+				{
+					goto end;
+				}
+				this->set = bliss_param_set_get_by_oid(oid);
+				if (this->set == NULL)
+				{
+					goto end;
+				}
+				break;
+			}
+			case BLISS_SUBJECT_PUBLIC_KEY:
+				if (!bliss_public_key_from_asn1(object, this->set, &this->A))
+				{
+					goto end;
+				}
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	if (!success)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
+
+/**
+ * See header.
+ */
+bool bliss_public_key_from_asn1(chunk_t object, bliss_param_set_t *set,
+								uint32_t **pubkey)
+{
+	bliss_bitpacker_t *packer;
+	uint32_t coefficient;
+	uint16_t needed_bits;
+	int i;
+
+	/* skip initial bit string octet defining unused bits */
+	object = chunk_skip(object, 1);
+
+	needed_bits = set->n * set->q_bits;
+
+	if (8 * object.len < needed_bits)
+	{
+		return FALSE;
+	}
+	*pubkey = malloc(set->n * sizeof(uint32_t));
+
+	packer = bliss_bitpacker_create_from_data(object);
+
+	for (i = 0; i < set->n; i++)
+	{
+		packer->read_bits(packer, &coefficient, set->q_bits);
+		if (coefficient >= set->q)
+		{
+			packer->destroy(packer);
+			return FALSE;
+		}
+		(*pubkey)[i] = coefficient;
+	}
+	packer->destroy(packer);
+
+	return TRUE;
+}
+
+/**
+ * See header.
+ */
+chunk_t bliss_public_key_encode(uint32_t *pubkey, bliss_param_set_t *set)
+{
+	bliss_bitpacker_t *packer;
+	chunk_t encoding;
+	int i;
+
+	packer = bliss_bitpacker_create(set->n * set->q_bits);
+
+	for (i = 0; i < set->n; i++)
+	{
+		packer->write_bits(packer, pubkey[i], set->q_bits);
+	}
+	encoding = packer->extract_buf(packer);
+	packer->destroy(packer);
+
+	return encoding;
+}
+
+/**
+ * See header.
+ */
+chunk_t bliss_public_key_info_encode(int oid, uint32_t *pubkey,
+									 bliss_param_set_t *set)
+{
+	chunk_t encoding, pubkey_encoding;
+
+	pubkey_encoding = bliss_public_key_encode(pubkey, set);
+
+	encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+					asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_build_known_oid(OID_BLISS_PUBLICKEY),
+						asn1_build_known_oid(oid)),
+					asn1_bitstring("m", pubkey_encoding));
+
+	return encoding;
+}
+
+/**
+ * See header.
+ */
+bool bliss_public_key_fingerprint(int oid, uint32_t *pubkey,
+								  bliss_param_set_t *set,
+								  cred_encoding_type_t type, chunk_t *fp)
+{
+	hasher_t *hasher;
+	chunk_t key;
+
+	switch (type)
+	{
+		case KEYID_PUBKEY_SHA1:
+			key = bliss_public_key_encode(pubkey, set);
+			break;
+		case KEYID_PUBKEY_INFO_SHA1:
+			key = bliss_public_key_info_encode(oid, pubkey, set);
+			break;
+		default:
+			return FALSE;
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher || !hasher->allocate_hash(hasher, key, fp))
+	{
+		DBG1(DBG_LIB, "SHA1 hash algorithm not supported, fingerprinting failed");
+		DESTROY_IF(hasher);
+		free(key.ptr);
+
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+	free(key.ptr);
+
+	return TRUE;
+}
+
diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.h b/src/libstrongswan/plugins/bliss/bliss_public_key.h
new file mode 100644
index 000000000..cd8f231b2
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_public_key.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_public_key bliss_public_key
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_PUBLIC_KEY_H_
+#define BLISS_PUBLIC_KEY_H_
+
+#include "bliss_param_set.h"
+
+#include <credentials/builder.h>
+#include <credentials/cred_encoding.h>
+#include <credentials/keys/public_key.h>
+
+typedef struct bliss_public_key_t bliss_public_key_t;
+
+/**
+ * public_key_t implementation of BLISS signature algorithm
+ */
+struct bliss_public_key_t {
+
+	/**
+	 * Implements the public_key_t interface
+	 */
+	public_key_t key;
+};
+
+/**
+ * Load a BLISS public key.
+ *
+ * Accepts BUILD_BLISS_* components.
+ *
+ * @param type		type of the key, must be KEY_BLISS
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+bliss_public_key_t *bliss_public_key_load(key_type_t type, va_list args);
+
+/* The following functions are shared with the bliss_private_key class */
+
+/**
+ * Parse an ASN.1 BIT STRING into an array of public key coefficients
+ *
+ * @param object	packed subjectPublicKey
+ * @param set		BLISS parameter set for public key vector
+ * @param pubkey	coefficients of public key vector
+ * @return			TRUE if parsing successful
+ */
+bool bliss_public_key_from_asn1(chunk_t object, bliss_param_set_t *set,
+								uint32_t **pubkey);
+
+/**
+ * Encode a raw BLISS subjectPublicKey in ASN.1 DER format
+ *
+ * @param pubkey	coefficients of public key vector
+ * @param set		BLISS parameter set for the public key vector
+ * @result			ASN.1 encoded subjectPublicKey
+ */
+chunk_t bliss_public_key_encode(uint32_t *pubkey, bliss_param_set_t *set);
+
+/**
+ * Encode a BLISS subjectPublicKeyInfo record in ASN.1 DER format
+ *
+ * @param oid		BLISS public key type OID
+ * @param pubkey	coefficients of public key vector
+ * @param set		BLISS parameter set for the public key vector
+ * @result			ASN.1 encoded subjectPublicKeyInfo record
+ */
+chunk_t bliss_public_key_info_encode(int oid, uint32_t *pubkey,
+									 bliss_param_set_t *set);
+
+/**
+ * Generate a BLISS public key fingerprint
+ *
+ * @param oid		BLISS public key type OID
+ * @param pubkey	coefficients of public key vector
+ * @param set		BLISS parameter set for the public key vector
+ * @param type		type of fingerprint to be generated
+ * @param fp		generated fingerprint (must be freed by caller)
+ * @result			TRUE if generation was successful
+ */
+bool bliss_public_key_fingerprint(int oid, uint32_t *pubkey,
+								  bliss_param_set_t *set,
+								  cred_encoding_type_t type, chunk_t *fp);
+
+#endif /** BLISS_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_sampler.c b/src/libstrongswan/plugins/bliss/bliss_sampler.c
new file mode 100644
index 000000000..fa45a2fac
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_sampler.c
@@ -0,0 +1,250 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_sampler.h"
+
+typedef struct private_bliss_sampler_t private_bliss_sampler_t;
+
+#include <crypto/mgf1/mgf1_bitspender.h>
+
+/**
+ * Private data of a bliss_sampler_t object.
+ */
+struct private_bliss_sampler_t {
+
+	/**
+	 * Public interface.
+	 */
+	bliss_sampler_t public;
+
+	/**
+	 * BLISS parameter the rejection sampling is to be based on
+	 */
+	bliss_param_set_t *set;
+
+	/**
+	 * Bitspender used for random rejection sampling
+	 */
+	mgf1_bitspender_t *bitspender;
+
+};
+
+METHOD(bliss_sampler_t, bernoulli_exp, bool,
+	private_bliss_sampler_t *this, uint32_t x, bool *accepted)
+{
+	uint32_t x_mask;
+	uint8_t *c, u;
+	int i;
+
+	x_mask = 1 << (this->set->c_rows - 1);
+	c = this->set->c;
+	c += (this->set->c_rows - 1) * this->set->c_cols;
+
+	while (x_mask > 0)
+	{
+		if (x & x_mask)
+		{
+			for (i = 0; i < this->set->c_cols; i++)
+			{
+				if (!this->bitspender->get_byte(this->bitspender, &u))
+				{
+					return FALSE;
+				}
+				if (u < c[i])
+				{
+					break;
+				}
+				else if (u > c[i])
+				{
+					*accepted = FALSE;
+					return TRUE;
+				}
+			}
+		}
+		x_mask >>= 1;
+		c -= this->set->c_cols;
+	}
+
+	*accepted = TRUE;
+	return TRUE;
+}
+
+METHOD(bliss_sampler_t, bernoulli_cosh, bool,
+	private_bliss_sampler_t *this, int32_t x, bool *accepted)
+{
+	uint32_t u;
+
+	x = 2 * (x < 0 ? -x : x);
+
+	while (TRUE)
+	{
+		if (!bernoulli_exp(this, x, accepted))
+		{
+			return FALSE;
+		}
+		if (*accepted)
+		{
+			return TRUE;
+		}
+		if (!this->bitspender->get_bits(this->bitspender, 1, &u))
+		{
+			return FALSE;
+		}
+		if (u)
+		{
+			continue;
+		}
+		if (!bernoulli_exp(this, x, accepted))
+		{
+			return FALSE;
+		}
+		if (!(*accepted))
+		{
+			return TRUE;
+		}
+	}
+}
+
+#define MAX_SAMPLE_INDEX	16
+
+METHOD(bliss_sampler_t, pos_binary, bool,
+	private_bliss_sampler_t *this, uint32_t *x)
+{
+	uint32_t u, i;
+
+	while (TRUE)
+	{
+		for (i = 0; i <= MAX_SAMPLE_INDEX; i++)
+		{
+			if (!this->bitspender->get_bits(this->bitspender,
+											i ? (2*i - 1) : 1, &u))
+			{
+				return FALSE;
+			}
+			if (u == 0)
+			{
+				*x = i;
+				return TRUE;
+			}
+			if ((u >> 1) != 0)
+			{
+				break;
+			}
+		}
+		if (i > MAX_SAMPLE_INDEX)
+		{
+			return FALSE;
+		}
+	}
+}
+
+METHOD(bliss_sampler_t, gaussian, bool,
+	private_bliss_sampler_t *this, int32_t *z)
+{
+	uint32_t u, x, y, z_pos;
+	bool accepted;
+
+	while (TRUE)
+	{
+		if (!pos_binary(this, &x))
+		{
+			return FALSE;
+		}
+
+		do
+		{
+			if (!this->bitspender->get_bits(this->bitspender,
+											this->set->k_sigma_bits, &y))
+			{
+				return FALSE;
+			}
+		}
+		while (y >= this->set->k_sigma);
+
+		if (!bernoulli_exp(this, y * (y + 2*this->set->k_sigma * x), &accepted))
+		{
+			return FALSE;
+		}
+		if (accepted)
+		{
+			if (!this->bitspender->get_bits(this->bitspender, 1, &u))
+			{
+				return FALSE;
+			}
+			if (x || y || u)
+			{ 
+				break;
+			}
+		}
+	}
+
+	z_pos = this->set->k_sigma * x + y;
+	*z = u ? z_pos : -z_pos;
+
+	return TRUE;
+}
+
+METHOD(bliss_sampler_t, sign, bool,
+	private_bliss_sampler_t *this, bool *positive)
+{
+	uint32_t u;
+
+	if (!this->bitspender->get_bits(this->bitspender, 1, &u))
+	{
+		return FALSE;
+	}
+	*positive = u;
+
+	return TRUE;
+}
+
+METHOD(bliss_sampler_t, destroy, void,
+	private_bliss_sampler_t *this)
+{
+	this->bitspender->destroy(this->bitspender);
+	free(this);
+}
+
+
+/**
+ * See header.
+ */
+bliss_sampler_t *bliss_sampler_create(hash_algorithm_t alg, chunk_t seed,
+									  bliss_param_set_t *set)
+{
+	private_bliss_sampler_t *this;
+	mgf1_bitspender_t *bitspender;
+
+	bitspender = mgf1_bitspender_create(alg, seed, FALSE);
+	if (!bitspender)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.bernoulli_exp = _bernoulli_exp,
+			.bernoulli_cosh = _bernoulli_cosh,
+			.pos_binary = _pos_binary,
+			.gaussian = _gaussian,
+			.sign = _sign,
+			.destroy = _destroy,
+		},
+		.set = set,
+		.bitspender = bitspender,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_sampler.h b/src/libstrongswan/plugins/bliss/bliss_sampler.h
new file mode 100644
index 000000000..2c75d4480
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_sampler.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_sampler bliss_sampler
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_SAMPLER_H_
+#define BLISS_SAMPLER_H_
+
+typedef struct bliss_sampler_t bliss_sampler_t;
+
+#include "bliss_param_set.h"
+
+#include <library.h>
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation various rejection sampling algorithms.
+ */
+struct bliss_sampler_t {
+
+	/**
+	 * Sample according to exp(-x/(2*sigma^2))
+	 *
+	 * @param x			Value to be sampled
+	 * @param accepted	TRUE if value is accepted, FALSE if rejected
+	 * @result			TRUE if sampling was successful
+	 */
+	bool (*bernoulli_exp)(bliss_sampler_t *this, uint32_t x, bool *accepted);
+
+	/**
+	 * Sample according to 1/cosh(x/sigma^2)
+	 *
+	 * @param x			Value to be sampled
+	 * @param accepted	TRUE if value is accepted, FALSE if rejected
+	 * @result			TRUE if sampling was successful
+	 */
+	bool (*bernoulli_cosh)(bliss_sampler_t *this, int32_t x, bool *accepted);
+
+	/**
+	 * Sample according to 2^(-x^2) for positive x
+	 *
+	 * @param x			Generated value
+	 * @result			TRUE if sampling was successful
+	 */
+	bool (*pos_binary)(bliss_sampler_t *this, uint32_t *x);
+
+	/**
+	 * Sample according to the Gaussian distribution exp(-x^2/(2*sigma^2))
+	 *
+	 * @param z			Generated value with Gaussian distribution
+	 * @result			TRUE if sampling was successful
+	 */
+	bool (*gaussian)(bliss_sampler_t *this, int32_t *z);
+
+	/**
+	 * Sample the sign according to the binary distribution
+	 *
+	 * @param positive	TRUE if positive
+	 * @result			TRUE if sampling was successful
+	 */
+	bool (*sign)(bliss_sampler_t *this, bool *positive);
+
+	/**
+	 * Destroy bliss_sampler_t object
+	 */
+	void (*destroy)(bliss_sampler_t *this);
+};
+
+/**
+ * Create a bliss_sampler_t object.
+ *
+ * @param alg		Hash algorithm to be used for the internal bitspender
+ * @param seed		Seed used to initialize the internal bitspender
+ * @param set		BLISS parameter set to be used
+ */
+bliss_sampler_t *bliss_sampler_create(hash_algorithm_t alg, chunk_t seed,
+									  bliss_param_set_t *set);
+
+#endif /** BLISS_SAMPLER_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_signature.c b/src/libstrongswan/plugins/bliss/bliss_signature.c
new file mode 100644
index 000000000..e603da399
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_signature.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_signature.h"
+#include "bliss_bitpacker.h"
+#include "bliss_huffman_coder.h"
+
+
+typedef struct private_bliss_signature_t private_bliss_signature_t;
+
+/**
+ * Private data of a bliss_signature_t object.
+ */
+struct private_bliss_signature_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	bliss_signature_t public;
+
+	/**
+	 * BLISS signature parameter set
+	 */
+	bliss_param_set_t *set;
+
+	/**
+	 * BLISS signature vector z1 of size n
+	 */
+	int32_t *z1;
+
+	/**
+	 * BLISS signature vector z2d of size n
+	 */
+	int16_t *z2d;
+
+	/**
+	 * Indices of sparse BLISS challenge vector c of size kappa
+	 */
+	uint16_t *c_indices;
+
+};
+
+METHOD(bliss_signature_t, get_encoding, chunk_t,
+	private_bliss_signature_t *this)
+{
+	bliss_bitpacker_t *packer;
+	bliss_huffman_coder_t *coder;
+	bliss_huffman_code_t *code;
+	int32_t z1;
+	uint32_t z1_sign;
+	uint16_t z2d_bits;
+	chunk_t encoding = chunk_empty;
+	int i;
+
+	z2d_bits = this->set->z1_bits - this->set->d;
+
+	/* Get Huffman code for this BLISS parameter set */
+	code = bliss_huffman_code_get_by_id(this->set->id);
+	if (!code)
+	{
+		DBG1(DBG_LIB, "no Huffman code found for parameter set %N",
+			 bliss_param_set_id_names, this->set->id);
+		return chunk_empty;
+	}
+
+	packer = bliss_bitpacker_create(this->set->n * this->set->z1_bits +
+									this->set->n * z2d_bits +
+									this->set->kappa * this->set->n_bits);
+	coder = bliss_huffman_coder_create(code, packer);
+
+	for (i = 0; i < this->set->n; i++)
+	{
+		/* determine and remove the sign of z1[i]*/
+		z1_sign = this->z1[i] < 0;
+		z1 = z1_sign ? -this->z1[i] : this->z1[i];
+
+		if (!packer->write_bits(packer, z1_sign, 1) ||
+			!packer->write_bits(packer, z1 & 0xff, 8) ||
+			!coder->encode(coder, z1 >> 8, this->z2d[i]))
+		{
+			goto end;
+		}
+	}
+	for (i = 0; i < this->set->kappa; i++)
+	{
+		if (!packer->write_bits(packer, this->c_indices[i], this->set->n_bits))
+		{
+			goto end;
+		}
+	}
+	encoding = packer->extract_buf(packer);
+
+	DBG2(DBG_LIB, "efficiency of Huffman coder is %6.4f bits/tuple (%u bits)",
+				   coder->get_bits(coder)/(double)(this->set->n), 
+				   coder->get_bits(coder));
+	DBG2(DBG_LIB, "generated BLISS signature (%u bits encoded in %u bytes)",
+				   packer->get_bits(packer), encoding.len);
+
+	end:
+	coder->destroy(coder);
+	packer->destroy(packer);
+	return encoding;
+}
+
+METHOD(bliss_signature_t, get_parameters, void,
+	private_bliss_signature_t *this, int32_t **z1, int16_t **z2d,
+	uint16_t **c_indices)
+{
+	*z1 = this->z1;
+	*z2d = this->z2d;
+	*c_indices = this->c_indices;
+}
+
+METHOD(bliss_signature_t, destroy, void,
+	private_bliss_signature_t *this)
+{
+	free(this->z1);
+	free(this->z2d);
+	free(this->c_indices);
+	free(this);
+}
+
+/**
+ * See header.
+ */
+bliss_signature_t *bliss_signature_create(bliss_param_set_t *set)
+{
+	private_bliss_signature_t *this;
+
+	INIT(this,
+		.public = {
+			.get_encoding = _get_encoding,
+			.get_parameters = _get_parameters,
+			.destroy = _destroy,
+		},
+		.set = set,
+		.z1  = malloc(set->n * sizeof(int32_t)),
+		.z2d = malloc(set->n * sizeof(int16_t)),
+		.c_indices = malloc(set->n * sizeof(uint16_t)),
+	);
+
+	return &this->public;
+}
+
+/**
+ * See header.
+ */
+bliss_signature_t *bliss_signature_create_from_data(bliss_param_set_t *set,
+													chunk_t encoding)
+{
+	private_bliss_signature_t *this;
+	bliss_bitpacker_t *packer;
+	bliss_huffman_coder_t *coder;
+	bliss_huffman_code_t *code;
+	uint32_t z1_sign, z1_low, value;
+	int32_t z1;
+	int16_t z2;
+	int i;
+
+	/* Get Huffman code for this BLISS parameter set */
+	code = bliss_huffman_code_get_by_id(set->id);
+	if (!code)
+	{
+		DBG1(DBG_LIB, "no Huffman code found for parameter set %N",
+			 bliss_param_set_id_names, set->id);
+		return NULL;
+	}
+
+	if (encoding.len == 0)
+	{
+		DBG1(DBG_LIB, "zero length BLISS signature");
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.get_encoding = _get_encoding,
+			.get_parameters = _get_parameters,
+			.destroy = _destroy,
+		},
+		.set = set,
+		.z1  = malloc(set->n * sizeof(int32_t)),
+		.z2d = malloc(set->n * sizeof(int16_t)),
+		.c_indices = malloc(set->n * sizeof(uint16_t)),
+	);
+
+	packer = bliss_bitpacker_create_from_data(encoding);
+	coder = bliss_huffman_coder_create(code, packer);
+
+	for (i = 0; i < set->n; i++)
+	{
+		if (!packer->read_bits(packer, &z1_sign, 1) ||
+			!packer->read_bits(packer, &z1_low, 8) ||
+			!coder->decode(coder, &z1, &z2))
+		{
+			DBG1(DBG_LIB, "truncated BLISS signature encoding of z1/z2");
+			coder->destroy(coder);
+			packer->destroy(packer);
+			destroy(this);
+			return NULL;
+		}
+		z1 = (z1 << 8) + z1_low;
+		this->z1[i] = z1_sign ? -z1 : z1;
+		this->z2d[i] = z2;
+	}
+	coder->destroy(coder);
+
+	for (i = 0; i < set->kappa; i++)
+	{
+		if (!packer->read_bits(packer, &value, set->n_bits))
+		{
+			DBG1(DBG_LIB, "truncated BLISS signature encoding of c_indices");
+			packer->destroy(packer);
+			destroy(this);
+			return NULL;
+		}
+		this->c_indices[i] = value;
+	}
+	packer->destroy(packer);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_signature.h b/src/libstrongswan/plugins/bliss/bliss_signature.h
new file mode 100644
index 000000000..d37f5398b
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_signature.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_signature bliss_signature
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_SIGNATURE_H_
+#define BLISS_SIGNATURE_H_
+
+typedef struct bliss_signature_t bliss_signature_t;
+
+#include "bliss_param_set.h"
+
+#include <library.h>
+
+/**
+ * Public interface of BLISS signature object
+ */
+struct bliss_signature_t {
+
+	/**
+	 * Get compressed binary encoding of BLISS signature
+	 *
+	 * @result			binary encoding of BLISS signature
+	 */
+	chunk_t (*get_encoding)(bliss_signature_t *this);
+
+	/**
+	 * Get signature parameters extracted from compressd binary encoding
+	 *
+	 * @param z1		signature vector z1 of size n
+	 * @param z2d		signature vector z2d of size n
+	 * @param c_indices	indices of sparse binary challenge vector of size kappa
+	 */
+	void (*get_parameters)(bliss_signature_t *this, int32_t **z1, int16_t **z2d,
+						   uint16_t **c_indices);
+
+	/**
+	 * Destroy bliss_signature_t object
+	 */
+	void (*destroy)(bliss_signature_t *this);
+
+};
+
+/**
+ * Create a BLISS signature object.
+ *
+ * @param set			BLISS parameter set
+ */
+bliss_signature_t *bliss_signature_create(bliss_param_set_t *set);
+
+/**
+ * Create a BLISS signature object from encoding.
+ *
+ * @param set			BLISS parameter set
+ * @param encoding		binary signature encoding
+ */
+bliss_signature_t *bliss_signature_create_from_data(bliss_param_set_t *set,
+													chunk_t encoding);
+
+#endif /** BLISS_SIGNATURE_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.c b/src/libstrongswan/plugins/bliss/bliss_utils.c
new file mode 100644
index 000000000..5a069989c
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_utils.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_utils.h"
+
+#include <asn1/asn1.h>
+#include <crypto/hashers/hasher.h>
+#include <utils/debug.h>
+
+/**
+ * See header.
+ */
+int32_t bliss_utils_scalar_product(int32_t *x, int32_t *y, int n)
+{
+	int32_t product = 0;
+	int i;
+
+	for (i = 0; i < n; i++)
+	{
+		product += x[i] * y[i];
+	}
+
+	return product;
+}
+
+/**
+ * See header.
+ */
+void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd)
+{
+	int32_t factor;
+	int i;
+
+	factor = 1 << set->d;
+
+	for (i = 0; i < set->n; i++)
+	{
+		xd[i] = ((x[i] + (factor >> 1)) / factor) % set->p;
+	}
+}
+
+/**
+ * See header.
+ */
+bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud,
+							int n, uint16_t kappa, uint16_t *c_indices)
+{
+	int i, j;
+	uint64_t extra_bits;
+	uint16_t index, rounds = 0;
+	uint8_t hash[HASH_SIZE_SHA512], un16_buf[2];
+	chunk_t un16 = { un16_buf, 2 };
+	bool index_taken[n];
+
+	while (TRUE)
+	{
+		if (!hasher->get_hash(hasher, data_hash, NULL))
+		{
+			return FALSE;
+		}
+
+		for (i = 0; i < n; i++)
+		{
+			htoun16(un16_buf, ud[i]);
+			if (!hasher->get_hash(hasher, un16, NULL))
+			{
+				return FALSE;
+			}
+			index_taken[i] = FALSE;
+		}
+
+		htoun16(un16_buf, rounds++);
+		if (!hasher->get_hash(hasher, un16, hash))
+		{
+			return FALSE;
+		}
+
+		extra_bits = untoh64(hash + sizeof(hash) - sizeof(uint64_t));
+
+		for (i = 0, j = 0; j < sizeof(hash); j++)
+		{
+			index = 2 * (uint16_t)hash[i] + (extra_bits & 1);
+			if (!index_taken[index])
+			{
+				c_indices[i++] = index;
+				index_taken[index] = TRUE;
+			}
+			if (i == kappa)
+			{
+				return TRUE;
+			}
+		}
+	}
+}
+
+/**
+ * See header.
+ */
+bool bliss_utils_check_norms(bliss_param_set_t *set, int32_t *z1, int16_t *z2d)
+{
+	int32_t z2ds[set->n];
+	int32_t z1_min, z1_max, norm;
+	int16_t z2d_min, z2d_max;
+	int i;
+
+	/* some statistics on the values of z1 and z2d */
+	z1_min  = z1_max  = z1[0];
+	z2d_min = z2d_max = z2d[0];
+
+	for (i = 1; i < set->n; i++)
+	{
+		if (z1[i] < z1_min)
+		{
+			z1_min = z1[i];
+		}
+		else if (z1[i] > z1_max)
+		{
+			z1_max = z1[i];
+		}
+		if (z2d[i] < z2d_min)
+		{
+			z2d_min = z2d[i];
+		}
+		else if (z2d[i] > z2d_max)
+		{
+			z2d_max = z2d[i];
+		}
+	}
+	DBG2(DBG_LIB, "z1 = %d..%d, z2d = %d..%d", z1_min, z1_max, z2d_min, z2d_max);
+
+	/* Restriction on infinite norm */
+	for (i = 0; i < set->n; i++)
+	{
+		z2ds[i] = (1 << set->d) * z2d[i];
+
+		if (z1[i] >=  set->B_inf || z2ds[i] >=  set->B_inf ||
+			z1[i] <= -set->B_inf || z2ds[i] <= -set->B_inf)
+		{
+			DBG2(DBG_LIB, "signature rejected due to excessive infinite norm");
+			return FALSE;
+		}
+	}
+
+	/* Restriction on l2-norm */
+	norm = bliss_utils_scalar_product(z1, z1, set->n) +
+		   bliss_utils_scalar_product(z2ds, z2ds, set->n);
+
+	if (norm >= set->B_l2)
+	{
+		DBG2(DBG_LIB, "signature rejected due to excessive l2-norm");
+		return FALSE;
+	}
+
+	return TRUE;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.h b/src/libstrongswan/plugins/bliss/bliss_utils.h
new file mode 100644
index 000000000..063fd91c8
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_utils.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_utils bliss_utils
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_UTILS_H_
+#define BLISS_UTILS_H_
+
+#include "bliss_param_set.h"
+
+#include <library.h>
+
+/**
+ * Compute the scalar product of two vectors of size n
+ *
+ * @param x			input vector of size n
+ * @param y			input vector of size n
+ * @param n			size of input vectors x and y
+ * @result			scalar product of x and y
+ */
+int32_t bliss_utils_scalar_product(int32_t *x, int32_t *y, int n);
+
+/**
+ * Drop d bits but round first
+ *
+ * @param set		BLISS parameter set
+ * @param x			input vector x of size n
+ * @param xd		rounded vector x with d bits dropped
+ */
+void bliss_utils_round_and_drop(bliss_param_set_t *set,	int32_t *x, int16_t *xd);
+
+/**
+ * Generate the binary challenge vector c as an array of kappa indices
+ *
+ * @param hasher	hasher used as an oracle
+ * @param data_hash	hash of the data to be signed
+ * @param ud		input vector ud of size n
+ * @param n			size of input vector ud
+ * @param kappa		parameter kappa
+ * @param c_indices	indexes of non-zero challenge coefficients
+ */
+bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud,
+							int n, uint16_t kappa, uint16_t *c_indices);
+
+/**
+ * Check the infinity and l2 norms of the vectors z1 and z2d << d
+ *
+ * @param set	BLISS parameter set
+ * @param z1	input vector
+ * @param z2d	input vector
+ * @result		TRUE if infinite and l2 norms do not exceed boundaries
+ */
+bool bliss_utils_check_norms(bliss_param_set_t *set, int32_t *z1, int16_t *z2d);
+
+#endif /** BLISS_UTILS_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.am b/src/libstrongswan/plugins/bliss/tests/Makefile.am
new file mode 100644
index 000000000..bd87753f5
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/Makefile.am
@@ -0,0 +1,27 @@
+TESTS = bliss_tests
+
+check_PROGRAMS = $(TESTS)
+
+bliss_tests_SOURCES = \
+	suites/test_bliss_fft.c \
+	suites/test_bliss_bitpacker.c \
+	suites/test_bliss_huffman.c \
+	suites/test_bliss_keys.c \
+	suites/test_bliss_sampler.c \
+	suites/test_bliss_signature.c \
+	suites/test_bliss_sign.c \
+	bliss_tests.h bliss_tests.c
+
+bliss_tests_CFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/tests \
+	-I$(top_srcdir)/src/libstrongswan/plugins/bliss \
+	-DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
+	-DPLUGINS=\""${s_plugins}\"" \
+	@COVERAGE_CFLAGS@
+
+bliss_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+bliss_tests_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la \
+	../libbliss.la
diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.in b/src/libstrongswan/plugins/bliss/tests/Makefile.in
new file mode 100644
index 000000000..5a1ce3d50
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/Makefile.in
@@ -0,0 +1,985 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+TESTS = bliss_tests$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
+subdir = src/libstrongswan/plugins/bliss/tests
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__EXEEXT_1 = bliss_tests$(EXEEXT)
+am__dirstamp = $(am__leading_dot)dirstamp
+am_bliss_tests_OBJECTS = suites/bliss_tests-test_bliss_fft.$(OBJEXT) \
+	suites/bliss_tests-test_bliss_bitpacker.$(OBJEXT) \
+	suites/bliss_tests-test_bliss_huffman.$(OBJEXT) \
+	suites/bliss_tests-test_bliss_keys.$(OBJEXT) \
+	suites/bliss_tests-test_bliss_sampler.$(OBJEXT) \
+	suites/bliss_tests-test_bliss_signature.$(OBJEXT) \
+	suites/bliss_tests-test_bliss_sign.$(OBJEXT) \
+	bliss_tests-bliss_tests.$(OBJEXT)
+bliss_tests_OBJECTS = $(am_bliss_tests_OBJECTS)
+bliss_tests_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la \
+	../libbliss.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+bliss_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(bliss_tests_CFLAGS) \
+	$(CFLAGS) $(bliss_tests_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(bliss_tests_SOURCES)
+DIST_SOURCES = $(bliss_tests_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__tty_colors_dummy = \
+  mgn= red= grn= lgn= blu= brg= std=; \
+  am__color_tests=no
+am__tty_colors = { \
+  $(am__tty_colors_dummy); \
+  if test "X$(AM_COLOR_TESTS)" = Xno; then \
+    am__color_tests=no; \
+  elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+    am__color_tests=yes; \
+  elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+    am__color_tests=yes; \
+  fi; \
+  if test $$am__color_tests = yes; then \
+    red=''; \
+    grn=''; \
+    lgn=''; \
+    blu=''; \
+    mgn=''; \
+    brg=''; \
+    std=''; \
+  fi; \
+}
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+bliss_tests_SOURCES = \
+	suites/test_bliss_fft.c \
+	suites/test_bliss_bitpacker.c \
+	suites/test_bliss_huffman.c \
+	suites/test_bliss_keys.c \
+	suites/test_bliss_sampler.c \
+	suites/test_bliss_signature.c \
+	suites/test_bliss_sign.c \
+	bliss_tests.h bliss_tests.c
+
+bliss_tests_CFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/tests \
+	-I$(top_srcdir)/src/libstrongswan/plugins/bliss \
+	-DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
+	-DPLUGINS=\""${s_plugins}\"" \
+	@COVERAGE_CFLAGS@
+
+bliss_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+bliss_tests_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la \
+	../libbliss.la
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/bliss/tests/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/bliss/tests/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+suites/$(am__dirstamp):
+	@$(MKDIR_P) suites
+	@: > suites/$(am__dirstamp)
+suites/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) suites/$(DEPDIR)
+	@: > suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_fft.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_bitpacker.$(OBJEXT):  \
+	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_huffman.$(OBJEXT):  \
+	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_keys.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_sampler.$(OBJEXT):  \
+	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_signature.$(OBJEXT):  \
+	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_sign.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+
+bliss_tests$(EXEEXT): $(bliss_tests_OBJECTS) $(bliss_tests_DEPENDENCIES) $(EXTRA_bliss_tests_DEPENDENCIES) 
+	@rm -f bliss_tests$(EXEEXT)
+	$(AM_V_CCLD)$(bliss_tests_LINK) $(bliss_tests_OBJECTS) $(bliss_tests_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+	-rm -f suites/*.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_tests-bliss_tests.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+suites/bliss_tests-test_bliss_fft.o: suites/test_bliss_fft.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_fft.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo -c -o suites/bliss_tests-test_bliss_fft.o `test -f 'suites/test_bliss_fft.c' || echo '$(srcdir)/'`suites/test_bliss_fft.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_fft.c' object='suites/bliss_tests-test_bliss_fft.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_fft.o `test -f 'suites/test_bliss_fft.c' || echo '$(srcdir)/'`suites/test_bliss_fft.c
+
+suites/bliss_tests-test_bliss_fft.obj: suites/test_bliss_fft.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_fft.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo -c -o suites/bliss_tests-test_bliss_fft.obj `if test -f 'suites/test_bliss_fft.c'; then $(CYGPATH_W) 'suites/test_bliss_fft.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_fft.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_fft.c' object='suites/bliss_tests-test_bliss_fft.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_fft.obj `if test -f 'suites/test_bliss_fft.c'; then $(CYGPATH_W) 'suites/test_bliss_fft.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_fft.c'; fi`
+
+suites/bliss_tests-test_bliss_bitpacker.o: suites/test_bliss_bitpacker.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_bitpacker.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo -c -o suites/bliss_tests-test_bliss_bitpacker.o `test -f 'suites/test_bliss_bitpacker.c' || echo '$(srcdir)/'`suites/test_bliss_bitpacker.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_bitpacker.c' object='suites/bliss_tests-test_bliss_bitpacker.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_bitpacker.o `test -f 'suites/test_bliss_bitpacker.c' || echo '$(srcdir)/'`suites/test_bliss_bitpacker.c
+
+suites/bliss_tests-test_bliss_bitpacker.obj: suites/test_bliss_bitpacker.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_bitpacker.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo -c -o suites/bliss_tests-test_bliss_bitpacker.obj `if test -f 'suites/test_bliss_bitpacker.c'; then $(CYGPATH_W) 'suites/test_bliss_bitpacker.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_bitpacker.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_bitpacker.c' object='suites/bliss_tests-test_bliss_bitpacker.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_bitpacker.obj `if test -f 'suites/test_bliss_bitpacker.c'; then $(CYGPATH_W) 'suites/test_bliss_bitpacker.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_bitpacker.c'; fi`
+
+suites/bliss_tests-test_bliss_huffman.o: suites/test_bliss_huffman.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_huffman.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Tpo -c -o suites/bliss_tests-test_bliss_huffman.o `test -f 'suites/test_bliss_huffman.c' || echo '$(srcdir)/'`suites/test_bliss_huffman.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_huffman.c' object='suites/bliss_tests-test_bliss_huffman.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_huffman.o `test -f 'suites/test_bliss_huffman.c' || echo '$(srcdir)/'`suites/test_bliss_huffman.c
+
+suites/bliss_tests-test_bliss_huffman.obj: suites/test_bliss_huffman.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_huffman.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Tpo -c -o suites/bliss_tests-test_bliss_huffman.obj `if test -f 'suites/test_bliss_huffman.c'; then $(CYGPATH_W) 'suites/test_bliss_huffman.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_huffman.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_huffman.c' object='suites/bliss_tests-test_bliss_huffman.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_huffman.obj `if test -f 'suites/test_bliss_huffman.c'; then $(CYGPATH_W) 'suites/test_bliss_huffman.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_huffman.c'; fi`
+
+suites/bliss_tests-test_bliss_keys.o: suites/test_bliss_keys.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_keys.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Tpo -c -o suites/bliss_tests-test_bliss_keys.o `test -f 'suites/test_bliss_keys.c' || echo '$(srcdir)/'`suites/test_bliss_keys.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_keys.c' object='suites/bliss_tests-test_bliss_keys.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_keys.o `test -f 'suites/test_bliss_keys.c' || echo '$(srcdir)/'`suites/test_bliss_keys.c
+
+suites/bliss_tests-test_bliss_keys.obj: suites/test_bliss_keys.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_keys.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Tpo -c -o suites/bliss_tests-test_bliss_keys.obj `if test -f 'suites/test_bliss_keys.c'; then $(CYGPATH_W) 'suites/test_bliss_keys.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_keys.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_keys.c' object='suites/bliss_tests-test_bliss_keys.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_keys.obj `if test -f 'suites/test_bliss_keys.c'; then $(CYGPATH_W) 'suites/test_bliss_keys.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_keys.c'; fi`
+
+suites/bliss_tests-test_bliss_sampler.o: suites/test_bliss_sampler.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_sampler.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Tpo -c -o suites/bliss_tests-test_bliss_sampler.o `test -f 'suites/test_bliss_sampler.c' || echo '$(srcdir)/'`suites/test_bliss_sampler.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_sampler.c' object='suites/bliss_tests-test_bliss_sampler.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_sampler.o `test -f 'suites/test_bliss_sampler.c' || echo '$(srcdir)/'`suites/test_bliss_sampler.c
+
+suites/bliss_tests-test_bliss_sampler.obj: suites/test_bliss_sampler.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_sampler.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Tpo -c -o suites/bliss_tests-test_bliss_sampler.obj `if test -f 'suites/test_bliss_sampler.c'; then $(CYGPATH_W) 'suites/test_bliss_sampler.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_sampler.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_sampler.c' object='suites/bliss_tests-test_bliss_sampler.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_sampler.obj `if test -f 'suites/test_bliss_sampler.c'; then $(CYGPATH_W) 'suites/test_bliss_sampler.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_sampler.c'; fi`
+
+suites/bliss_tests-test_bliss_signature.o: suites/test_bliss_signature.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_signature.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Tpo -c -o suites/bliss_tests-test_bliss_signature.o `test -f 'suites/test_bliss_signature.c' || echo '$(srcdir)/'`suites/test_bliss_signature.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_signature.c' object='suites/bliss_tests-test_bliss_signature.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_signature.o `test -f 'suites/test_bliss_signature.c' || echo '$(srcdir)/'`suites/test_bliss_signature.c
+
+suites/bliss_tests-test_bliss_signature.obj: suites/test_bliss_signature.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_signature.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Tpo -c -o suites/bliss_tests-test_bliss_signature.obj `if test -f 'suites/test_bliss_signature.c'; then $(CYGPATH_W) 'suites/test_bliss_signature.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_signature.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_signature.c' object='suites/bliss_tests-test_bliss_signature.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_signature.obj `if test -f 'suites/test_bliss_signature.c'; then $(CYGPATH_W) 'suites/test_bliss_signature.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_signature.c'; fi`
+
+suites/bliss_tests-test_bliss_sign.o: suites/test_bliss_sign.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_sign.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Tpo -c -o suites/bliss_tests-test_bliss_sign.o `test -f 'suites/test_bliss_sign.c' || echo '$(srcdir)/'`suites/test_bliss_sign.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_sign.c' object='suites/bliss_tests-test_bliss_sign.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_sign.o `test -f 'suites/test_bliss_sign.c' || echo '$(srcdir)/'`suites/test_bliss_sign.c
+
+suites/bliss_tests-test_bliss_sign.obj: suites/test_bliss_sign.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_sign.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Tpo -c -o suites/bliss_tests-test_bliss_sign.obj `if test -f 'suites/test_bliss_sign.c'; then $(CYGPATH_W) 'suites/test_bliss_sign.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_sign.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_bliss_sign.c' object='suites/bliss_tests-test_bliss_sign.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_sign.obj `if test -f 'suites/test_bliss_sign.c'; then $(CYGPATH_W) 'suites/test_bliss_sign.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_sign.c'; fi`
+
+bliss_tests-bliss_tests.o: bliss_tests.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT bliss_tests-bliss_tests.o -MD -MP -MF $(DEPDIR)/bliss_tests-bliss_tests.Tpo -c -o bliss_tests-bliss_tests.o `test -f 'bliss_tests.c' || echo '$(srcdir)/'`bliss_tests.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/bliss_tests-bliss_tests.Tpo $(DEPDIR)/bliss_tests-bliss_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='bliss_tests.c' object='bliss_tests-bliss_tests.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o bliss_tests-bliss_tests.o `test -f 'bliss_tests.c' || echo '$(srcdir)/'`bliss_tests.c
+
+bliss_tests-bliss_tests.obj: bliss_tests.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT bliss_tests-bliss_tests.obj -MD -MP -MF $(DEPDIR)/bliss_tests-bliss_tests.Tpo -c -o bliss_tests-bliss_tests.obj `if test -f 'bliss_tests.c'; then $(CYGPATH_W) 'bliss_tests.c'; else $(CYGPATH_W) '$(srcdir)/bliss_tests.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/bliss_tests-bliss_tests.Tpo $(DEPDIR)/bliss_tests-bliss_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='bliss_tests.c' object='bliss_tests-bliss_tests.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o bliss_tests-bliss_tests.obj `if test -f 'bliss_tests.c'; then $(CYGPATH_W) 'bliss_tests.c'; else $(CYGPATH_W) '$(srcdir)/bliss_tests.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	$(am__tty_colors); \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=XPASS; \
+	      ;; \
+	      *) \
+		col=$$grn; res=PASS; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xfail=`expr $$xfail + 1`; \
+		col=$$lgn; res=XFAIL; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=FAIL; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      col=$$blu; res=SKIP; \
+	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
+	  done; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="$$All$$all $$tests passed"; \
+	    else \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all $$tests failed"; \
+	    else \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
+	    else \
+	      skipped="($$skip tests were not run)"; \
+	    fi; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  if test "$$failed" -eq 0; then \
+	    col="$$grn"; \
+	  else \
+	    col="$$red"; \
+	  fi; \
+	  echo "$${col}$$dashes$${std}"; \
+	  echo "$${col}$$banner$${std}"; \
+	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+	  test -z "$$report" || echo "$${col}$$report$${std}"; \
+	  echo "$${col}$$dashes$${std}"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-rm -f suites/$(DEPDIR)/$(am__dirstamp)
+	-rm -f suites/$(am__dirstamp)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR) suites/$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR) suites/$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
+	clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \
+	ctags ctags-am distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-am uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/bliss/tests/bliss_tests.c b/src/libstrongswan/plugins/bliss/tests/bliss_tests.c
new file mode 100644
index 000000000..de21e77b7
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/bliss_tests.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+
+#include <library.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#include "bliss_tests.h"
+#undef TEST_SUITE
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+	{ .suite = x, },
+#include "bliss_tests.h"
+	{ .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+	if (init)
+	{
+		char *plugins, *plugindir;
+
+		plugins = lib->settings->get_str(lib->settings,
+										"tests.load", PLUGINS);
+		plugindir = lib->settings->get_str(lib->settings,
+										"tests.plugindir", PLUGINDIR);
+		plugin_loader_add_plugindirs(plugindir, plugins);
+		if (!lib->plugins->load(lib->plugins, plugins))
+		{
+			return FALSE;
+		}
+	}
+	else
+	{
+		lib->processor->set_threads(lib->processor, 0);
+		lib->processor->cancel(lib->processor);
+		lib->plugins->unload(lib->plugins);
+	}
+	return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+	return test_runner_run("bliss", tests, test_runner_init);
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/bliss_tests.h b/src/libstrongswan/plugins/bliss/tests/bliss_tests.h
new file mode 100644
index 000000000..f0959cc08
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/bliss_tests.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) 2014-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+TEST_SUITE(bliss_fft_suite_create)
+TEST_SUITE(bliss_bitpacker_suite_create)
+TEST_SUITE(bliss_huffman_suite_create)
+TEST_SUITE(bliss_keys_suite_create)
+TEST_SUITE(bliss_sampler_suite_create)
+TEST_SUITE(bliss_signature_suite_create)
+TEST_SUITE(bliss_sign_suite_create)
+
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_bitpacker.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_bitpacker.c
new file mode 100644
index 000000000..6a728e280
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_bitpacker.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_bitpacker.h>
+
+static uint32_t bits[] = { 0, 1, 2, 3, 4, 7, 1, 14, 2, 29, 3, 28, 67, 0x2fe3a9c1};
+
+static chunk_t packed_bits = chunk_from_chars(0x6e, 0x71, 0xe1, 0x74,
+											  0x37, 0x21, 0x97, 0xf1,
+											  0xd4, 0xe0, 0x80);
+
+START_TEST(test_bliss_sign_bitpacker_write)
+{
+	chunk_t buf;
+	bliss_bitpacker_t *packer;
+	int i;
+
+	packer = bliss_bitpacker_create(81);
+
+	for (i = 0; i < 13; i++)
+	{
+		ck_assert(packer->write_bits(packer, bits[i], 1 + i/2));
+	}
+	ck_assert(packer->write_bits(packer, bits[13], 32));
+
+	buf = packer->extract_buf(packer);
+	ck_assert_int_eq(packer->get_bits(packer), 81);
+	ck_assert_chunk_eq(buf, packed_bits);
+
+	packer->destroy(packer);
+	free(buf.ptr);
+}
+END_TEST
+
+START_TEST(test_bliss_sign_bitpacker_read)
+{
+	uint32_t value;
+	bliss_bitpacker_t *packer;
+	int i;
+
+	packer = bliss_bitpacker_create_from_data(packed_bits);
+
+	ck_assert(!packer->read_bits(packer, &value, 33));
+
+	for (i = 0; i < 13; i++)
+	{
+		ck_assert(packer->read_bits(packer, &value, 1 + i/2));
+		ck_assert_int_eq(value, bits[i]);
+	}
+	ck_assert(packer->read_bits(packer, &value, 32));
+	ck_assert_int_eq(value, bits[13]);
+
+	packer->destroy(packer);
+}
+END_TEST
+
+START_TEST(test_bliss_sign_bitpacker_fail)
+{
+	bliss_bitpacker_t *packer;
+	uint32_t value;
+
+	packer = bliss_bitpacker_create(32);
+	ck_assert( packer->write_bits(packer, 0xff, 0));
+	ck_assert(!packer->write_bits(packer, 0, 33));
+	ck_assert( packer->write_bits(packer, 0x7f2a3b01, 31));
+	ck_assert(!packer->write_bits(packer, 3,  2));
+	packer->destroy(packer);
+
+	packer = bliss_bitpacker_create_from_data(
+							chunk_from_chars(0x7f, 0x2a, 0x3b, 0x01));
+	ck_assert(!packer->read_bits(packer, &value, 33));
+	ck_assert( packer->read_bits(packer, &value, 31));
+	ck_assert(!packer->read_bits(packer, &value,  2));
+	packer->destroy(packer);
+}
+END_TEST
+
+Suite *bliss_bitpacker_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("bliss_bitpacker");
+
+	tc = tcase_create("bitpacker_write");
+	tcase_add_test(tc, test_bliss_sign_bitpacker_write);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("bitpacker_read");
+	tcase_add_test(tc, test_bliss_sign_bitpacker_read);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("bitpacker_fail");
+	tcase_add_test(tc, test_bliss_sign_bitpacker_fail);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c
new file mode 100644
index 000000000..009aaf802
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_fft.h>
+
+static bliss_fft_params_t *fft_params[] = {
+	&bliss_fft_17_8,
+	&bliss_fft_12289_512
+};
+
+START_TEST(test_bliss_fft_impulse)
+{
+	bliss_fft_t *fft;
+	uint16_t n = fft_params[_i]->n;
+	uint32_t x[n], X[n];
+	int i;
+
+	for (i = 0; i < n; i++)
+	{
+		x[i] = 0;
+	}
+	x[0] = 1;
+ 
+	fft = bliss_fft_create(fft_params[_i]);
+	fft->transform(fft, x, X, FALSE);
+
+	for (i = 0; i < n; i++)
+	{
+		ck_assert(X[i] == 1);
+	}
+	fft->transform(fft, X, x, TRUE);
+
+	for (i = 0; i < n; i++)
+	{
+		ck_assert(x[i] == (i == 0));
+	}
+	fft->destroy(fft);
+}
+END_TEST
+
+START_TEST(test_bliss_fft_wrap)
+{
+	bliss_fft_t *fft;
+	uint16_t n = fft_params[_i]->n;
+	uint16_t q = fft_params[_i]->q;
+	uint32_t x[n],y[n], X[n], Y[n];
+	int i, j;
+
+	for (i = 0; i < n; i++)
+	{
+		x[i] = i;
+		y[i] = 0;
+	}
+	fft = bliss_fft_create(fft_params[_i]);
+	ck_assert(fft->get_size(fft) == n);
+	ck_assert(fft->get_modulus(fft) == q); 
+	fft->transform(fft, x, X, FALSE);
+
+	for (j = 0; j < n; j++)
+	{
+		y[j] = 1;
+		fft->transform(fft, y, Y, FALSE);
+
+		for (i = 0; i < n; i++)
+		{
+			Y[i] = (X[i] * Y[i]) % q;
+		}
+		fft->transform(fft, Y, Y, TRUE);
+
+		for (i = 0; i < n; i++)
+		{
+			ck_assert(Y[i] == ( i < j ? q - n - i + j : i - j));
+		}
+		y[j] = 0;
+	}
+	fft->destroy(fft);  
+}
+END_TEST
+
+Suite *bliss_fft_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("bliss_fft");
+
+	tc = tcase_create("impulse");
+	tcase_add_loop_test(tc, test_bliss_fft_impulse, 0, countof(fft_params));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("negative_wrap");
+	tcase_add_loop_test(tc, test_bliss_fft_wrap, 0, countof(fft_params));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_huffman.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_huffman.c
new file mode 100644
index 000000000..5447d0741
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_huffman.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_huffman_coder.h>
+
+static chunk_t data = chunk_from_chars(0x5f, 0x71, 0x9e, 0x4c);
+
+START_TEST(test_bliss_huffman_encode)
+{
+	bliss_bitpacker_t *packer;
+	bliss_huffman_code_t *code;
+	bliss_huffman_coder_t *coder;
+	chunk_t encoding;
+
+	packer = bliss_bitpacker_create(32);
+	ck_assert(packer);
+
+	code = bliss_huffman_code_get_by_id(BLISS_B_I);
+	ck_assert(code);
+
+	coder = bliss_huffman_coder_create(code, packer);
+	ck_assert(coder);
+
+	ck_assert( coder->encode(coder, 0,  0));	/* 0 */
+	ck_assert( coder->encode(coder, 1,  0));	/* 10 */
+	ck_assert( coder->encode(coder, 2,  0));	/* 111 */
+	ck_assert( coder->encode(coder, 0,  1));	/* 1101 */
+	ck_assert( coder->encode(coder, 0, -1));	/* 11000 */
+	ck_assert( coder->encode(coder, 1,  1));	/* 110011 */
+	ck_assert( coder->encode(coder, 1, -1));	/* 1100100 */
+	ck_assert(!coder->encode(coder, 3,  0));	/* 11001010 */
+	ck_assert(!coder->encode(coder, 8,  0));	/* - */
+
+	encoding = packer->extract_buf(packer);
+	ck_assert(chunk_equals(encoding, data));
+
+	chunk_free(&encoding);
+	coder->destroy(coder);
+	packer->destroy(packer);
+}
+END_TEST
+
+START_TEST(test_bliss_huffman_decode)
+{
+	bliss_bitpacker_t *packer;
+	bliss_huffman_code_t *code;
+	bliss_huffman_coder_t *coder;
+	int32_t z1;
+	int16_t z2;
+
+	packer = bliss_bitpacker_create_from_data(data);
+	ck_assert(packer);
+
+	code = bliss_huffman_code_get_by_id(BLISS_II);
+	ck_assert(!code);
+	code = bliss_huffman_code_get_by_id(BLISS_B_II);
+	ck_assert(!code);
+	code = bliss_huffman_code_get_by_id(BLISS_B_I);
+	ck_assert(code);
+
+	coder = bliss_huffman_coder_create(code, packer);
+	ck_assert(coder);
+
+	ck_assert(coder->decode(coder, &z1, &z2));	/* 0 */
+	ck_assert(z1 == 0 && z2 == 0);
+
+	ck_assert(coder->decode(coder, &z1, &z2));	/* 10 */
+	ck_assert(z1 == 1 && z2 == 0);
+
+	ck_assert(coder->decode(coder, &z1, &z2));	/* 111 */
+	ck_assert(z1 == 2 && z2 == 0);
+
+	ck_assert(coder->decode(coder, &z1, &z2));	/* 1101 */
+	ck_assert(z1 == 0 && z2 == 1);
+
+	ck_assert(coder->decode(coder, &z1, &z2));	/* 11000 */
+	ck_assert(z1 == 0 && z2 == -1);
+
+	ck_assert(coder->decode(coder, &z1, &z2));	/* 110011 */
+	ck_assert(z1 == 1 && z2 == 1);
+
+	ck_assert(coder->decode(coder, &z1, &z2));	/* 1100100 */
+	ck_assert(z1 == 1 && z2 == -1);
+
+	ck_assert(!coder->decode(coder, &z1, &z2));	/* 11001010 */
+
+	coder->destroy(coder);
+	packer->destroy(packer);
+}
+END_TEST
+
+Suite *bliss_huffman_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("bliss_huffman");
+
+	tc = tcase_create("huffman_encode");
+	tcase_add_test(tc, test_bliss_huffman_encode);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("huffman_decode");
+	tcase_add_test(tc, test_bliss_huffman_decode);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_keys.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_keys.c
new file mode 100644
index 000000000..f48bc1d79
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_keys.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_private_key.h>
+#include <bliss_public_key.h>
+
+static chunk_t privkey_chunk[] = {
+	{NULL, 0},
+	chunk_from_chars(0x30, 0x00),
+	chunk_from_chars(0x30, 0x01),
+	chunk_from_chars(0x30, 0x03, 0x06, 0x01, 0x01),
+	chunk_from_chars(0x30, 0x0d, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
+					 0xa0, 0x2a, 0x05, 0x02, 0x06),
+	chunk_from_chars(0x30, 0x0f, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
+					 0xa0, 0x2a, 0x05, 0x02, 0x05, 0x03, 0x00),
+	chunk_from_chars(0x30, 0x82, 0x04, 0x9a, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04,
+					 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x02, 0x05, 0x03, 0x82, 0x03,
+					 0x81, 0x00, 0x81, 0xe5, 0xd2, 0x71, 0xeb, 0x98, 0xe5, 0x24,
+					 0x34, 0xe4, 0x8a, 0x27, 0x23, 0x7d, 0x7d, 0x2c, 0xa3, 0xa7,
+					 0x3f, 0x87, 0xad, 0xae, 0xfa, 0xe4, 0x66, 0x1c, 0xef, 0x69,
+					 0x63, 0x5e, 0x91, 0xda, 0x41, 0x45, 0xd5, 0x8a, 0xb5, 0x26,
+					 0x33, 0x32, 0xe0, 0xa2, 0x9b, 0x52, 0x5e, 0x49, 0x5d, 0x0d,
+					 0x62, 0x72, 0x68, 0xa5, 0x94, 0x24, 0x03, 0x98, 0x48, 0x60,
+					 0x4a, 0x98, 0x97, 0x0d, 0x60, 0x7d, 0x00, 0x4f, 0xb9, 0xaf,
+					 0xcb, 0x6b, 0x41, 0x3d, 0x5b, 0xe4, 0x3e, 0x9a, 0xee, 0x06,
+		/*  100 */	 0xa1, 0xd0, 0x93, 0x53, 0x88, 0x58, 0x83, 0xb2, 0x44, 0xa1,
+					 0x16, 0x58, 0x3d, 0x32, 0xa1, 0x29, 0x85, 0x1a, 0x24, 0xc8,
+					 0xb8, 0x8c, 0x1f, 0x43, 0xbb, 0x4b, 0xdd, 0x8e, 0x72, 0xd3,
+					 0xf4, 0xfc, 0x02, 0x69, 0x47, 0xa5, 0x9d, 0xd0, 0xfc, 0xa6,
+					 0x94, 0x2e, 0x02, 0x6d, 0x85, 0x2c, 0x6d, 0xe3, 0x91, 0xd5,
+					 0xf1, 0x54, 0xbd, 0x1e, 0x63, 0x6b, 0xee, 0x28, 0xf9, 0xc6,
+					 0xec, 0x05, 0x99, 0xd5, 0xdd, 0xe5, 0x72, 0x9b, 0xbc, 0xa7,
+					 0x5a, 0x4a, 0x46, 0x3e, 0xec, 0xd7, 0x0b, 0xc5, 0x23, 0x00,
+					 0xdc, 0x08, 0x09, 0x57, 0x44, 0x2e, 0x43, 0x0f, 0xea, 0xca,
+					 0x2a, 0x31, 0xbe, 0xf3, 0x04, 0x8f, 0x8b, 0xa6, 0x3c, 0x35,
+		/*  200 */	 0x80, 0x2b, 0xe2, 0x18, 0x22, 0xfd, 0xe9, 0x39, 0x57, 0xed,
+					 0x77, 0x1d, 0x32, 0x02, 0x48, 0x2c, 0x85, 0x53, 0x9f, 0x4a,
+					 0xd8, 0x86, 0x4d, 0xd2, 0x26, 0x19, 0x12, 0x19, 0xa2, 0xb5,
+					 0xdf, 0x02, 0x50, 0xe4, 0x32, 0x9a, 0x27, 0xd0, 0x9e, 0x49,
+					 0x4a, 0x13, 0x9a, 0xfc, 0x07, 0x98, 0x60, 0x65, 0xf4, 0xc1,
+					 0x6c, 0x9a, 0x15, 0x28, 0x74, 0x5c, 0xd0, 0xa8, 0xe6, 0x2e,
+					 0x1f, 0xe9, 0xe6, 0x2b, 0xc8, 0x46, 0xe9, 0x26, 0xb0, 0xf0,
+					 0x8a, 0xe6, 0x8c, 0x9b, 0xbf, 0x64, 0xa0, 0x59, 0x33, 0x4f,
+					 0xc0, 0x0c, 0x16, 0x72, 0x89, 0x79, 0x2a, 0x3a, 0x5e, 0x3d,
+					 0x40, 0xbb, 0x73, 0xa9, 0xc0, 0x52, 0x70, 0x57, 0x06, 0xc1,
+		/*  300 */	 0xe7, 0x70, 0xb8, 0x6d, 0x1b, 0x50, 0x61, 0x85, 0xee, 0x3e,
+					 0xe5, 0x5a, 0x8a, 0x75, 0x9f, 0x1e, 0xb7, 0xea, 0x54, 0x5a,
+					 0x8f, 0x52, 0xc2, 0xae, 0x2c, 0x7a, 0x58, 0xe6, 0xcb, 0xa6,
+					 0x9b, 0x68, 0x84, 0x79, 0xf2, 0x82, 0x05, 0x57, 0xaa, 0xd5,
+					 0x51, 0x82, 0xec, 0x84, 0x63, 0xce, 0xf4, 0xa7, 0xdf, 0x4e,
+					 0xac, 0x7d, 0xdd, 0xc3, 0x02, 0x68, 0xe0, 0x35, 0xa1, 0x92,
+					 0x29, 0x02, 0x2c, 0xa0, 0xe4, 0x29, 0x66, 0xd3, 0xe8, 0xd9,
+					 0x52, 0x0f, 0x3b, 0xec, 0x53, 0x63, 0x57, 0xc3, 0xd2, 0x59,
+					 0x38, 0xe7, 0x74, 0xf4, 0x1d, 0x03, 0x88, 0x3c, 0xe9, 0x97,
+					 0x37, 0xd7, 0x12, 0x66, 0x2a, 0xb5, 0xf8, 0xcd, 0x10, 0x87,
+		/*  400 */	 0x5d, 0x6a, 0x69, 0xbb, 0x9b, 0xc5, 0x55, 0x3c, 0x09, 0x46,
+					 0x04, 0x57, 0xc0, 0x2f, 0x77, 0x89, 0xe2, 0x88, 0x15, 0x6b,
+					 0x71, 0x56, 0xe1, 0xa2, 0x30, 0x71, 0x5f, 0x1d, 0x27, 0x12,
+					 0xbf, 0xc3, 0x55, 0xde, 0xe5, 0x9c, 0x4e, 0xb8, 0xc6, 0xec,
+					 0x96, 0x3a, 0x5d, 0x6d, 0xe9, 0xd3, 0xf8, 0x28, 0xda, 0x3f,
+					 0x75, 0x24, 0xd0, 0x34, 0x50, 0xa6, 0x28, 0x65, 0x6a, 0xe9,
+					 0xa6, 0x89, 0xe5, 0x5d, 0x45, 0xaf, 0x63, 0x34, 0xaf, 0x31,
+					 0x29, 0x82, 0xe6, 0x03, 0x80, 0x5c, 0x34, 0x28, 0xd1, 0x9f,
+					 0xca, 0xd3, 0x96, 0xcb, 0x31, 0xde, 0xdb, 0xf0, 0x07, 0x2b,
+					 0xc5, 0xbc, 0x29, 0xd1, 0x11, 0xf4, 0x23, 0x3b, 0x14, 0xb5,
+		/*  500 */	 0xa6, 0xf1, 0x02, 0x9e, 0x66, 0xbe, 0xdc, 0xc4, 0xca, 0xf7,
+					 0xc0, 0x81, 0x92, 0x7c, 0xea, 0xe3, 0x42, 0x54, 0x8a, 0x6f,
+					 0x0a, 0x2a, 0xa7, 0x2a, 0x92, 0xab, 0x09, 0xb1, 0x61, 0x91,
+					 0xaa, 0x90, 0x54, 0xa3, 0x76, 0x64, 0xe2, 0xfd, 0x81, 0x9a,
+					 0x4c, 0x35, 0x11, 0x28, 0xf3, 0x14, 0x97, 0x1b, 0x61, 0xa4,
+					 0x67, 0x43, 0xae, 0x90, 0x6b, 0xe4, 0x29, 0x34, 0xec, 0x08,
+					 0xbc, 0x6a, 0x82, 0x45, 0xc7, 0x7d, 0xdc, 0xd0, 0x03, 0x98,
+					 0x29, 0x63, 0x05, 0x94, 0xb2, 0xb9, 0x04, 0xce, 0x34, 0x9a,
+					 0x64, 0xae, 0x9a, 0xa9, 0x11, 0xa5, 0x13, 0x07, 0xcc, 0x92,
+					 0xe9, 0xe5, 0x98, 0x13, 0x13, 0x8f, 0x8b, 0xb2, 0x77, 0x75,
+		/*  600 */	 0x2a, 0x6f, 0xb1, 0xa6, 0x98, 0xbf, 0x50, 0xaf, 0xa7, 0x15,
+					 0x2a, 0xe6, 0xdf, 0x41, 0xb6, 0x5e, 0x72, 0xb2, 0x74, 0xf2,
+					 0x38, 0x88, 0x41, 0x56, 0x53, 0xea, 0x83, 0x23, 0x8a, 0x6d,
+					 0x6c, 0x64, 0x6c, 0xa6, 0x04, 0x79, 0x51, 0x92, 0x89, 0xbe,
+					 0x2a, 0x54, 0xd8, 0x5a, 0x8d, 0x5b, 0x9c, 0xfc, 0x62, 0x05,
+					 0x0f, 0xbd, 0x85, 0x12, 0x57, 0x45, 0x96, 0x2e, 0x8f, 0x76,
+					 0xd4, 0x33, 0xfb, 0x4a, 0xc2, 0x9f, 0x57, 0x96, 0xb3, 0xa2,
+					 0xc6, 0xa6, 0x95, 0x3c, 0x9e, 0x7e, 0x15, 0x12, 0xd7, 0xe4,
+					 0x65, 0x05, 0x5d, 0x72, 0xc2, 0x28, 0x10, 0xa9, 0x68, 0xa9,
+					 0x01, 0xfe, 0x9e, 0x36, 0x07, 0x80, 0x41, 0xc8, 0xa3, 0x5f,
+		/*  700 */	 0x18, 0x3b, 0x38, 0x09, 0x95, 0xe2, 0x87, 0xad, 0x03, 0xfd,
+					 0xdd, 0xa6, 0xe9, 0x8e, 0xa8, 0x3a, 0xc9, 0x45, 0x7b, 0xdc,
+					 0xc2, 0x6a, 0x30, 0x78, 0xaa, 0xba, 0x32, 0xe9, 0x8a, 0x65,
+					 0x48, 0x13, 0x5b, 0x29, 0x18, 0x2e, 0x5c, 0x68, 0x8d, 0x71,
+					 0x01, 0x09, 0xab, 0x7d, 0x1a, 0xe9, 0x09, 0x74, 0x1b, 0xe1,
+					 0x90, 0x00, 0xb9, 0xda, 0xa3, 0x03, 0xb7, 0x6c, 0xdd, 0x40,
+					 0xb6, 0xe3, 0xde, 0xa6, 0x7b, 0xe9, 0x3d, 0x41, 0x4d, 0xc7,
+					 0xad, 0xa5, 0xf9, 0x8b, 0x88, 0xd4, 0x1a, 0x75, 0xb5, 0xb6,
+					 0x9f, 0x51, 0x9b, 0x8b, 0xd7, 0xa4, 0x02, 0xb0, 0x62, 0x45,
+					 0xdd, 0x6c, 0x11, 0x35, 0x03, 0x77, 0x1c, 0xdb, 0xc5, 0xac,
+		/*  800 */	 0x60, 0x37, 0x20, 0x15, 0xaf, 0xbd, 0xae, 0x76, 0x51, 0xd2,
+					 0xfb, 0x63, 0x23, 0x19, 0x81, 0xa6, 0x59, 0x7b, 0x68, 0x00,
+					 0x3d, 0x68, 0x89, 0x6b, 0x5a, 0x29, 0xbd, 0x4f, 0xc1, 0x50,
+					 0xe4, 0x98, 0x85, 0xe6, 0x1a, 0xdd, 0xc8, 0xe4, 0xa1, 0x2b,
+					 0x99, 0x42, 0x81, 0x4d, 0x07, 0xf4, 0x24, 0x93, 0x88, 0xfe,
+					 0x40, 0x90, 0x5a, 0x56, 0x0b, 0x7f, 0x8d, 0x14, 0x82, 0x6d,
+					 0xaf, 0xf6, 0x0a, 0x3d, 0xe6, 0x64, 0xb5, 0x48, 0x01, 0x37,
+					 0xfe, 0xf3, 0xba, 0x67, 0xcc, 0xd2, 0xba, 0x32, 0x76, 0xe8,
+					 0xa7, 0x41, 0x1f, 0x2a, 0xfc, 0xa9, 0x72, 0x66, 0xc7, 0xd5,
+					 0x76, 0x02, 0x6b, 0x77, 0xba, 0x6c, 0xd4, 0x84, 0x68, 0x0e,
+		/*  900 */	 0x62, 0xc8, 0x43, 0xb0, 0x81, 0xd5, 0x8f, 0xdb, 0x42, 0xc9,
+					 0xf4, 0xaf, 0x71, 0xbd, 0xb9, 0x6c, 0xd6, 0xdc, 0x03, 0x81,
+					 0x81, 0x00, 0xc5, 0x10, 0x40, 0x33, 0x0f, 0xc0, 0x14, 0x01,
+					 0x00, 0x03, 0x0c, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x0f, 0x10,
+					 0x03, 0x10, 0x00, 0x00, 0x01, 0xc0, 0x43, 0x40, 0x03, 0x5c,
+					 0x00, 0x07, 0xc0, 0x51, 0x34, 0x01, 0x30, 0x0c, 0x00, 0x00,
+					 0x04, 0xc0, 0x3d, 0x40, 0x03, 0x07, 0x40, 0xd3, 0x50, 0x0c,
+					 0x04, 0x03, 0x00, 0x11, 0x41, 0x30, 0x00, 0xc1, 0xc0, 0xc3,
+					 0x03, 0x5f, 0x04, 0x30, 0x01, 0x40, 0x40, 0x00, 0x40, 0x40,
+					 0x10, 0x40, 0x05, 0x05, 0x00, 0x53, 0x00, 0x04, 0x50, 0x00,
+		/* 1000 */	 0x00, 0x00, 0x0c, 0x00, 0x51, 0x00, 0x00, 0x00, 0x04, 0xc7,
+					 0x01, 0x50, 0xc0, 0x11, 0x00, 0x04, 0x03, 0xc0, 0x04, 0x00,
+					 0x70, 0x4c, 0x31, 0x03, 0xc0, 0x40, 0xc4, 0x40, 0x40, 0xc0,
+					 0x0c, 0x0c, 0xf1, 0x40, 0xc1, 0x31, 0x70, 0x17, 0xc0, 0x30,
+					 0xc1, 0x04, 0x0c, 0x04, 0x00, 0xc4, 0x01, 0x00, 0x34, 0x00,
+					 0x03, 0x81, 0x81, 0x00, 0xcc, 0x00, 0x50, 0x30, 0xc4, 0x13,
+					 0x0f, 0xf0, 0x43, 0x01, 0x33, 0x40, 0x30, 0x01, 0x40, 0x10,
+					 0x57, 0x04, 0x03, 0x04, 0x10, 0x00, 0xf0, 0x03, 0x04, 0x01,
+					 0x00, 0x10, 0x34, 0x03, 0xf0, 0x1c, 0x01, 0x40, 0x30, 0xf4,
+					 0x00, 0x40, 0x34, 0xc3, 0x00, 0x00, 0x01, 0x00, 0x01, 0x10,
+		/* 1100 */	 0x3f, 0x03, 0x40, 0x00, 0x10, 0x10, 0x00, 0x40, 0x03, 0x00,
+					 0x03, 0x04, 0x40, 0x03, 0x00, 0x13, 0x03, 0x00, 0xc0, 0x01,
+					 0x34, 0x01, 0x00, 0x00, 0x10, 0xf4, 0x00, 0xf0, 0x30, 0x00,
+					 0x00, 0xc3, 0x1c, 0x41, 0x00, 0x40, 0x30, 0x04, 0x10, 0xc4,
+					 0x11, 0x03, 0x00, 0x10, 0x04, 0x4f, 0x17, 0xc0, 0x00, 0x30,
+					 0xcd, 0x3c, 0x40, 0xc4, 0x00, 0xf0, 0x00, 0x00, 0x04, 0x30,
+					 0x0f, 0x31, 0x34, 0xf0, 0x00, 0x07, 0x0c, 0x34, 0x00, 0x50,
+					 0x05, 0x03, 0x10, 0x70, 0x00, 0x33, 0x0c, 0x00, 0xc4, 0x54,
+					 0x07, 0x00)
+};
+
+START_TEST(test_bliss_keys_priv)
+{
+	private_key_t *privkey;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+								 BUILD_BLOB, privkey_chunk[_i], BUILD_END);
+	if (_i == countof(privkey_chunk) - 1)
+	{
+		ck_assert(privkey);
+		privkey->destroy(privkey);
+	}
+	else
+	{
+		ck_assert(!privkey);
+	}
+}
+END_TEST
+
+typedef struct privkey_mod_t privkey_mod_t;
+
+struct privkey_mod_t {
+	int offset;
+	char byte;
+};
+
+static privkey_mod_t privkey_mod[] = {
+	{   20, 0x80 },
+	{   22, 0xc1 },
+	{  920, 0x80 },
+	{  922, 0x85 },
+	{ 1052, 0x80 },
+	{ 1054, 0x8c }
+};
+
+START_TEST(test_bliss_keys_priv_mod)
+{
+	private_key_t *privkey;
+	chunk_t data;
+
+	data = chunk_clone(privkey_chunk[countof(privkey_chunk) - 1]);
+	data.ptr[privkey_mod[_i].offset] = privkey_mod[_i].byte;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+								 BUILD_BLOB, data, BUILD_END);
+	ck_assert(!privkey);
+	chunk_free(&data);
+}
+END_TEST
+
+static chunk_t pubkey_chunk[] = {
+	{NULL, 0},
+	chunk_from_chars(0x30, 0x00),
+	chunk_from_chars(0x30, 0x01),
+	chunk_from_chars(0x30, 0x02, 0x30, 0x00),
+	chunk_from_chars(0x30, 0x05, 0x30, 0x03, 0x06, 0x01, 0x01),
+	chunk_from_chars(0x30, 0x11, 0x30, 0x0F, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04,
+					 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x01, 0x01, 0x04, 0x00),
+	chunk_from_chars(0x30, 0x12, 0x30, 0x10, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04,
+					 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x01, 0x01, 0x06, 0x01, 0x01),
+	chunk_from_chars(0x30, 0x1c, 0x30, 0x1a, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04,
+					 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x01, 0x01, 0x06, 0x0b, 0x2b,
+					 0x06, 0x01, 0x04, 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x02, 0x06),
+	chunk_from_chars(0x30, 0x1e, 0x30, 0x1a, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04,
+					 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x01, 0x01, 0x06, 0x0b, 0x2b,
+					 0x06, 0x01, 0x04, 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x02, 0x05,
+					 0x03, 0x00)
+};
+
+START_TEST(test_bliss_keys_pub)
+{
+	public_key_t *pubkey;
+
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+								 BUILD_BLOB, pubkey_chunk[_i], BUILD_END);
+	ck_assert(!pubkey);
+}
+END_TEST
+
+Suite *bliss_keys_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("bliss_keys");
+
+	tc = tcase_create("keys_priv");
+	tcase_add_loop_test(tc, test_bliss_keys_priv, 0, countof(privkey_chunk));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("keys_priv_mod");
+	tcase_add_loop_test(tc, test_bliss_keys_priv_mod, 0, countof(privkey_mod));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("keys_pub");
+	tcase_add_loop_test(tc, test_bliss_keys_pub, 0, countof(pubkey_chunk));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
new file mode 100644
index 000000000..1bd1266ad
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_sampler.h>
+
+static u_int key_size[] = { 1, 3, 4};
+
+START_TEST(test_bliss_sampler_gaussian)
+{
+	bliss_sampler_t *sampler;
+	bliss_param_set_t *set;
+	int i, k, count;
+	uint32_t hist[8], sign[3];
+	int32_t z;
+	hash_algorithm_t alg;
+	size_t seed_len;
+	chunk_t seed;
+
+	set = bliss_param_set_get_by_id(key_size[_i]);
+	alg = HASH_SHA256;
+	seed_len = 32;
+	count = 10000000;
+
+	seed = chunk_alloc(seed_len);
+	memset(seed.ptr, 0xcc, seed_len);
+
+	for (k = 0; k < 3; k++)
+	{
+		sign[k] = 0;
+	}
+	for (k = 0; k < 8; k++)
+	{
+		hist[k] = 0;
+	}
+
+	sampler = bliss_sampler_create(alg, seed, set);
+	for (i = 0; i < count; i++)
+	{
+		ck_assert(sampler->gaussian(sampler, &z));
+		if (z == 0)
+		{
+			sign[1]++;
+			hist[0]++;
+		}
+		else if (z > 0)
+		{
+			sign[2]++;
+			hist[z/256]++;
+		}
+		else
+		{
+			sign[0]++;
+			hist[(-z)/256]++;
+		}
+	}
+	sampler->destroy(sampler);
+	free(seed.ptr);
+
+	DBG1(DBG_LIB, "histogram");	
+	for (k = 0; k < 8; k++)
+	{
+		DBG1(DBG_LIB, "%d %7d", k, hist[k]);
+	}
+	DBG1(DBG_LIB, "- %7d", sign[0]);
+	DBG1(DBG_LIB, "0 %7d", sign[1]);
+	DBG1(DBG_LIB, "+ %7d", sign[2]);
+}
+END_TEST
+
+Suite *bliss_sampler_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("bliss_sampler");
+
+	tc = tcase_create("sampler_gaussian");
+	tcase_set_timeout(tc, 10);
+	tcase_add_loop_test(tc, test_bliss_sampler_gaussian, 0, countof(key_size));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c
new file mode 100644
index 000000000..8b4e9cbf0
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2014-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_private_key.h>
+#include <bliss_public_key.h>
+
+static u_int key_type[] = { 1, 3, 4 };
+static u_int key_strength[] = { 128, 160, 192 };
+
+START_TEST(test_bliss_sign_all)
+{
+	signature_scheme_t signature_scheme;
+	private_key_t *privkey, *privkey1;
+	public_key_t *pubkey, *pubkey1;
+	chunk_t msg, signature, privkey_blob, pubkey_blob, pubkey_fp, privkey_fp;
+	int k;
+
+	for (k = 0; k < 4; k++)
+	{
+		int verify_count = 1000;
+
+		switch (k)
+		{
+			case 1:
+				signature_scheme = SIGN_BLISS_WITH_SHA256;
+				break;
+			case 2:
+				signature_scheme = SIGN_BLISS_WITH_SHA384;
+				break;
+			default:
+				signature_scheme = SIGN_BLISS_WITH_SHA512;
+		}
+
+		/* enforce BLISS-B key for k = 2, 3 */
+		lib->settings->set_bool(lib->settings,
+				"%s.plugins.bliss.use_bliss_b", k >= 2, lib->ns);
+
+		msg = chunk_from_str("Hello Dolly!");
+
+		/* generate private key */
+		privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+									 BUILD_KEY_SIZE, key_type[_i], BUILD_END);
+		ck_assert(privkey);
+
+		/* generate ASN.1 DER and PEM encoding of private key */
+		ck_assert(privkey->get_encoding(privkey, (k % 2) ?
+				  PRIVKEY_ASN1_DER : PRIVKEY_PEM, &privkey_blob));
+
+		/* extract public key from private key */
+		pubkey = privkey->get_public_key(privkey);
+		ck_assert(pubkey);
+
+		/* generate ASN.1 DER and PEM encodings of public key */
+		ck_assert(pubkey->get_encoding(pubkey, (k % 2) ?
+				  PUBKEY_SPKI_ASN1_DER : PUBKEY_PEM, &pubkey_blob));
+
+		/* compare fingerprints of public and private key */
+		ck_assert(pubkey->get_fingerprint(pubkey, (k % 2) ?
+				  KEYID_PUBKEY_INFO_SHA1 : KEYID_PUBKEY_SHA1, &pubkey_fp));
+		ck_assert(privkey->get_fingerprint(privkey, (k % 2) ?
+				  KEYID_PUBKEY_INFO_SHA1 : KEYID_PUBKEY_SHA1, &privkey_fp));
+		ck_assert(chunk_equals(pubkey_fp, privkey_fp));
+
+		/* retrieve fingerprints of public and private key from cache */
+		ck_assert(pubkey->get_fingerprint(pubkey, (k % 2) ?
+				  KEYID_PUBKEY_INFO_SHA1 : KEYID_PUBKEY_SHA1, &pubkey_fp));
+		ck_assert(privkey->get_fingerprint(privkey, (k % 2) ?
+				  KEYID_PUBKEY_INFO_SHA1 : KEYID_PUBKEY_SHA1, &privkey_fp));
+
+		/* get a reference of the private key and destroy both instances */
+		privkey1 = privkey->get_ref(privkey);
+		ck_assert(privkey1);
+		ck_assert(privkey1 == privkey);
+		privkey->destroy(privkey);
+		privkey1->destroy(privkey1);
+
+		/* get a reference of the public key and destroy both instances */
+		pubkey1 = pubkey->get_ref(pubkey);
+		ck_assert(pubkey1);
+		ck_assert(pubkey1 == pubkey);
+		pubkey->destroy(pubkey);
+		pubkey1->destroy(pubkey1);
+
+		/* enforce BLISS-B key for k = 1, 3 */
+		lib->settings->set_bool(lib->settings,
+				"%s.plugins.bliss.use_bliss_b", k % 2, lib->ns);
+
+		/* load private key from ASN.1 blob */
+		privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+									 BUILD_BLOB, privkey_blob, BUILD_END);
+		ck_assert(privkey);
+		ck_assert(privkey->get_type(privkey) == KEY_BLISS);
+		ck_assert(privkey->get_keysize(privkey) == key_strength[_i]);
+		chunk_free(&privkey_blob);
+
+		/* load public key from ASN.1 blob */
+		pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+									BUILD_BLOB, pubkey_blob, BUILD_END);
+		ck_assert(pubkey);
+		ck_assert(pubkey->get_type(pubkey) == KEY_BLISS);
+		ck_assert(pubkey->get_keysize(pubkey) == key_strength[_i]);
+		chunk_free(&pubkey_blob);
+
+		/* generate and verify 1000 BLISS signatures */
+		while (verify_count--)
+		{
+			ck_assert(privkey->sign(privkey, signature_scheme, msg,
+									&signature));
+			ck_assert(pubkey->verify(pubkey, signature_scheme, msg,
+									 signature));
+			free(signature.ptr);
+		}
+		privkey->destroy(privkey);
+		pubkey->destroy(pubkey);
+	}
+}
+END_TEST
+
+START_TEST(test_bliss_sign_fail)
+{
+	private_key_t *privkey;
+	public_key_t *pubkey;
+	chunk_t msg, signature, encoding, fp;
+
+	/* generate non-supported BLISS-II private key */
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+								 BUILD_KEY_SIZE, BLISS_II, BUILD_END);
+	ck_assert(!privkey);
+
+	/* generate non-supported BLISS-B-II private key */
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+								 BUILD_KEY_SIZE, BLISS_B_II, BUILD_END);
+	ck_assert(!privkey);
+
+	/* generate supported BLISS-B-I private key */
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+								 BUILD_KEY_SIZE, BLISS_B_I, BUILD_END);
+	ck_assert(privkey);
+
+	/* wrong private key encoding format */
+	ck_assert(!privkey->get_encoding(privkey, PUBKEY_PEM, &encoding));
+
+	/* wrong fingerprint encoding format */
+	ck_assert(!privkey->get_fingerprint(privkey, KEYID_PGPV4, &fp));
+
+	/* extract public key */
+	pubkey = privkey->get_public_key(privkey);
+	ck_assert(pubkey);
+
+	/* wrong private key encoding format */
+	ck_assert(!pubkey->get_encoding(pubkey, PRIVKEY_PEM, &encoding));
+
+	/* wrong fingerprint encoding format */
+	ck_assert(!pubkey->get_fingerprint(pubkey, KEYID_PGPV4, &fp));
+
+	/* encryption / decryption operation is not defined for BLISS */
+	ck_assert(!pubkey->encrypt(pubkey, ENCRYPT_UNKNOWN, chunk_empty, NULL));
+	ck_assert(!privkey->decrypt(privkey, ENCRYPT_UNKNOWN, chunk_empty, NULL));
+
+	/* sign with invalid signature scheme */
+	ck_assert(!privkey->sign(privkey, SIGN_UNKNOWN, msg, &signature));
+
+	/* generate valid signature */
+	msg = chunk_from_str("Hello Dolly!");
+	ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA512, msg, &signature));
+
+	/* verify with invalid signature scheme */
+	ck_assert(!pubkey->verify(pubkey, SIGN_UNKNOWN, msg, signature));
+
+	/* corrupt signature */
+	signature.ptr[signature.len - 1] ^= 0x80;
+	ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA512, msg, signature));
+
+	free(signature.ptr);
+	privkey->destroy(privkey);
+	pubkey->destroy(pubkey);
+}
+END_TEST
+
+Suite *bliss_sign_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("bliss_sign");
+
+	tc = tcase_create("sign_all");
+	test_case_set_timeout(tc, 30);
+	tcase_add_loop_test(tc, test_bliss_sign_all, 0, countof(key_type));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("sign_fail");
+	tcase_add_test(tc, test_bliss_sign_fail);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c
new file mode 100644
index 000000000..2a2f48c53
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_signature.h>
+
+static chunk_t data = chunk_from_chars(
+	0xC1, 0xA1, 0x96, 0x98, 0x4F, 0x60, 0xF5, 0xCA, 0x89, 0x9E,
+	0x78, 0xAF, 0x64, 0xDD, 0x01, 0x76, 0x04, 0x29, 0x11, 0xD0,
+	0x21, 0x9E, 0xE4, 0x2D, 0xC5, 0x82, 0x69, 0x19, 0x82, 0x75,
+	0x30, 0xAC, 0xB0, 0x64, 0xCB, 0x65, 0x19, 0x22, 0x4A, 0x03,
+	0x03, 0x61, 0x4A, 0x37, 0x8E, 0xA3, 0xB6, 0xB3, 0x58, 0x44,
+	0xFD, 0x68, 0x38, 0xF1, 0x4B, 0xCF, 0xE8, 0xA2, 0x05, 0x39,
+	0x87, 0xE0, 0x5E, 0x7C, 0x45, 0x33, 0x4A, 0xEB, 0x2E, 0xCF,
+	0x98, 0x01, 0x3D, 0x28, 0x60, 0xCE, 0x90, 0x45, 0xF0, 0x8E,
+	0x36, 0x25, 0x50, 0x8B, 0xA2, 0xC0, 0x6E, 0xDF, 0xC2, 0xA1,
+	0x35, 0xC1, 0x16, 0x14, 0xE8, 0x6A, 0xE3, 0x9C, 0x0B, 0x32,
+	0x53, 0x55, 0x60, 0x52, 0x43, 0x93, 0xBB, 0x9F, 0x1D, 0x17,
+	0xDC, 0x6E, 0x26, 0x99, 0x60, 0x83, 0x12, 0x53, 0xB0, 0x2B,
+	0x36, 0xE2, 0x95, 0xA7, 0xBF, 0x9B, 0xC0, 0x0A, 0x63, 0xD6,
+	0x32, 0xA9, 0xE2, 0xAD, 0x02, 0x53, 0x10, 0x81, 0x00, 0xD4,
+	0x9A, 0xC2, 0x04, 0x1B, 0x48, 0x53, 0x37, 0xF0, 0x95, 0x39,
+	0x4B, 0x2E, 0x37, 0x28, 0xE2, 0x70, 0xAD, 0xB5, 0xF1, 0x63,
+	0x48, 0x17, 0xEF, 0x45, 0xC0, 0x30, 0xA6, 0xAA, 0x37, 0x9A,
+	0x00, 0x8F, 0x8D, 0xAC, 0x66, 0x2C, 0x96, 0x8C, 0xC2, 0x74,
+	0x9D, 0x66, 0x16, 0x5D, 0x70, 0x70, 0x1D, 0x2F, 0x11, 0xBD,
+	0x11, 0x62, 0x58, 0xC6, 0xB2, 0xA6, 0xFA, 0xB7, 0x8C, 0x10,
+	0x6A, 0x13, 0x34, 0x25, 0xB8, 0xF2, 0x46, 0xE3, 0x08, 0xAD,
+	0x8D, 0x49, 0x33, 0x24, 0x37, 0xA5, 0x0A, 0xF9, 0x5E, 0x95,
+	0xF9, 0x50, 0xDA, 0x2B, 0x80, 0x4F, 0x10, 0x4F, 0xAB, 0xE4,
+	0x96, 0xB1, 0xA1, 0x28, 0xCE, 0x6D, 0xB6, 0x17, 0x33, 0x2A,
+	0xE0, 0xC3, 0x80, 0xAA, 0x3D, 0x1A, 0x5C, 0x48, 0xA0, 0x48,
+	0x60, 0xCC, 0xC7, 0x29, 0x4F, 0xB8, 0x96, 0xDF, 0xC6, 0x6A,
+	0xC2, 0x83, 0x5E, 0xFC, 0xD7, 0x4E, 0xCA, 0x14, 0xB4, 0xC6,
+	0x30, 0x29, 0xC7, 0xCE, 0x79, 0x42, 0x2D, 0x22, 0x28, 0x99,
+	0x59, 0x14, 0xFB, 0x04, 0xAD, 0x79, 0x3C, 0x74, 0x34, 0xC6,
+	0x7A, 0x1C, 0x13, 0x07, 0x17, 0xB1, 0x8A, 0x02, 0xA7, 0x70,
+	0x3C, 0x5B, 0xBA, 0x88, 0xA2, 0xE6, 0x4B, 0x2A, 0xC1, 0x1E,
+	0x42, 0xDD, 0x83, 0x2B, 0x00, 0xCC, 0xF8, 0x80, 0x03, 0x7E,
+	0x97, 0xA4, 0x04, 0xE1, 0xB2, 0x0B, 0xE2, 0xF3, 0x91, 0x91,
+	0x80, 0xA0, 0xC5, 0x44, 0x67, 0xB1, 0x56, 0xD0, 0x13, 0x58,
+	0x7B, 0x6E, 0x12, 0xE7, 0x3A, 0x90, 0xE4, 0x2C, 0x44, 0x17,
+	0xA3, 0xBD, 0x21, 0x68, 0x45, 0x61, 0x20, 0x57, 0x8D, 0x4A,
+	0xF1, 0xE6, 0xD3, 0x17, 0xC9, 0xB0, 0xF8, 0x3A, 0x87, 0x6A,
+	0x7E, 0x25, 0x45, 0xDC, 0x9A, 0x1D, 0xAC, 0x10, 0xB6, 0xF6,
+	0x07, 0x4C, 0x50, 0x92, 0xF9, 0xE1, 0x3E, 0xAD, 0x3B, 0x80,
+	0x20, 0xA8, 0x34, 0x04, 0xD6, 0x0D, 0x2D, 0x46, 0x69, 0x5E,
+	0x8C, 0x4B, 0xB0, 0x1C, 0x37, 0xD8, 0x0D, 0x72, 0x7B, 0xE6,
+	0xEE, 0x04, 0x81, 0x98, 0x78, 0x69, 0x88, 0xD8, 0xDF, 0x04,
+	0xF0, 0x80, 0xE2, 0x0A, 0xD3, 0x60, 0x94, 0xDF, 0x49, 0xF7,
+	0x52, 0x95, 0xA6, 0xAF, 0x8C, 0x13, 0x10, 0x09, 0xAA, 0x03,
+	0xAC, 0x2C, 0x89, 0x2D, 0x2C, 0x61, 0x0F, 0xBE, 0x5C, 0x29,
+	0x01, 0x7C, 0x9E, 0xD2, 0xFF, 0x34, 0xA1, 0x9E, 0xEE, 0xBF,
+	0x28, 0x18, 0x3A, 0x17, 0xA6, 0x40, 0x94, 0xD5, 0xC4, 0xEC,
+	0x27, 0x0A, 0x40, 0x1C, 0xC4, 0x16, 0x80, 0x4E, 0x6F, 0xDD,
+	0xA5, 0x6A, 0x03, 0xE8, 0xBA, 0xB2, 0xAA, 0x7A, 0x7F, 0x4B,
+	0x30, 0x11, 0x11, 0x12, 0x4A, 0xFE, 0xB2, 0x99, 0xC6, 0x12,
+	0x1A, 0x98, 0xC0, 0x15, 0x41, 0xE1, 0x55, 0x35, 0x54, 0xF2,
+	0x1C, 0xE2, 0x78, 0x85, 0x66, 0xD3, 0x9C, 0x8A, 0x88, 0x7C,
+	0x86, 0x7F, 0x48, 0xBE, 0xB7, 0x1C, 0xE4, 0xCF, 0x35, 0xEE,
+	0x24, 0xA6, 0x62, 0xD6, 0x36, 0x1F, 0x66, 0x10, 0x5D, 0xEF,
+	0x07, 0x64, 0xA8, 0xD0, 0xAD, 0x2F, 0x47, 0x02, 0xA2, 0x0F,
+	0x73, 0x96, 0x2A, 0x21, 0x20, 0x36, 0x01, 0xA3, 0x2F, 0x5E,
+	0xC8, 0x80, 0x3A, 0x54, 0xA6, 0xB5, 0xD0, 0x19, 0xBF, 0xC4,
+	0x35, 0x01, 0x0B, 0x2A, 0x8E, 0x61, 0x4A, 0xDD, 0xB2, 0x4A,
+	0xE1, 0x0C, 0x15, 0x94, 0x9C, 0xD2, 0x54, 0x93, 0x85, 0x16,
+	0x49, 0x69, 0xA0, 0x41, 0x34, 0x16, 0x69, 0x28, 0x74, 0x11,
+	0x88, 0x44, 0xC8, 0x46, 0x5E, 0x62, 0xFF, 0x6E, 0xC5, 0xA8,
+	0xE8, 0x8A, 0x8A, 0xFA, 0x2D, 0x94, 0x14, 0xD4, 0x51, 0x16,
+	0xB0, 0x40, 0xDC, 0xF3, 0xAA, 0x97, 0x39, 0x1A, 0xDA, 0x7F,
+	0x41, 0x61, 0x25, 0x1E, 0xDF, 0x46, 0x29, 0x44, 0x80, 0xEA,
+	0x10, 0xE4, 0x0F, 0x94, 0xA6, 0x52, 0x20, 0x06, 0x9C, 0x69,
+	0x48, 0x1F, 0x45, 0x30, 0x4B, 0x21, 0x02, 0xE6, 0xF3, 0x44,
+	0x35, 0xC1, 0xC8, 0xC9, 0x68, 0x6C, 0x43, 0xA4, 0x56, 0x07,
+	0x36, 0x11, 0xFB, 0x6D, 0x8E, 0xF0, 0x62, 0x5A, 0x3C, 0x8B,
+	0x23, 0xF1, 0x46, 0xE2, 0x76, 0x2A, 0x6F, 0xBB, 0x09, 0x24,
+	0x18, 0x64, 0xE6, 0x5C, 0xD0, 0x85, 0x69, 0xF0, 0x4F, 0x66,
+	0x97, 0x40, 0x01, 0x27, 0xD1, 0x41, 0xCC, 0xEB, 0x4D, 0xB7,
+	0x04, 0xC4, 0x91, 0xE0, 0x95, 0x8A, 0x43, 0x26, 0x2D, 0x1F,
+	0x88, 0xA0, 0xD8
+);
+
+START_TEST(test_bliss_signature_fail)
+{
+	bliss_param_set_t set2 = { .id = BLISS_B_II };
+	bliss_param_set_t *set;
+	bliss_signature_t *signature;
+	chunk_t encoding;
+	int k;
+
+	signature = bliss_signature_create(&set2);
+	ck_assert(signature);
+	encoding = signature->get_encoding(signature);
+	ck_assert(encoding.len == 0);
+	signature->destroy(signature);
+
+	signature  = bliss_signature_create_from_data(&set2, data);
+	ck_assert(!signature);
+
+	set = bliss_param_set_get_by_id(BLISS_B_I);
+	ck_assert(set);
+
+	for (k = 0; k < data.len - 2; k++)
+	{
+		chunk_t fragment = { data.ptr, k };
+
+		signature  = bliss_signature_create_from_data(set, fragment);
+		ck_assert(!signature);
+	}
+	signature  = bliss_signature_create_from_data(set, data);
+	ck_assert(signature);
+	signature->destroy(signature);
+}
+END_TEST
+
+Suite *bliss_signature_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("bliss_signature");
+
+	tc = tcase_create("signature_fail");
+	tcase_add_test(tc, test_bliss_signature_fail);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 33e5958ed..f19616552 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index 43bdf1fc5..ca7cadbe4 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index 7c5674045..9e249399b 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/cmac/cmac.c b/src/libstrongswan/plugins/cmac/cmac.c
index c8cb7fbf2..4f222ff4e 100644
--- a/src/libstrongswan/plugins/cmac/cmac.c
+++ b/src/libstrongswan/plugins/cmac/cmac.c
@@ -247,6 +247,9 @@ METHOD(mac_t, set_key, bool,
 {
 	chunk_t resized, iv, l;
 
+	memset(this->t, 0, this->b);
+	this->remaining_bytes = 0;
+
 	/* we support variable keys as defined in RFC 4615 */
 	if (key.len == this->b)
 	{
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 39469368c..2e623ad3b 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index 62ccc7108..a0f4a7465 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -52,16 +52,67 @@ static bool check_pathlen(x509_t *issuer, int pathlen)
 }
 
 /**
- * Check if a FQDN/RFC822 constraint matches (suffix match)
+ * Check if a FQDN constraint matches
  */
-static bool suffix_matches(identification_t *constraint, identification_t *id)
+static bool fqdn_matches(identification_t *constraint, identification_t *id)
 {
-	chunk_t c, i;
+	chunk_t c, i, diff;
 
 	c = constraint->get_encoding(constraint);
 	i = id->get_encoding(id);
 
-	return i.len >= c.len && chunk_equals(c, chunk_skip(i, i.len - c.len));
+	if (!c.len || i.len < c.len)
+	{
+		return FALSE;
+	}
+	diff = chunk_create(i.ptr, i.len - c.len);
+	if (!chunk_equals(c, chunk_skip(i, diff.len)))
+	{
+		return FALSE;
+	}
+	if (!diff.len)
+	{
+		return TRUE;
+	}
+	if (c.ptr[0] == '.' || diff.ptr[diff.len - 1] == '.')
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Check if a RFC822 constraint matches
+ */
+static bool email_matches(identification_t *constraint, identification_t *id)
+{
+	chunk_t c, i, diff;
+
+	c = constraint->get_encoding(constraint);
+	i = id->get_encoding(id);
+
+	if (!c.len || i.len < c.len)
+	{
+		return FALSE;
+	}
+	if (memchr(c.ptr, '@', c.len))
+	{	/* constraint is a full email address */
+		return chunk_equals(c, i);
+	}
+	diff = chunk_create(i.ptr, i.len - c.len);
+	if (!diff.len || !chunk_equals(c, chunk_skip(i, diff.len)))
+	{
+		return FALSE;
+	}
+	if (c.ptr[0] == '.')
+	{	/* constraint is domain, suffix match */
+		return TRUE;
+	}
+	if (diff.ptr[diff.len - 1] == '@')
+	{	/* constraint is host specific, only username can be appended */
+		return TRUE;
+	}
+	return FALSE;
 }
 
 /**
@@ -121,8 +172,10 @@ static bool name_constraint_matches(identification_t *constraint,
 			switch (type)
 			{
 				case ID_FQDN:
+					matches = fqdn_matches(constraint, id);
+					break;
 				case ID_RFC822_ADDR:
-					matches = suffix_matches(constraint, id);
+					matches = email_matches(constraint, id);
 					break;
 				case ID_DER_ASN1_DN:
 					matches = dn_matches(constraint, id);
@@ -151,7 +204,7 @@ static bool name_constraint_inherited(identification_t *constraint,
 									  x509_t *x509, bool permitted)
 {
 	enumerator_t *enumerator;
-	identification_t *id;
+	identification_t *id, *a, *b;
 	bool inherited = FALSE;
 	id_type_t type;
 
@@ -166,28 +219,26 @@ static bool name_constraint_inherited(identification_t *constraint,
 	{
 		if (id->get_type(id) == type)
 		{
+			if (permitted)
+			{	/* permitted constraint can be narrowed */
+				a = constraint;
+				b = id;
+			}
+			else
+			{	/* excluded constraint can be widened */
+				a = id;
+				b = constraint;
+			}
 			switch (type)
 			{
 				case ID_FQDN:
+					inherited = fqdn_matches(a, b);
+					break;
 				case ID_RFC822_ADDR:
-					if (permitted)
-					{	/* permitted constraint can be narrowed */
-						inherited = suffix_matches(constraint, id);
-					}
-					else
-					{	/* excluded constraint can be widened */
-						inherited = suffix_matches(id, constraint);
-					}
+					inherited = email_matches(a, b);
 					break;
 				case ID_DER_ASN1_DN:
-					if (permitted)
-					{
-						inherited = dn_matches(constraint, id);
-					}
-					else
-					{
-						inherited = dn_matches(id, constraint);
-					}
+					inherited = dn_matches(a, b);
 					break;
 				default:
 					DBG1(DBG_CFG, "%N NameConstraint matching not implemented",
@@ -298,8 +349,7 @@ static bool has_policy(x509_t *issuer, chunk_t oid)
 /**
  * Check certificatePolicies.
  */
-static bool check_policy(x509_t *subject, x509_t *issuer, bool check,
-						 auth_cfg_t *auth)
+static bool check_policy(x509_t *subject, x509_t *issuer)
 {
 	certificate_t *cert = (certificate_t*)subject;
 	x509_policy_mapping_t *mapping;
@@ -323,33 +373,85 @@ static bool check_policy(x509_t *subject, x509_t *issuer, bool check,
 	}
 	enumerator->destroy(enumerator);
 
-	if (check)
+	enumerator = subject->create_cert_policy_enumerator(subject);
+	while (enumerator->enumerate(enumerator, &policy))
+	{
+		if (!has_policy(issuer, policy->oid))
+		{
+			oid = asn1_oid_to_string(policy->oid);
+			DBG1(DBG_CFG, "policy %s missing in issuing certificate '%Y'",
+				 oid, cert->get_issuer(cert));
+			free(oid);
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return TRUE;
+}
+
+/**
+ * Check if a given policy is valid under a trustchain
+ */
+static bool is_policy_valid(linked_list_t *chain, chunk_t oid)
+{
+	x509_policy_mapping_t *mapping;
+	x509_cert_policy_t *policy;
+	x509_t *issuer;
+	enumerator_t *issuers, *policies, *mappings;
+	bool found = TRUE;
+
+	issuers = chain->create_enumerator(chain);
+	while (issuers->enumerate(issuers, &issuer))
 	{
-		enumerator = subject->create_cert_policy_enumerator(subject);
-		while (enumerator->enumerate(enumerator, &policy))
+		int maxmap = 8;
+
+		while (found)
 		{
-			if (!has_policy(issuer, policy->oid))
+			found = FALSE;
+
+			policies = issuer->create_cert_policy_enumerator(issuer);
+			while (policies->enumerate(policies, &policy))
 			{
-				oid = asn1_oid_to_string(policy->oid);
-				DBG1(DBG_CFG, "policy %s missing in issuing certificate '%Y'",
-					 oid, cert->get_issuer(cert));
-				free(oid);
-				enumerator->destroy(enumerator);
-				return FALSE;
+				if (chunk_equals(oid, policy->oid) ||
+					chunk_equals(any_policy, policy->oid))
+				{
+					found = TRUE;
+					break;
+				}
 			}
-			if (auth)
+			policies->destroy(policies);
+			if (found)
 			{
-				oid = asn1_oid_to_string(policy->oid);
-				if (oid)
+				break;
+			}
+			/* fall back to a mapped policy */
+			mappings = issuer->create_policy_mapping_enumerator(issuer);
+			while (mappings->enumerate(mappings, &mapping))
+			{
+				if (chunk_equals(mapping->subject, oid))
 				{
-					auth->add(auth, AUTH_RULE_CERT_POLICY, oid);
+					oid = mapping->issuer;
+					found = TRUE;
+					break;
 				}
 			}
+			mappings->destroy(mappings);
+			if (--maxmap == 0)
+			{
+				found = FALSE;
+				break;
+			}
+		}
+		if (!found)
+		{
+			break;
 		}
-		enumerator->destroy(enumerator);
 	}
+	issuers->destroy(issuers);
 
-	return TRUE;
+	return found;
 }
 
 /**
@@ -364,7 +466,7 @@ static bool has_policy_chain(linked_list_t *chain, x509_t *subject, int len)
 	enumerator = chain->create_enumerator(chain);
 	while (len-- > 0 && enumerator->enumerate(enumerator, &issuer))
 	{
-		if (!check_policy(subject, issuer, TRUE, NULL))
+		if (!check_policy(subject, issuer))
 		{
 			valid = FALSE;
 			break;
@@ -450,6 +552,7 @@ static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
 	{
 		if (subject->get_type(subject) == CERT_X509)
 		{
+			x509_cert_policy_t *policy;
 			enumerator_t *enumerator;
 			linked_list_t *chain;
 			certificate_t *cert;
@@ -457,6 +560,7 @@ static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
 			x509_t *x509;
 			int len = 0;
 			u_int expl, inh;
+			char *oid;
 
 			/* prepare trustchain to validate */
 			chain = linked_list_create();
@@ -517,6 +621,31 @@ static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
 			}
 			enumerator->destroy(enumerator);
 
+			if (valid)
+			{
+				x509 = (x509_t*)subject;
+
+				enumerator = x509->create_cert_policy_enumerator(x509);
+				while (enumerator->enumerate(enumerator, &policy))
+				{
+					oid = asn1_oid_to_string(policy->oid);
+					if (oid)
+					{
+						if (is_policy_valid(chain, policy->oid))
+						{
+							auth->add(auth, AUTH_RULE_CERT_POLICY, oid);
+						}
+						else
+						{
+							DBG1(DBG_CFG, "certificate policy %s for '%Y' "
+								 "not allowed by trustchain, ignored",
+								 oid, subject->get_subject(subject));
+							free(oid);
+						}
+					}
+				}
+				enumerator->destroy(enumerator);
+			}
 			chain->destroy(chain);
 		}
 	}
@@ -543,12 +672,6 @@ METHOD(cert_validator_t, validate, bool,
 									subject);
 			return FALSE;
 		}
-		if (!check_policy((x509_t*)subject, (x509_t*)issuer, !pathlen, auth))
-		{
-			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
-									subject);
-			return FALSE;
-		}
 		if (anchor)
 		{
 			if (!check_policy_constraints((x509_t*)issuer, pathlen, auth))
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 4b397e85d..7b7231b85 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index 2e221c8b4..d525eac02 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 0025a2b20..96b2f6055 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 0b30923a5..910289906 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/files/Makefile.am b/src/libstrongswan/plugins/files/Makefile.am
new file mode 100644
index 000000000..67767495c
--- /dev/null
+++ b/src/libstrongswan/plugins/files/Makefile.am
@@ -0,0 +1,16 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-files.la
+else
+plugin_LTLIBRARIES = libstrongswan-files.la
+endif
+
+libstrongswan_files_la_SOURCES = \
+	files_plugin.h files_plugin.c files_fetcher.c files_fetcher.h
+
+libstrongswan_files_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/files/Makefile.in b/src/libstrongswan/plugins/files/Makefile.in
new file mode 100644
index 000000000..31dc4a3ac
--- /dev/null
+++ b/src/libstrongswan/plugins/files/Makefile.in
@@ -0,0 +1,775 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/files
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_files_la_LIBADD =
+am_libstrongswan_files_la_OBJECTS = files_plugin.lo files_fetcher.lo
+libstrongswan_files_la_OBJECTS = $(am_libstrongswan_files_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libstrongswan_files_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_files_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_files_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_files_la_rpath =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libstrongswan_files_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_files_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-files.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-files.la
+libstrongswan_files_la_SOURCES = \
+	files_plugin.h files_plugin.c files_fetcher.c files_fetcher.h
+
+libstrongswan_files_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/files/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/files/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+libstrongswan-files.la: $(libstrongswan_files_la_OBJECTS) $(libstrongswan_files_la_DEPENDENCIES) $(EXTRA_libstrongswan_files_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_files_la_LINK) $(am_libstrongswan_files_la_rpath) $(libstrongswan_files_la_OBJECTS) $(libstrongswan_files_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/files_fetcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/files_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/files/files_fetcher.c b/src/libstrongswan/plugins/files/files_fetcher.c
new file mode 100644
index 000000000..e0b7cbdb6
--- /dev/null
+++ b/src/libstrongswan/plugins/files/files_fetcher.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include "files_fetcher.h"
+
+typedef struct private_files_fetcher_t private_files_fetcher_t;
+
+/**
+ * private data of a files_fetcher_t object.
+ */
+struct private_files_fetcher_t {
+
+	/**
+	 * Public data
+	 */
+	files_fetcher_t public;
+
+	/**
+	 * Callback function
+	 */
+	fetcher_callback_t cb;
+};
+
+METHOD(fetcher_t, fetch, status_t,
+	private_files_fetcher_t *this, char *uri, void *userdata)
+{
+	chunk_t *data;
+	status_t status = FAILED;
+
+	if (this->cb == fetcher_default_callback)
+	{
+		*(chunk_t*)userdata = chunk_empty;
+	}
+	if (!strpfx(uri, "file://"))
+	{
+		return NOT_SUPPORTED;
+	}
+	uri = uri + strlen("file://");
+	data = chunk_map(uri, FALSE);
+	if (!data)
+	{
+		DBG1(DBG_LIB, "  opening '%s' failed: %s", uri, strerror(errno));
+		return FAILED;
+	}
+	if (this->cb(userdata, *data))
+	{
+		status = SUCCESS;
+	}
+	chunk_unmap(data);
+	return status;
+}
+
+METHOD(fetcher_t, set_option, bool,
+	private_files_fetcher_t *this, fetcher_option_t option, ...)
+{
+	bool supported = TRUE;
+	va_list args;
+
+	va_start(args, option);
+	switch (option)
+	{
+		case FETCH_CALLBACK:
+		{
+			this->cb = va_arg(args, fetcher_callback_t);
+			break;
+		}
+		default:
+			supported = FALSE;
+			break;
+	}
+	va_end(args);
+	return supported;
+}
+
+METHOD(fetcher_t, destroy, void,
+	private_files_fetcher_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+files_fetcher_t *files_fetcher_create()
+{
+	private_files_fetcher_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.fetch = _fetch,
+				.set_option = _set_option,
+				.destroy = _destroy,
+			},
+		},
+		.cb = fetcher_default_callback,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/unit_tester/tests.h b/src/libstrongswan/plugins/files/files_fetcher.h
index 169292e9b..7fc4ec98e 100644
--- a/src/libcharon/plugins/unit_tester/tests.h
+++ b/src/libstrongswan/plugins/files/files_fetcher.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2015 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,17 +14,29 @@
  */
 
 /**
- * @defgroup tests tests
- * @{ @ingroup unit_tester
+ * @defgroup files_fetcher files_fetcher
+ * @{ @ingroup files_p
  */
 
-DEFINE_TEST("auth cfg", test_auth_cfg, FALSE)
-DEFINE_TEST("CURL get", test_curl_get, FALSE)
-DEFINE_TEST("MySQL operations", test_mysql, FALSE)
-DEFINE_TEST("SQLite operations", test_sqlite, FALSE)
-DEFINE_TEST("X509 certificate", test_cert_x509, FALSE)
-DEFINE_TEST("Mediation database key fetch", test_med_db, FALSE)
-DEFINE_TEST("IP pool", test_pool, FALSE)
-DEFINE_TEST("SSH agent", test_agent, FALSE)
+#ifndef FILES_FETCHER_H_
+#define FILES_FETCHER_H_
 
-/** @}*/
+typedef struct files_fetcher_t files_fetcher_t;
+
+/**
+ * Fetcher implementation loading local files
+ */
+struct files_fetcher_t {
+
+	/**
+	 * Implements fetcher interface
+	 */
+	fetcher_t interface;
+};
+
+/**
+ * Create a files_fetcher instance.
+ */
+files_fetcher_t *files_fetcher_create();
+
+#endif /** FILES_FETCHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/files/files_plugin.c b/src/libstrongswan/plugins/files/files_plugin.c
new file mode 100644
index 000000000..6ab735dab
--- /dev/null
+++ b/src/libstrongswan/plugins/files/files_plugin.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "files_plugin.h"
+#include "files_fetcher.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+typedef struct private_files_plugin_t private_files_plugin_t;
+
+/**
+ * private data of files_plugin
+ */
+struct private_files_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	files_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_files_plugin_t *this)
+{
+	return "files";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_files_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(FETCHER, files_fetcher_create),
+			PLUGIN_PROVIDE(FETCHER, "file://"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_files_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *files_plugin_create()
+{
+	private_files_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/unit_tester/unit_tester.h b/src/libstrongswan/plugins/files/files_plugin.h
index 08784f6f4..c121b9652 100644
--- a/src/libcharon/plugins/unit_tester/unit_tester.h
+++ b/src/libstrongswan/plugins/files/files_plugin.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2015 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,31 +14,29 @@
  */
 
 /**
- * @defgroup unit_tester unit_tester
- * @{ @ingroup cplugins
+ * @defgroup files_p files
+ * @ingroup plugins
+ *
+ * @defgroup files_plugin files_plugin
+ * @{ @ingroup files_p
  */
 
-#ifndef UNIT_TESTER_H_
-#define UNIT_TESTER_H_
+#ifndef FILES_PLUGIN_H_
+#define FILES_PLUGIN_H_
 
 #include <plugins/plugin.h>
 
-typedef struct unit_tester_t unit_tester_t;
+typedef struct files_plugin_t files_plugin_t;
 
 /**
- * Unit testing plugin.
- *
- * The unit testing plugin runs tests on plugin initialization. Tests are
- * defined in tests.h using the DEFINE_TEST macro. Implementation of the
- * tests is done in the tests folder. Each test has uses a function which
- * returns TRUE for success or FALSE for failure.
+ * Plugin implementing fetcher interface loading local files directly.
  */
-struct unit_tester_t {
+struct files_plugin_t {
 
 	/**
-	 * Implements the plugin interface.
+	 * implements plugin interface
 	 */
 	plugin_t plugin;
 };
 
-#endif /** UNIT_TESTER_H_ @}*/
+#endif /** FILES_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 64ae66559..b7ca1ce97 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c
index 23825078e..25accf996 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c
@@ -116,6 +116,12 @@ METHOD(prf_t, get_bytes, bool,
 	u_int8_t *xkey = this->key;
 	u_int8_t one[this->b];
 
+	if (!w)
+	{
+		/* append mode is not supported */
+		return FALSE;
+	}
+
 	memset(one, 0, this->b);
 	one[this->b - 1] = 0x01;
 
@@ -250,4 +256,3 @@ fips_prf_t *fips_prf_create(pseudo_random_function_t algo)
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index 511bfc365..e125ab884 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 0c7d22d71..4ce7438fc 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
index f418b941d..744ec0bbf 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
@@ -35,7 +35,7 @@ struct private_gcrypt_dh_t {
 	/**
 	 * Diffie Hellman group number
 	 */
-	u_int16_t group;
+	diffie_hellman_group_t group;
 
 	/*
 	 * Generator value
@@ -73,12 +73,17 @@ struct private_gcrypt_dh_t {
 	size_t p_len;
 };
 
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
 	private_gcrypt_dh_t *this, chunk_t value)
 {
 	gcry_mpi_t p_min_1;
 	gcry_error_t err;
 
+	if (!diffie_hellman_verify_value(this->group, value))
+	{
+		return FALSE;
+	}
+
 	if (this->yb)
 	{
 		gcry_mpi_release(this->yb);
@@ -88,7 +93,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 	if (err)
 	{
 		DBG1(DBG_LIB, "importing mpi yb failed: %s", gpg_strerror(err));
-		return;
+		return FALSE;
 	}
 
 	p_min_1 = gcry_mpi_new(this->p_len * 8);
@@ -112,6 +117,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 			 " y < 2 || y > p - 1 ");
 	}
 	gcry_mpi_release(p_min_1);
+	return this->zz != NULL;
 }
 
 /**
@@ -132,21 +138,22 @@ static chunk_t export_mpi(gcry_mpi_t value, size_t len)
 	return chunk;
 }
 
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
 	private_gcrypt_dh_t *this, chunk_t *value)
 {
 	*value = export_mpi(this->ya, this->p_len);
+	return TRUE;
 }
 
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
 	private_gcrypt_dh_t *this, chunk_t *secret)
 {
 	if (!this->zz)
 	{
-		return FAILED;
+		return FALSE;
 	}
 	*secret = export_mpi(this->zz, this->p_len);
-	return SUCCESS;
+	return TRUE;
 }
 
 METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index eab4a0047..788cb931e 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index b74d35169..4fcb168fa 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -42,7 +42,7 @@ struct private_gmp_diffie_hellman_t {
 	/**
 	 * Diffie Hellman group number.
 	 */
-	u_int16_t group;
+	diffie_hellman_group_t group;
 
 	/*
 	 * Generator value.
@@ -85,11 +85,16 @@ struct private_gmp_diffie_hellman_t {
 	bool computed;
 };
 
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
 	private_gmp_diffie_hellman_t *this, chunk_t value)
 {
 	mpz_t p_min_1;
 
+	if (!diffie_hellman_verify_value(this->group, value))
+	{
+		return FALSE;
+	}
+
 	mpz_init(p_min_1);
 	mpz_sub_ui(p_min_1, this->p, 1);
 
@@ -142,9 +147,10 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 			 " y < 2 || y > p - 1 ");
 	}
 	mpz_clear(p_min_1);
+	return this->computed;
 }
 
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
 	private_gmp_diffie_hellman_t *this,chunk_t *value)
 {
 	value->len = this->p_len;
@@ -153,22 +159,23 @@ METHOD(diffie_hellman_t, get_my_public_value, void,
 	{
 		value->len = 0;
 	}
+	return TRUE;
 }
 
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
 	private_gmp_diffie_hellman_t *this, chunk_t *secret)
 {
 	if (!this->computed)
 	{
-		return FAILED;
+		return FALSE;
 	}
 	secret->len = this->p_len;
 	secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz);
 	if (secret->ptr == NULL)
 	{
-		return FAILED;
+		return FALSE;
 	}
-	return SUCCESS;
+	return TRUE;
 }
 
 METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
@@ -245,7 +252,7 @@ static gmp_diffie_hellman_t *create_generic(diffie_hellman_group_t group,
 		*random.ptr &= 0x7F;
 	}
 	mpz_import(this->xa, random.len, 1, 1, 1, 0, random.ptr);
-	chunk_free(&random);
+	chunk_clear(&random);
 	DBG2(DBG_LIB, "size of DH secret exponent: %u bits",
 		 mpz_sizeinbase(this->xa, 2));
 
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index bf34e4c9f..a8c39cbab 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/hmac/hmac.c b/src/libstrongswan/plugins/hmac/hmac.c
index 44cb46b4d..96a14aed9 100644
--- a/src/libstrongswan/plugins/hmac/hmac.c
+++ b/src/libstrongswan/plugins/hmac/hmac.c
@@ -103,7 +103,8 @@ METHOD(mac_t, set_key, bool,
 	if (key.len > this->b)
 	{
 		/* if key is too long, it will be hashed */
-		if (!this->h->get_hash(this->h, key, buffer))
+		if (!this->h->reset(this->h) ||
+			!this->h->get_hash(this->h, key, buffer))
 		{
 			return FALSE;
 		}
diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in
index 17faa569d..8f6a6f54d 100644
--- a/src/libstrongswan/plugins/keychain/Makefile.in
+++ b/src/libstrongswan/plugins/keychain/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 332a587c9..5316323a4 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 91fe8c45f..d5f9c6c81 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index ba6cb0cf6..1dd3892cd 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index bca4562d6..e2fb7e720 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index 0d15d7c2e..0b51ba5d8 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/ntru/Makefile.am b/src/libstrongswan/plugins/ntru/Makefile.am
index b959afa8e..c9fcee982 100644
--- a/src/libstrongswan/plugins/ntru/Makefile.am
+++ b/src/libstrongswan/plugins/ntru/Makefile.am
@@ -16,7 +16,6 @@ libstrongswan_ntru_la_SOURCES = \
 	ntru_convert.h ntru_convert.c \
 	ntru_drbg.h ntru_drbg.c \
 	ntru_ke.h ntru_ke.c \
-	ntru_mgf1.h ntru_mgf1.c \
 	ntru_param_set.h ntru_param_set.c \
 	ntru_poly.h ntru_poly.c \
 	ntru_public_key.h ntru_public_key.c \
diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in
index e57a3673e..5636692ab 100644
--- a/src/libstrongswan/plugins/ntru/Makefile.in
+++ b/src/libstrongswan/plugins/ntru/Makefile.in
@@ -129,9 +129,8 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ntru_la_LIBADD =
 am_libstrongswan_ntru_la_OBJECTS = ntru_plugin.lo ntru_convert.lo \
-	ntru_drbg.lo ntru_ke.lo ntru_mgf1.lo ntru_param_set.lo \
-	ntru_poly.lo ntru_public_key.lo ntru_private_key.lo \
-	ntru_trits.lo
+	ntru_drbg.lo ntru_ke.lo ntru_param_set.lo ntru_poly.lo \
+	ntru_public_key.lo ntru_private_key.lo ntru_trits.lo
 libstrongswan_ntru_la_OBJECTS = $(am_libstrongswan_ntru_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -229,6 +228,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -438,7 +442,6 @@ libstrongswan_ntru_la_SOURCES = \
 	ntru_convert.h ntru_convert.c \
 	ntru_drbg.h ntru_drbg.c \
 	ntru_ke.h ntru_ke.c \
-	ntru_mgf1.h ntru_mgf1.c \
 	ntru_param_set.h ntru_param_set.c \
 	ntru_poly.h ntru_poly.c \
 	ntru_public_key.h ntru_public_key.c \
@@ -539,7 +542,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_convert.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_drbg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_ke.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_mgf1.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_param_set.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_plugin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_poly.Plo@am__quote@
diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c
index abaa22336..3b5df81d9 100644
--- a/src/libstrongswan/plugins/ntru/ntru_ke.c
+++ b/src/libstrongswan/plugins/ntru/ntru_ke.c
@@ -56,7 +56,7 @@ struct private_ntru_ke_t {
 	/**
 	 * Diffie Hellman group number.
 	 */
-	u_int16_t group;
+	diffie_hellman_group_t group;
 
 	/**
 	 * NTRU Parameter Set
@@ -106,10 +106,10 @@ struct private_ntru_ke_t {
 	/**
 	 * Deterministic Random Bit Generator
 	 */
-    ntru_drbg_t *drbg;
+	ntru_drbg_t *drbg;
 };
 
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
 	private_ntru_ke_t *this, chunk_t *value)
 {
 	*value = chunk_empty;
@@ -130,30 +130,30 @@ METHOD(diffie_hellman_t, get_my_public_value, void,
 			if (!this->privkey)
 			{
 				DBG1(DBG_LIB, "NTRU keypair generation failed");
-				return;
+				return FALSE;
 			}
 			this->pubkey = this->privkey->get_public_key(this->privkey);
 		}
 		*value = chunk_clone(this->pubkey->get_encoding(this->pubkey));
 		DBG3(DBG_LIB, "NTRU public key: %B", value);
 	}
+	return TRUE;
 }
 
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
 	private_ntru_ke_t *this, chunk_t *secret)
 {
 	if (!this->computed || !this->shared_secret.len)
 	{
 		*secret = chunk_empty;
-		return FAILED;
+		return FALSE;
 	}
 	*secret = chunk_clone(this->shared_secret);
 
-	return SUCCESS;
+	return TRUE;
 }
 
-
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
 	private_ntru_ke_t *this, chunk_t value)
 {
 	if (this->privkey)
@@ -162,15 +162,15 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 		if (value.len == 0)
 		{
 			DBG1(DBG_LIB, "empty NTRU ciphertext");
-			return;
+			return FALSE;
 		}
 		DBG3(DBG_LIB, "NTRU ciphertext: %B", &value);
 
 		/* decrypt the shared secret */
- 		if (!this->privkey->decrypt(this->privkey, value, &this->shared_secret))
+		if (!this->privkey->decrypt(this->privkey, value, &this->shared_secret))
 		{
 			DBG1(DBG_LIB, "NTRU decryption of shared secret failed");
-			return;
+			return FALSE;
 		}
 		this->computed = TRUE;
 	}
@@ -185,13 +185,13 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 		pubkey = ntru_public_key_create_from_data(this->drbg, value);
 		if (!pubkey)
 		{
-			return;
+			return FALSE;
 		}
 		if (pubkey->get_id(pubkey) != this->param_set->id)
 		{
 			DBG1(DBG_LIB, "received NTRU public key with wrong OUI");
 			pubkey->destroy(pubkey);
-			return;
+			return FALSE;
 		}
 		this->pubkey = pubkey;
 
@@ -204,7 +204,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 		{
 			DBG1(DBG_LIB, "generation of shared secret failed");
 			chunk_free(&this->shared_secret);
-			return;
+			return FALSE;
 		}
 		this->computed = TRUE;
 
@@ -212,10 +212,11 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 		if (!pubkey->encrypt(pubkey, this->shared_secret, &this->ciphertext))
 		{
 			DBG1(DBG_LIB, "NTRU encryption of shared secret failed");
-			return;
+			return FALSE;
 		}
 		DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);
 	}
+	return this->computed;
 }
 
 METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
@@ -301,10 +302,10 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
 
 	drbg = ntru_drbg_create(strength, chunk_from_str("IKE NTRU-KE"), entropy);
 	if (!drbg)
- 	{
+	{
 		DBG1(DBG_LIB, "could not instantiate DRBG at %u bit security", strength);
 		entropy->destroy(entropy);
-        return NULL;
+		return NULL;
 	}
 
 	INIT(this,
@@ -326,4 +327,3 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/plugins/ntru/ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_poly.c
index 77ab54a5c..cb11601cd 100644
--- a/src/libstrongswan/plugins/ntru/ntru_poly.c
+++ b/src/libstrongswan/plugins/ntru/ntru_poly.c
@@ -16,8 +16,8 @@
  */
 
 #include "ntru_poly.h"
-#include "ntru_mgf1.h"
 
+#include <crypto/mgf1/mgf1_bitspender.h>
 #include <utils/debug.h>
 #include <utils/test.h>
 
@@ -297,22 +297,17 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
 										bool is_product_form)
 {
 	private_ntru_poly_t *this;
-	size_t hash_len, octet_count = 0, i;
-	uint8_t octets[HASH_SIZE_SHA512], *used, num_left = 0, num_needed;
-	uint16_t index, limit, left = 0;
 	int n, num_indices, index_i = 0;
-	ntru_mgf1_t *mgf1;
+	uint32_t index, limit;
+	uint8_t *used;
+	mgf1_bitspender_t *bitspender;
 
-	DBG2(DBG_LIB, "MGF1 is seeded with %u bytes", seed.len);
-	mgf1 = ntru_mgf1_create(alg, seed, TRUE);
-	if (!mgf1)
+	bitspender = mgf1_bitspender_create(alg, seed, TRUE);
+	if (!bitspender)
 	{
 	    return NULL;
 	}
-	i = hash_len = mgf1->get_hash_size(mgf1);
-
 	this = ntru_poly_create(N, q, indices_len_p, indices_len_m, is_product_form);
-
 	used = malloc(N);
 	limit = N * ((1 << c_bits) / N);
 
@@ -328,43 +323,12 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
 			/* generate a random candidate index with a size of c_bits */		
 			do
 			{
-				/* use any leftover bits first */
-				index = num_left ? left << (c_bits - num_left) : 0;
-
-				/* get the rest of the bits needed from new octets */
-				num_needed = c_bits - num_left;
-
-				while (num_needed)
+				if (!bitspender->get_bits(bitspender, c_bits, &index))
 				{
-					if (i == hash_len)
-					{
-						/* get another block from MGF1 */
-						if (!mgf1->get_mask(mgf1, hash_len, octets))
-						{
-							mgf1->destroy(mgf1);
-							destroy(this);
-							free(used);
-							return NULL;
-						}
-						octet_count += hash_len;
-						i = 0;
-					}
-					left = octets[i++];
-
-					if (num_needed <= 8)
-					{
-						/* all bits needed to fill the index are in this octet */
-						index |= left >> (8 - num_needed);
-						num_left = 8 - num_needed;
-						num_needed = 0;
-						left &= 0xff >> (8 - num_left);
-					}
-					else
-					{
-						/* more than one octet will be needed */
-						index |= left << (num_needed - 8);
-						num_needed -= 8;
-					}
+					bitspender->destroy(bitspender);
+					destroy(this);
+					free(used);
+					return NULL;
 				}
 			}
 			while (index >= limit);
@@ -380,9 +344,7 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
 		}
 	}
 
-	DBG2(DBG_LIB, "MGF1 generates %u octets to derive %u indices",
-				   octet_count, this->num_indices);
-	mgf1->destroy(mgf1);
+	bitspender->destroy(bitspender);
 	free(used);
 
 	return &this->public;
diff --git a/src/libstrongswan/plugins/ntru/ntru_trits.c b/src/libstrongswan/plugins/ntru/ntru_trits.c
index 1abb7671c..57b3532ef 100644
--- a/src/libstrongswan/plugins/ntru/ntru_trits.c
+++ b/src/libstrongswan/plugins/ntru/ntru_trits.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,9 +14,9 @@
  */
 
 #include "ntru_trits.h"
-#include "ntru_mgf1.h"
 #include "ntru_convert.h"
 
+#include <crypto/mgf1/mgf1_bitspender.h>
 #include <utils/debug.h>
 #include <utils/test.h>
 
@@ -70,17 +70,15 @@ METHOD(ntru_trits_t, destroy, void,
 ntru_trits_t *ntru_trits_create(size_t len, hash_algorithm_t alg, chunk_t seed)
 {
 	private_ntru_trits_t *this;
-	uint8_t octets[HASH_SIZE_SHA512], buf[5], *trits;
-	size_t hash_len, octet_count = 0, trits_needed, i;
-	ntru_mgf1_t *mgf1;
+	uint8_t octet, buf[5], *trits;
+	size_t trits_needed;
+	mgf1_bitspender_t *bitspender;
 
-	DBG2(DBG_LIB, "MGF1 is seeded with %u bytes", seed.len);
-	mgf1 = ntru_mgf1_create(alg, seed, TRUE);
-	if (!mgf1)
+	bitspender = mgf1_bitspender_create(alg, seed, TRUE);
+	if (!bitspender)
 	{
 	    return NULL;
 	}
-	i = hash_len = mgf1->get_hash_size(mgf1);
 
 	INIT(this,
 		.public = {
@@ -97,21 +95,15 @@ ntru_trits_t *ntru_trits_create(size_t len, hash_algorithm_t alg, chunk_t seed)
 
 	while (trits_needed > 0)
 	{
-		if (i == hash_len)
+		if (!bitspender->get_byte(bitspender, &octet))
 		{
-			/* get another block from MGF1 */
-			if (!mgf1->get_mask(mgf1, hash_len, octets))
-			{
-				mgf1->destroy(mgf1);
-				destroy(this);
-				return NULL;
-			}
-			octet_count += hash_len;
-			i = 0;
+			bitspender->destroy(bitspender);
+			destroy(this);
+			return NULL;
 		}
-		if (octets[i] < 243)  /* 243 = 3^5 */ 
+		if (octet < 243)  /* 243 = 3^5 */
 		{		
-			ntru_octet_2_trits(octets[i], (trits_needed < 5) ? buf : trits);
+			ntru_octet_2_trits(octet, (trits_needed < 5) ? buf : trits);
 			if (trits_needed < 5)
 			{
 				memcpy(trits, buf, trits_needed);
@@ -120,11 +112,8 @@ ntru_trits_t *ntru_trits_create(size_t len, hash_algorithm_t alg, chunk_t seed)
 			trits += 5;
 			trits_needed -= 5;
 		}
-		i++;
 	}
-	DBG2(DBG_LIB, "MGF1 generates %u octets to extract %u trits",
-				   octet_count, len);
-	mgf1->destroy(mgf1);
+	bitspender->destroy(bitspender);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index ac0db0150..a667ca47e 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -236,6 +236,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index 07b96b320..c2478a4ed 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -135,7 +135,7 @@ METHOD(crypter_t, get_block_size, size_t,
 METHOD(crypter_t, get_iv_size, size_t,
 	private_openssl_crypter_t *this)
 {
-	return this->cipher->block_size;
+	return this->cipher->iv_len;
 }
 
 METHOD(crypter_t, get_key_size, size_t,
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index ff3382473..2615d60a2 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -38,7 +38,7 @@ struct private_openssl_diffie_hellman_t {
 	/**
 	 * Diffie Hellman group number.
 	 */
-	u_int16_t group;
+	diffie_hellman_group_t group;
 
 	/**
 	 * Diffie Hellman object
@@ -61,36 +61,42 @@ struct private_openssl_diffie_hellman_t {
 	bool computed;
 };
 
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
 	private_openssl_diffie_hellman_t *this, chunk_t *value)
 {
 	*value = chunk_alloc(DH_size(this->dh));
 	memset(value->ptr, 0, value->len);
 	BN_bn2bin(this->dh->pub_key,
 			  value->ptr + value->len - BN_num_bytes(this->dh->pub_key));
+	return TRUE;
 }
 
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
 	private_openssl_diffie_hellman_t *this, chunk_t *secret)
 {
 	if (!this->computed)
 	{
-		return FAILED;
+		return FALSE;
 	}
 	/* shared secret should requires a len according the DH group */
 	*secret = chunk_alloc(DH_size(this->dh));
 	memset(secret->ptr, 0, secret->len);
 	memcpy(secret->ptr + secret->len - this->shared_secret.len,
 		   this->shared_secret.ptr, this->shared_secret.len);
-	return SUCCESS;
+	return TRUE;
 }
 
 
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
 	private_openssl_diffie_hellman_t *this, chunk_t value)
 {
 	int len;
 
+	if (!diffie_hellman_verify_value(this->group, value))
+	{
+		return FALSE;
+	}
+
 	BN_bin2bn(value.ptr, value.len, this->pub_key);
 	chunk_clear(&this->shared_secret);
 	this->shared_secret.ptr = malloc(DH_size(this->dh));
@@ -99,10 +105,11 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 	if (len < 0)
 	{
 		DBG1(DBG_LIB, "DH shared secret computation failed");
-		return;
+		return FALSE;
 	}
 	this->shared_secret.len = len;
 	this->computed = TRUE;
+	return TRUE;
 }
 
 METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index b487d59a5..550a5432f 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -40,7 +40,7 @@ struct private_openssl_ec_diffie_hellman_t {
 	/**
 	 * Diffie Hellman group number.
 	 */
-	u_int16_t group;
+	diffie_hellman_group_t group;
 
 	/**
 	 * EC private (public) key
@@ -216,40 +216,47 @@ error:
 	return ret;
 }
 
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
 	private_openssl_ec_diffie_hellman_t *this, chunk_t value)
 {
+	if (!diffie_hellman_verify_value(this->group, value))
+	{
+		return FALSE;
+	}
+
 	if (!chunk2ecp(this->ec_group, value, this->pub_key))
 	{
 		DBG1(DBG_LIB, "ECDH public value is malformed");
-		return;
+		return FALSE;
 	}
 
 	chunk_clear(&this->shared_secret);
 
 	if (!compute_shared_key(this, &this->shared_secret)) {
 		DBG1(DBG_LIB, "ECDH shared secret computation failed");
-		return;
+		return FALSE;
 	}
 
 	this->computed = TRUE;
+	return TRUE;
 }
 
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
 	private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
 {
 	ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE);
+	return TRUE;
 }
 
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
 	private_openssl_ec_diffie_hellman_t *this, chunk_t *secret)
 {
 	if (!this->computed)
 	{
-		return FAILED;
+		return FALSE;
 	}
 	*secret = chunk_clone(this->shared_secret);
-	return SUCCESS;
+	return TRUE;
 }
 
 METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 4bd958784..44603afb1 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index f9c5b9b52..4c982fdf5 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index 62780c384..f0e508abf 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -365,6 +365,29 @@ static status_t pem_to_bin(chunk_t *blob, bool *pgp)
 }
 
 /**
+ * Check if a blob looks like an ASN1 SEQUENCE or SET with BER indefinite length
+ */
+static bool is_ber_indefinite_length(chunk_t blob)
+{
+	if (blob.len >= 4)
+	{
+		switch (blob.ptr[0])
+		{
+			case ASN1_SEQUENCE:
+			case ASN1_SET:
+				/* BER indefinite length uses 0x80, and is terminated with
+				 * end-of-content using 0x00,0x00 */
+				return blob.ptr[1] == 0x80 &&
+					   blob.ptr[blob.len - 2] == 0 &&
+					   blob.ptr[blob.len - 1] == 0;
+			default:
+				break;
+		}
+	}
+	return FALSE;
+}
+
+/**
  * load the credential from a blob
  */
 static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
@@ -374,7 +397,7 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
 	bool pgp = FALSE;
 
 	blob = chunk_clone(blob);
-	if (!is_asn1(blob))
+	if (!is_ber_indefinite_length(blob) && !is_asn1(blob))
 	{
 		if (pem_to_bin(&blob, &pgp) != SUCCESS)
 		{
diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c
index df4b77cc3..35ea3e885 100644
--- a/src/libstrongswan/plugins/pem/pem_encoder.c
+++ b/src/libstrongswan/plugins/pem/pem_encoder.c
@@ -53,6 +53,11 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 					break;
 				}
 			}
+			if (cred_encoding_args(args, CRED_PART_BLISS_PUB_ASN1_DER,
+								   &asn1, CRED_PART_END))
+			{
+				break;
+			}
 			return FALSE;
 		case PRIVKEY_PEM:
 			label ="RSA PRIVATE KEY";
@@ -86,6 +91,12 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 				label ="EC PRIVATE KEY";
 				break;
 			}
+			if (cred_encoding_args(args, CRED_PART_BLISS_PRIV_ASN1_DER,
+								   &asn1, CRED_PART_END))
+			{
+				label ="BLISS PRIVATE KEY";
+				break;
+			}
 			return FALSE;
 		case CERT_PEM:
 			if (cred_encoding_args(args, CRED_PART_X509_ASN1_DER,
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c
index e7edd7b89..d5bcbb617 100644
--- a/src/libstrongswan/plugins/pem/pem_plugin.c
+++ b/src/libstrongswan/plugins/pem/pem_plugin.c
@@ -60,6 +60,9 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(PRIVKEY, KEY_DSA),
 				PLUGIN_DEPENDS(PRIVKEY, KEY_DSA),
 				PLUGIN_SDEPEND(HASHER, HASH_MD5),
+		PLUGIN_REGISTER(PRIVKEY, pem_private_key_load, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_BLISS),
+				PLUGIN_DEPENDS(PRIVKEY, KEY_BLISS),
 
 		/* public key PEM decoding */
 		PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE),
@@ -74,6 +77,8 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_DSA),
 				PLUGIN_DEPENDS(PUBKEY, KEY_DSA),
+		PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE),
+			PLUGIN_PROVIDE(PUBKEY, KEY_BLISS),
 
 		/* certificate PEM decoding */
 		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 8e351c273..4d4215bfe 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 445bc2d24..2a708364a 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
index c6661fcda..767b3acf2 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
@@ -63,11 +63,18 @@ static public_key_t *parse_public_key(chunk_t blob)
 				}
 				else if (oid == OID_EC_PUBLICKEY)
 				{
-					/* we need the whole subjectPublicKeyInfo for EC public keys */
+					/* Need the whole subjectPublicKeyInfo for EC public keys */
 					key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
 								KEY_ECDSA, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
 					goto end;
 				}
+				else if (oid == OID_BLISS_PUBLICKEY)
+				{
+					/* Need the whole subjectPublicKeyInfo for BLISS public keys */
+					key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+								KEY_BLISS, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+					goto end;
+				}
 				else
 				{
 					/* key type not supported */
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index 34e8d0caa..de033a3fb 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
index 36cc284bf..c0033bd8e 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
@@ -47,7 +47,7 @@ struct private_pkcs11_dh_t {
 	/**
 	 * Diffie Hellman group number.
 	 */
-	u_int16_t group;
+	diffie_hellman_group_t group;
 
 	/**
 	 * Handle for own private value
@@ -81,7 +81,7 @@ struct private_pkcs11_dh_t {
  *
  * If this succeeds the shared secret is stored in this->secret.
  */
-static void derive_secret(private_pkcs11_dh_t *this, chunk_t other)
+static bool derive_secret(private_pkcs11_dh_t *this, chunk_t other)
 {
 	CK_OBJECT_CLASS klass = CKO_SECRET_KEY;
 	CK_KEY_TYPE type = CKK_GENERIC_SECRET;
@@ -102,19 +102,25 @@ static void derive_secret(private_pkcs11_dh_t *this, chunk_t other)
 	if (rv != CKR_OK)
 	{
 		DBG1(DBG_CFG, "C_DeriveKey() error: %N", ck_rv_names, rv);
-		return;
+		return FALSE;
 	}
 	if (!this->lib->get_ck_attribute(this->lib, this->session, secret,
 									 CKA_VALUE, &this->secret))
 	{
 		chunk_free(&this->secret);
-		return;
+		return FALSE;
 	}
+	return TRUE;
 }
 
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
 	private_pkcs11_dh_t *this, chunk_t value)
 {
+	if (!diffie_hellman_verify_value(this->group, value))
+	{
+		return FALSE;
+	}
+
 	switch (this->group)
 	{
 		case ECP_192_BIT:
@@ -137,7 +143,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 			if (!lib->settings->get_bool(lib->settings,
 									"%s.ecp_x_coordinate_only", TRUE, lib->ns))
 			{	/* we only get the x coordinate back */
-				return;
+				return FALSE;
 			}
 			value = chunk_from_thing(params);
 			break;
@@ -145,24 +151,25 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 		default:
 			break;
 	}
-	derive_secret(this, value);
+	return derive_secret(this, value);
 }
 
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
 	private_pkcs11_dh_t *this, chunk_t *value)
 {
 	*value = chunk_clone(this->pub_key);
+	return TRUE;
 }
 
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
 	private_pkcs11_dh_t *this, chunk_t *secret)
 {
 	if (!this->secret.ptr)
 	{
-		return FAILED;
+		return FALSE;
 	}
 	*secret = chunk_clone(this->secret);
-	return SUCCESS;
+	return TRUE;
 }
 
 METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
@@ -443,4 +450,3 @@ pkcs11_dh_t *pkcs11_dh_create(diffie_hellman_group_t group,
 	}
 	return NULL;
 }
-
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
index 7661473b1..dc8a1f17a 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Tobias Brunner
+ * Copyright (C) 2011-2015 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2010 Martin Willi
@@ -21,6 +21,7 @@
 #include <dlfcn.h>
 
 #include <library.h>
+#include <asn1/asn1.h>
 #include <utils/debug.h>
 #include <threading/mutex.h>
 #include <collections/linked_list.h>
@@ -641,10 +642,37 @@ static void free_attrs(object_enumerator_t *this)
 }
 
 /**
+ * CKA_EC_POINT is encodeed as ASN.1 octet string, we can't handle that and
+ * some tokens actually return them even unwrapped.
+ *
+ * Because ASN1_OCTET_STRING is 0x04 and uncompressed EC_POINTs also begin with
+ * 0x04 (compressed ones with 0x02 or 0x03) there will be an attempt to parse
+ * unwrapped uncompressed EC_POINTs.  This will fail in most cases as the length
+ * will not be correct, however, there is a small chance that the key's first
+ * byte denotes the correct length.  Checking the first byte of the key should
+ * further reduce the risk of false positives, though.
+ *
+ * The original memory is freed if the value is unwrapped.
+ */
+static void unwrap_ec_point(chunk_t *data)
+{
+	chunk_t wrapped, unwrapped;
+
+	wrapped = unwrapped = *data;
+	if (asn1_unwrap(&unwrapped, &unwrapped) == ASN1_OCTET_STRING &&
+		unwrapped.len && unwrapped.ptr[0] >= 0x02 && unwrapped.ptr[0] <= 0x04)
+	{
+		*data = chunk_clone(unwrapped);
+		free(wrapped.ptr);
+	}
+}
+
+/**
  * Get attributes for a given object during enumeration
  */
 static bool get_attributes(object_enumerator_t *this, CK_OBJECT_HANDLE object)
 {
+	chunk_t data;
 	CK_RV rv;
 	int i;
 
@@ -677,6 +705,16 @@ static bool get_attributes(object_enumerator_t *this, CK_OBJECT_HANDLE object)
 		DBG1(DBG_CFG, "C_GetAttributeValue() error: %N", ck_rv_names, rv);
 		return FALSE;
 	}
+	for (i = 0; i < this->count; i++)
+	{
+		if (this->attr[i].type == CKA_EC_POINT)
+		{
+			data = chunk_create(this->attr[i].pValue, this->attr[i].ulValueLen);
+			unwrap_ec_point(&data);
+			this->attr[i].pValue = data.ptr;
+			this->attr[i].ulValueLen = data.len;
+		}
+	}
 	return TRUE;
 }
 
@@ -887,6 +925,10 @@ METHOD(pkcs11_library_t, get_ck_attribute, bool,
 		chunk_free(data);
 		return FALSE;
 	}
+	if (attr.type == CKA_EC_POINT)
+	{
+		unwrap_ec_point(data);
+	}
 	return TRUE;
 }
 
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index bb9cc7a21..bfc545972 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Tobias Brunner
+ * Copyright (C) 2011-2015 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2010 Martin Willi
@@ -23,6 +23,7 @@
 #include "pkcs11_public_key.h"
 
 #include <utils/debug.h>
+#include <asn1/asn1.h>
 
 typedef struct private_pkcs11_private_key_t private_pkcs11_private_key_t;
 
@@ -288,7 +289,23 @@ METHOD(private_key_t, sign, bool,
 		free(buf);
 		return FALSE;
 	}
-	*signature = chunk_create(buf, len);
+	switch (scheme)
+	{
+		case SIGN_ECDSA_WITH_SHA1_DER:
+		case SIGN_ECDSA_WITH_SHA256_DER:
+		case SIGN_ECDSA_WITH_SHA384_DER:
+		case SIGN_ECDSA_WITH_SHA512_DER:
+			/* return an ASN.1 encoded sequence of integers r and s */
+			len /= 2;
+			*signature = asn1_wrap(ASN1_SEQUENCE, "mm",
+								asn1_integer("c", chunk_create(buf, len)),
+								asn1_integer("c", chunk_create(buf+len, len)));
+			free(buf);
+			break;
+		default:
+			*signature = chunk_create(buf, len);
+			break;
+	}
 	return TRUE;
 }
 
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
index 0302c0edd..6d5211657 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Tobias Brunner
+ * Copyright (C) 2011-2015 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2010 Martin Willi
@@ -135,6 +135,7 @@ static const asn1Object_t pkinfoObjects[] = {
 /**
  * Extract the DER encoded Parameters and ECPoint from the given DER encoded
  * subjectPublicKeyInfo.
+ * Memory for ecpoint is allocated.
  */
 static bool parse_ecdsa_public_key(chunk_t blob, chunk_t *ecparams,
 								   chunk_t *ecpoint, size_t *keylen)
@@ -173,7 +174,9 @@ static bool parse_ecdsa_public_key(chunk_t blob, chunk_t *ecparams,
 				{	/* skip initial bit string octet defining 0 unused bits */
 					object = chunk_skip(object, 1);
 				}
-				*ecpoint = object;
+				/* the correct way to encode an EC_POINT in PKCS#11 is as
+				 * ASN.1 octet string */
+				*ecpoint = asn1_wrap(ASN1_OCTET_STRING, "c", object);
 				break;
 			}
 		}
@@ -205,7 +208,8 @@ METHOD(public_key_t, verify, bool,
 	CK_SESSION_HANDLE session;
 	CK_RV rv;
 	hash_algorithm_t hash_alg;
-	chunk_t hash = chunk_empty;
+	chunk_t hash = chunk_empty, parse, r, s;
+	size_t len;
 
 	mechanism = pkcs11_signature_scheme_to_mech(scheme, this->type, this->k,
 												&hash_alg);
@@ -215,9 +219,37 @@ METHOD(public_key_t, verify, bool,
 			 signature_scheme_names, scheme);
 		return FALSE;
 	}
-	if (sig.len && sig.ptr[0] == 0)
-	{	/* trim leading zero byte in sig */
-		sig = chunk_skip(sig, 1);
+	switch (scheme)
+	{
+		case SIGN_ECDSA_WITH_SHA1_DER:
+		case SIGN_ECDSA_WITH_SHA256_DER:
+		case SIGN_ECDSA_WITH_SHA384_DER:
+		case SIGN_ECDSA_WITH_SHA512_DER:
+			/* PKCS#11 expects the ECDSA signatures as simple concatenation of
+			 * r and s, so unwrap the ASN.1 encoded sequence */
+			parse = sig;
+			if (asn1_unwrap(&parse, &parse) != ASN1_SEQUENCE ||
+				asn1_unwrap(&parse, &r) != ASN1_INTEGER ||
+				asn1_unwrap(&parse, &s) != ASN1_INTEGER)
+			{
+				return FALSE;
+			}
+			r = chunk_skip_zero(r);
+			s = chunk_skip_zero(s);
+			len = (get_keysize(this) + 7) / 8;
+			if (r.len > len || s.len > len)
+			{
+				return FALSE;
+			}
+			/* concatenate r and s (forced to the defined length) */
+			sig = chunk_alloca(2*len);
+			memset(sig.ptr, 0, sig.len);
+			memcpy(sig.ptr + (len - r.len), r.ptr, r.len);
+			memcpy(sig.ptr + len + (len - s.len), s.ptr, s.len);
+			break;
+		default:
+			sig = chunk_skip_zero(sig);
+			break;
 	}
 	rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION, NULL, NULL,
 									 &session);
@@ -776,11 +808,11 @@ pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args)
 		if (parse_ecdsa_public_key(blob, &ecparams, &ecpoint, &keylen))
 		{
 			this = find_ecdsa_key(ecparams, ecpoint, keylen);
-			if (this)
+			if (!this)
 			{
-				return &this->public;
+				this = create_ecdsa_key(ecparams, ecpoint, keylen);
 			}
-			this = create_ecdsa_key(ecparams, ecpoint, keylen);
+			chunk_free(&ecpoint);
 			if (this)
 			{
 				return &this->public;
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in
index d90cd3532..3fa0a3890 100644
--- a/src/libstrongswan/plugins/pkcs12/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
index f6534f087..3266e5d5f 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 0756db856..2130c9c93 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 1fec1b3ea..f7ac347d2 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -380,7 +380,15 @@ static plugin_entry_t *load_plugin(private_plugin_loader_t *this, char *name,
 			return NULL;
 		}
 	}
-	handle = dlopen(file, RTLD_LAZY);
+	handle = dlopen(file, RTLD_LAZY
+#ifdef RTLD_NODELETE
+	/* if supported, do not unload library when unloading a plugin. It really
+	 * doesn't matter in productive systems, but causes many (dependency)
+	 * library reloads during unit tests. Some libraries can't handle that,
+	 * GnuTLS leaks file descriptors in its library load/unload functions. */
+					| RTLD_NODELETE
+#endif
+					);
 	if (handle == NULL)
 	{
 		DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror());
@@ -1283,9 +1291,9 @@ METHOD(plugin_loader_t, status, void,
 
 		if (this->stats.failed)
 		{
-			dbg(DBG_LIB, level, "unable to load %d plugin feature%s (%d due to "
-				"unmet dependencies)", this->stats.failed,
-				this->stats.failed == 1 ? "" : "s", this->stats.depends);
+			DBG2(DBG_LIB, "unable to load %d plugin feature%s (%d due to unmet "
+				 "dependencies)", this->stats.failed,
+				 this->stats.failed == 1 ? "" : "s", this->stats.depends);
 		}
 	}
 }
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index fcdbe9450..a9f3dd14c 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index fb6c9ae43..11a13463b 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in
index d84b1ba17..b81acef55 100644
--- a/src/libstrongswan/plugins/rc2/Makefile.in
+++ b/src/libstrongswan/plugins/rc2/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
index 967e8625d..028464bf3 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.in
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 127482635..342c544d9 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 70a98b006..18771e4f9 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index f7d11beb1..6aaa06b20 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index ee96f08c2..02290b4a2 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index b9f949bcf..3e234f1ca 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in
index b66302e1a..a8d5a1020 100644
--- a/src/libstrongswan/plugins/sshkey/Makefile.in
+++ b/src/libstrongswan/plugins/sshkey/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 8d7c667d8..8980ec46c 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -243,6 +243,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -303,10 +304,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -380,6 +383,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
index 02f4ccd8a..c84717bdc 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.in
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/winhttp/Makefile.in b/src/libstrongswan/plugins/winhttp/Makefile.in
index fb87917a2..f8db1ffac 100644
--- a/src/libstrongswan/plugins/winhttp/Makefile.in
+++ b/src/libstrongswan/plugins/winhttp/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 23a6b3ba3..b31bfbed1 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index ed58377a6..bfc200421 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
  * Copyright (C) 2003 Martin Berner, Lukas Suter
- * Copyright (C) 2002-2009 Andreas Steffen
+ * Copyright (C) 2002-2014 Andreas Steffen
  * Copyright (C) 2009 Martin Willi
  *
  * HSR Hochschule fuer Technik Rapperswil
@@ -557,7 +557,7 @@ static bool parse_certificate(private_x509_ac_t *this)
 				}
 				break;
 			case AC_OBJ_SIGNATURE:
-				this->signature = object;
+				this->signature = chunk_skip(object, 1);
 				break;
 			default:
 				break;
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index bdc8234c9..96280a033 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1465,7 +1465,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 				}
 				break;
 			case X509_OBJ_SIGNATURE:
-				this->signature = object;
+				this->signature = chunk_skip(object, 1);
 				break;
 			default:
 				break;
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index d6057c30f..4d7e7bd10 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -347,7 +347,7 @@ static bool parse(private_x509_crl_t *this)
 				break;
 			}
 			case CRL_OBJ_SIGNATURE:
-				this->signature = object;
+				this->signature = chunk_skip(object, 1);
 				break;
 			default:
 				break;
@@ -451,6 +451,7 @@ METHOD(certificate_t, issued_by, bool,
 	signature_scheme_t scheme;
 	bool valid;
 	x509_t *x509 = (x509_t*)issuer;
+	chunk_t keyid = chunk_empty;
 
 	/* check if issuer is an X.509 CA certificate */
 	if (issuer->get_type(issuer) != CERT_X509)
@@ -462,21 +463,16 @@ METHOD(certificate_t, issued_by, bool,
 		return FALSE;
 	}
 
-	/* get the public key of the issuer */
-	key = issuer->get_public_key(issuer);
-
 	/* compare keyIdentifiers if available, otherwise use DNs */
-	if (this->authKeyIdentifier.ptr && key)
+	if (this->authKeyIdentifier.ptr)
 	{
-		chunk_t fingerprint;
-
-		if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
-			!chunk_equals(fingerprint, this->authKeyIdentifier))
+		keyid = x509->get_subjectKeyIdentifier(x509);
+		if (keyid.len && !chunk_equals(keyid, this->authKeyIdentifier))
 		{
 			return FALSE;
 		}
 	}
-	else
+	if (!keyid.len)
 	{
 		if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
 		{
@@ -484,10 +480,13 @@ METHOD(certificate_t, issued_by, bool,
 		}
 	}
 
-	/* determine signature scheme */
 	scheme = signature_scheme_from_oid(this->algorithm);
-
-	if (scheme == SIGN_UNKNOWN || key == NULL)
+	if (scheme == SIGN_UNKNOWN)
+	{
+		return FALSE;
+	}
+	key = issuer->get_public_key(issuer);
+	if (!key)
 	{
 		return FALSE;
 	}
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index ff0f0231f..eb5b01986 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2007 Andreas Steffen
+ * Copyright (C) 2007-2014 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
  *
@@ -265,6 +265,10 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
 			oid = OID_ECDSA_WITH_SHA1;
 			scheme = SIGN_ECDSA_WITH_SHA1_DER;
 			break;
+		case KEY_BLISS:
+			oid = OID_BLISS_WITH_SHA512;
+			scheme = SIGN_BLISS_WITH_SHA512;
+			break;
 		default:
 			DBG1(DBG_LIB, "unable to sign OCSP request, %N signature not "
 				 "supported", key_type_names, this->key->get_type(this->key));
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index ad04c7dea..60133fc7f 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -1,6 +1,6 @@
 /**
  * Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2007 Andreas Steffen
+ * Copyright (C) 2007-2014 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
  *
@@ -537,7 +537,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
 												parser->get_level(parser)+1, NULL);
 				break;
 			case BASIC_RESPONSE_SIGNATURE:
-				this->signature = object;
+				this->signature = chunk_skip(object, 1);
 				break;
 			case BASIC_RESPONSE_CERTIFICATE:
 			{
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index 024b4dba5..20561f7e2 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -435,7 +435,7 @@ static bool parse_certificate_request(private_x509_pkcs10_t *this)
 				this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
 				break;
 			case PKCS10_SIGNATURE:
-				this->signature = object;
+				this->signature = chunk_skip(object, 1);
 				break;
 			default:
 				break;
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index ffcee547c..6c9901e6c 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c
index 802c8a39f..d852a2932 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc.c
@@ -219,6 +219,10 @@ METHOD(mac_t, set_key, bool,
 {
 	chunk_t iv, k1, lengthened;
 
+	memset(this->e, 0, this->b);
+	this->remaining_bytes = 0;
+	this->zero = TRUE;
+
 	/* we support variable keys from RFC4434 */
 	if (key.len == this->b)
 	{
diff --git a/src/libstrongswan/processing/processor.h b/src/libstrongswan/processing/processor.h
index f96530e54..ee08870fb 100644
--- a/src/libstrongswan/processing/processor.h
+++ b/src/libstrongswan/processing/processor.h
@@ -23,6 +23,8 @@
 #ifndef PROCESSOR_H_
 #define PROCESSOR_H_
 
+#include <utils/utils.h>
+
 typedef struct processor_t processor_t;
 
 #include <stdlib.h>
diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
index 3f1598fc4..d90852561 100644
--- a/src/libstrongswan/processing/scheduler.c
+++ b/src/libstrongswan/processing/scheduler.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -300,16 +300,26 @@ METHOD(scheduler_t, schedule_job_ms, void,
 	schedule_job_tv(this, job, tv);
 }
 
-METHOD(scheduler_t, destroy, void,
+METHOD(scheduler_t, flush, void,
 	private_scheduler_t *this)
 {
 	event_t *event;
-	this->condvar->destroy(this->condvar);
-	this->mutex->destroy(this->mutex);
+
+	this->mutex->lock(this->mutex);
 	while ((event = remove_event(this)) != NULL)
 	{
 		event_destroy(event);
 	}
+	this->condvar->signal(this->condvar);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(scheduler_t, destroy, void,
+	private_scheduler_t *this)
+{
+	flush(this);
+	this->condvar->destroy(this->condvar);
+	this->mutex->destroy(this->mutex);
 	free(this->heap);
 	free(this);
 }
@@ -328,6 +338,7 @@ scheduler_t * scheduler_create()
 			.schedule_job = _schedule_job,
 			.schedule_job_ms = _schedule_job_ms,
 			.schedule_job_tv = _schedule_job_tv,
+			.flush = _flush,
 			.destroy = _destroy,
 		},
 		.heap_size = HEAP_SIZE_DEFAULT,
diff --git a/src/libstrongswan/processing/scheduler.h b/src/libstrongswan/processing/scheduler.h
index abbf74e2c..7f91fcc59 100644
--- a/src/libstrongswan/processing/scheduler.h
+++ b/src/libstrongswan/processing/scheduler.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2009-2015 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -115,6 +115,11 @@ struct scheduler_t {
 	u_int (*get_job_load) (scheduler_t *this);
 
 	/**
+	 * Remove all scheduled jobs.
+	 */
+	void (*flush)(scheduler_t *this);
+
+	/**
 	 * Destroys a scheduler object.
 	 */
 	void (*destroy) (scheduler_t *this);
diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
index d4de2a907..5b94208bf 100644
--- a/src/libstrongswan/processing/watcher.c
+++ b/src/libstrongswan/processing/watcher.c
@@ -24,9 +24,6 @@
 
 #include <unistd.h>
 #include <errno.h>
-#ifndef WIN32
-#include <sys/select.h>
-#endif
 #include <fcntl.h>
 
 typedef struct private_watcher_t private_watcher_t;
@@ -121,11 +118,7 @@ static void update(private_watcher_t *this)
 	this->pending = TRUE;
 	if (this->notify[1] != -1)
 	{
-#ifdef WIN32
-		if (send(this->notify[1], buf, sizeof(buf), 0) == -1)
-#else
 		if (write(this->notify[1], buf, sizeof(buf)) == -1)
-#endif
 		{
 			DBG1(DBG_JOB, "notifying watcher failed: %s", strerror(errno));
 		}
@@ -245,23 +238,57 @@ static void activate_all(private_watcher_t *this)
 }
 
 /**
+ * Find flagged revents in a pollfd set by fd
+ */
+static int find_revents(struct pollfd *pfd, int count, int fd)
+{
+	int i;
+
+	for (i = 0; i < count; i++)
+	{
+		if (pfd[i].fd == fd)
+		{
+			return pfd[i].revents;
+		}
+	}
+	return 0;
+}
+
+/**
+ * Check if entry is waiting for a specific event, and if it got signaled
+ */
+static bool entry_ready(entry_t *entry, watcher_event_t event, int revents)
+{
+	if (entry->events & event)
+	{
+		switch (event)
+		{
+			case WATCHER_READ:
+				return (revents & (POLLIN | POLLHUP | POLLNVAL)) != 0;
+			case WATCHER_WRITE:
+				return (revents & (POLLOUT | POLLHUP | POLLNVAL)) != 0;
+			case WATCHER_EXCEPT:
+				return (revents & (POLLERR | POLLHUP | POLLNVAL)) != 0;
+		}
+	}
+	return FALSE;
+}
+
+/**
  * Dispatching function
  */
 static job_requeue_t watch(private_watcher_t *this)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
-	fd_set rd, wr, ex;
-	int maxfd = 0, res;
+	struct pollfd *pfd;
+	int count = 0, res;
 	bool rebuild = FALSE;
 
-	FD_ZERO(&rd);
-	FD_ZERO(&wr);
-	FD_ZERO(&ex);
-
 	this->mutex->lock(this->mutex);
 
-	if (this->fds->get_count(this->fds) == 0)
+	count = this->fds->get_count(this->fds);
+	if (count == 0)
 	{
 		this->state = WATCHER_STOPPED;
 		this->mutex->unlock(this->mutex);
@@ -272,33 +299,34 @@ static job_requeue_t watch(private_watcher_t *this)
 		this->state = WATCHER_RUNNING;
 	}
 
-	if (this->notify[0] != -1)
-	{
-		FD_SET(this->notify[0], &rd);
-		maxfd = this->notify[0];
-	}
+	pfd = alloca(sizeof(*pfd) * (count + 1));
+	pfd[0].fd = this->notify[0];
+	pfd[0].events = POLLIN;
+	count = 1;
 
 	enumerator = this->fds->create_enumerator(this->fds);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
 		if (!entry->in_callback)
 		{
+			pfd[count].fd = entry->fd;
+			pfd[count].events = 0;
 			if (entry->events & WATCHER_READ)
 			{
 				DBG3(DBG_JOB, "  watching %d for reading", entry->fd);
-				FD_SET(entry->fd, &rd);
+				pfd[count].events |= POLLIN;
 			}
 			if (entry->events & WATCHER_WRITE)
 			{
 				DBG3(DBG_JOB, "  watching %d for writing", entry->fd);
-				FD_SET(entry->fd, &wr);
+				pfd[count].events |= POLLOUT;
 			}
 			if (entry->events & WATCHER_EXCEPT)
 			{
 				DBG3(DBG_JOB, "  watching %d for exceptions", entry->fd);
-				FD_SET(entry->fd, &ex);
+				pfd[count].events |= POLLERR;
 			}
-			maxfd = max(maxfd, entry->fd);
+			count++;
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -306,30 +334,27 @@ static job_requeue_t watch(private_watcher_t *this)
 
 	while (!rebuild)
 	{
+		int revents;
 		char buf[1];
 		bool old;
 		ssize_t len;
 		job_t *job;
 
-		DBG2(DBG_JOB, "watcher going to select()");
+		DBG2(DBG_JOB, "watcher going to poll() %d fds", count);
 		thread_cleanup_push((void*)activate_all, this);
 		old = thread_cancelability(TRUE);
 
-		res = select(maxfd + 1, &rd, &wr, &ex, NULL);
+		res = poll(pfd, count, -1);
 		thread_cancelability(old);
 		thread_cleanup_pop(FALSE);
 
 		if (res > 0)
 		{
-			if (this->notify[0] != -1 && FD_ISSET(this->notify[0], &rd))
+			if (pfd[0].revents & POLLIN)
 			{
 				while (TRUE)
 				{
-#ifdef WIN32
-					len = recv(this->notify[0], buf, sizeof(buf), 0);
-#else
 					len = read(this->notify[0], buf, sizeof(buf));
-#endif
 					if (len == -1)
 					{
 						if (errno != EAGAIN && errno != EWOULDBLOCK)
@@ -354,21 +379,25 @@ static job_requeue_t watch(private_watcher_t *this)
 					rebuild = TRUE;
 					break;
 				}
-				if (FD_ISSET(entry->fd, &rd) && (entry->events & WATCHER_READ))
-				{
-					DBG2(DBG_JOB, "watched FD %d ready to read", entry->fd);
-					notify(this, entry, WATCHER_READ);
-				}
-				if (FD_ISSET(entry->fd, &wr) && (entry->events & WATCHER_WRITE))
-				{
-					DBG2(DBG_JOB, "watched FD %d ready to write", entry->fd);
-					notify(this, entry, WATCHER_WRITE);
-				}
-				if (FD_ISSET(entry->fd, &ex) && (entry->events & WATCHER_EXCEPT))
+				revents = find_revents(pfd, count, entry->fd);
+				if (entry_ready(entry, WATCHER_EXCEPT, revents))
 				{
 					DBG2(DBG_JOB, "watched FD %d has exception", entry->fd);
 					notify(this, entry, WATCHER_EXCEPT);
 				}
+				else
+				{
+					if (entry_ready(entry, WATCHER_READ, revents))
+					{
+						DBG2(DBG_JOB, "watched FD %d ready to read", entry->fd);
+						notify(this, entry, WATCHER_READ);
+					}
+					if (entry_ready(entry, WATCHER_WRITE, revents))
+					{
+						DBG2(DBG_JOB, "watched FD %d ready to write", entry->fd);
+						notify(this, entry, WATCHER_WRITE);
+					}
+				}
 			}
 			enumerator->destroy(enumerator);
 			this->mutex->unlock(this->mutex);
@@ -388,7 +417,7 @@ static job_requeue_t watch(private_watcher_t *this)
 		{
 			if (!this->pending && errno != EINTR)
 			{	/* complain only if no pending updates */
-				DBG1(DBG_JOB, "watcher select() error: %s", strerror(errno));
+				DBG1(DBG_JOB, "watcher poll() error: %s", strerror(errno));
 			}
 			return JOB_REQUEUE_DIRECT;
 		}
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index 94b77467a..3b7f8c5a0 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -449,41 +449,9 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
 }
 
 METHOD(traffic_selector_t, equals, bool,
-	private_traffic_selector_t *this, traffic_selector_t *other_public)
+	private_traffic_selector_t *this, traffic_selector_t *other)
 {
-	private_traffic_selector_t *other;
-
-	other = (private_traffic_selector_t*)other_public;
-	if (this->type != other->type)
-	{
-		return FALSE;
-	}
-	if (!(this->from_port == other->from_port &&
-		  this->to_port == other->to_port &&
-		  this->protocol == other->protocol))
-	{
-		return FALSE;
-	}
-	switch (this->type)
-	{
-		case TS_IPV4_ADDR_RANGE:
-			if (memeq(this->from4, other->from4, sizeof(this->from4)) &&
-				memeq(this->to4, other->to4, sizeof(this->to4)))
-			{
-				return TRUE;
-			}
-			break;
-		case TS_IPV6_ADDR_RANGE:
-			if (memeq(this->from6, other->from6, sizeof(this->from6)) &&
-				memeq(this->to6, other->to6, sizeof(this->to6)))
-			{
-				return TRUE;
-			}
-			break;
-		default:
-			break;
-	}
-	return FALSE;
+	return traffic_selector_cmp(&this->public, other, NULL) == 0;
 }
 
 METHOD(traffic_selector_t, get_from_address, chunk_t,
@@ -717,12 +685,96 @@ METHOD(traffic_selector_t, clone_, traffic_selector_t*,
 	}
 }
 
+METHOD(traffic_selector_t, hash, u_int,
+	private_traffic_selector_t *this, u_int hash)
+{
+	return chunk_hash_inc(get_from_address(this),
+			chunk_hash_inc(get_to_address(this),
+			 chunk_hash_inc(chunk_from_thing(this->from_port),
+			  chunk_hash_inc(chunk_from_thing(this->to_port),
+			   chunk_hash_inc(chunk_from_thing(this->protocol),
+				hash)))));
+}
+
 METHOD(traffic_selector_t, destroy, void,
 	private_traffic_selector_t *this)
 {
 	free(this);
 }
 
+/**
+ * Compare two integers
+ */
+static int compare_int(int a, int b)
+{
+	return a - b;
+}
+
+/*
+ * See header
+ */
+int traffic_selector_cmp(traffic_selector_t *a_pub, traffic_selector_t *b_pub,
+						 void *opts)
+{
+	private_traffic_selector_t *a, *b;
+	int res;
+
+	a = (private_traffic_selector_t*)a_pub;
+	b = (private_traffic_selector_t*)b_pub;
+
+	/* IPv4 before IPv6 */
+	res = compare_int(a->type, b->type);
+	if (res)
+	{
+		return res;
+	}
+	switch (a->type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			/* lower starting subnets first */
+			res = memcmp(a->from4, b->from4, sizeof(a->from4));
+			if (res)
+			{
+				return res;
+			}
+			/* larger subnets first */
+			res = memcmp(b->to4, a->to4, sizeof(a->to4));
+			if (res)
+			{
+				return res;
+			}
+			break;
+		case TS_IPV6_ADDR_RANGE:
+			res = memcmp(a->from6, b->from6, sizeof(a->from6));
+			if (res)
+			{
+				return res;
+			}
+			res = memcmp(b->to6, a->to6, sizeof(a->to6));
+			if (res)
+			{
+				return res;
+			}
+			break;
+		default:
+			return 1;
+	}
+	/* lower protocols first */
+	res = compare_int(a->protocol, b->protocol);
+	if (res)
+	{
+		return res;
+	}
+	/* lower starting ports first */
+	res = compare_int(a->from_port, b->from_port);
+	if (res)
+	{
+		return res;
+	}
+	/* larger port ranges first */
+	return compare_int(b->to_port, a->to_port);
+}
+
 /*
  * see header
  */
@@ -933,6 +985,7 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 			.set_address = _set_address,
 			.to_subnet = _to_subnet,
 			.clone = _clone_,
+			.hash = _hash,
 			.destroy = _destroy,
 		},
 		.from_port = from_port,
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
index ab6813acc..cf9a2861b 100644
--- a/src/libstrongswan/selectors/traffic_selector.h
+++ b/src/libstrongswan/selectors/traffic_selector.h
@@ -221,6 +221,14 @@ struct traffic_selector_t {
 	bool (*to_subnet) (traffic_selector_t *this, host_t **net, u_int8_t *mask);
 
 	/**
+	 * Create a hash value for the traffic selector.
+	 *
+	 * @param inc		optional value for incremental hashing
+	 * @return			calculated hash value for the traffic selector
+	 */
+	u_int (*hash)(traffic_selector_t *this, u_int inc);
+
+	/**
 	 * Destroys the ts object
 	 */
 	void (*destroy) (traffic_selector_t *this);
@@ -249,6 +257,17 @@ static inline u_int8_t traffic_selector_icmp_code(u_int16_t port)
 }
 
 /**
+ * Compare two traffic selectors, usable as sort function
+ *
+ * @param a				first selector to compare
+ * @param b				second selector to compare
+ * @param opts			optional sort options, currently unused
+ * @return				> 0 if a > b, 0 if a == b, < 0 if a < b
+ */
+int traffic_selector_cmp(traffic_selector_t *a, traffic_selector_t *b,
+						 void *opts);
+
+/**
  * Create a new traffic selector using human readable params.
  *
  * If protocol is ICMP or ICMPv6 the ports are interpreted as follows:  If they
diff --git a/src/libstrongswan/settings/settings_lexer.c b/src/libstrongswan/settings/settings_lexer.c
index 76433012a..0d71a1d01 100644
--- a/src/libstrongswan/settings/settings_lexer.c
+++ b/src/libstrongswan/settings/settings_lexer.c
@@ -456,8 +456,8 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner );
 	yyg->yy_c_buf_p = yy_cp;
 
 /* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */
-#define YY_NUM_RULES 25
-#define YY_END_OF_BUFFER 26
+#define YY_NUM_RULES 26
+#define YY_END_OF_BUFFER 27
 /* This struct is not used in this scanner,
    but its presence is necessary. */
 struct yy_trans_info
@@ -465,31 +465,32 @@ struct yy_trans_info
 	flex_int32_t yy_verify;
 	flex_int32_t yy_nxt;
 	};
-static yyconst flex_int16_t yy_accept[50] =
+static yyconst flex_int16_t yy_accept[52] =
     {   0,
-        0,    0,    0,    0,    0,    0,   26,    9,    2,    3,
+        0,    0,    0,    0,    0,    0,   27,    9,    2,    3,
         8,    1,    6,    9,    4,    5,   14,   10,   11,   12,
-       24,   16,   15,   17,    9,    2,    1,    1,    3,    9,
-       14,   13,   24,   23,   21,   22,   18,   19,   20,    1,
-        9,    9,    9,    9,    9,    0,    7,    7,    0
+       25,   16,   15,   17,    9,    2,    1,    1,    3,    9,
+       14,   13,   25,   24,   23,   24,   21,   22,   18,   19,
+       20,    1,    9,    9,    9,    9,    9,    0,    7,    7,
+        0
     } ;
 
 static yyconst flex_int32_t yy_ec[256] =
     {   0,
         1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
+        1,    1,    4,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    5,    1,    6,    7,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    4,    1,    5,    6,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        8,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        7,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    8,    1,    1,    1,    1,    1,    9,   10,   11,
+        1,    9,    1,    1,    1,    1,    1,   10,   11,   12,
 
-       12,   13,    1,    1,   14,    1,    1,   15,    1,   16,
-        1,    1,    1,   17,    1,   18,   19,    1,    1,    1,
-        1,    1,   20,    1,   21,    1,    1,    1,    1,    1,
+       13,   14,    1,    1,   15,    1,    1,   16,    1,   17,
+        1,    1,    1,   18,    1,   19,   20,    1,    1,    1,
+        1,    1,   21,    1,   22,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
@@ -506,88 +507,92 @@ static yyconst flex_int32_t yy_ec[256] =
         1,    1,    1,    1,    1
     } ;
 
-static yyconst flex_int32_t yy_meta[22] =
+static yyconst flex_int32_t yy_meta[23] =
     {   0,
-        1,    2,    3,    4,    5,    4,    6,    7,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    8,
-        4
+        1,    2,    3,    1,    4,    5,    4,    6,    7,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        8,    4
     } ;
 
-static yyconst flex_int16_t yy_base[60] =
+static yyconst flex_int16_t yy_base[62] =
     {   0,
-        0,    0,   20,   40,   24,   28,   63,    0,   33,  145,
-      145,   57,  145,   43,  145,  145,    0,  145,  145,    0,
-        0,  145,  145,   53,    0,   45,    0,   55,  145,   47,
-        0,  145,    0,  145,  145,  145,  145,  145,  145,    0,
-       41,   35,   23,   18,   36,   48,  145,   51,  145,   71,
-       79,   87,   94,  102,  107,  112,  120,  128,  136
+        0,    0,   21,   42,   26,   28,   63,    0,   31,  155,
+      155,   59,  155,   44,  155,  155,    0,  155,  155,    0,
+        0,  155,  155,   62,    0,   48,    0,   57,  155,   47,
+        0,  155,    0,  155,  155,   49,  155,  155,  155,  155,
+      155,    0,   30,   21,   28,   12,   37,   52,  155,   54,
+      155,   81,   89,   97,  104,  112,  117,  122,  130,  138,
+      146
     } ;
 
-static yyconst flex_int16_t yy_def[60] =
+static yyconst flex_int16_t yy_def[62] =
     {   0,
-       49,    1,   50,   50,   51,   51,   49,   52,   49,   49,
-       49,   53,   49,   52,   49,   49,   54,   49,   49,   55,
-       56,   49,   49,   57,   52,   49,   58,   53,   49,   52,
-       54,   49,   56,   49,   49,   49,   49,   49,   49,   58,
-       52,   52,   52,   52,   52,   59,   49,   59,    0,   49,
-       49,   49,   49,   49,   49,   49,   49,   49,   49
+       51,    1,   52,   52,   53,   53,   51,   54,   51,   51,
+       51,   55,   51,   54,   51,   51,   56,   51,   51,   57,
+       58,   51,   51,   59,   54,   51,   60,   55,   51,   54,
+       56,   51,   58,   51,   51,   51,   51,   51,   51,   51,
+       51,   60,   54,   54,   54,   54,   54,   61,   51,   61,
+        0,   51,   51,   51,   51,   51,   51,   51,   51,   51,
+       51
     } ;
 
-static yyconst flex_int16_t yy_nxt[167] =
+static yyconst flex_int16_t yy_nxt[178] =
     {   0,
-        8,    9,   10,    9,   11,   12,   13,    8,    8,    8,
-        8,    8,    8,   14,    8,    8,    8,    8,    8,   15,
-       16,   18,   18,   18,   19,   18,   22,   20,   23,   45,
-       22,   24,   23,   44,   26,   24,   26,   46,   27,   46,
-       18,   18,   18,   18,   19,   18,   26,   20,   26,   48,
-       27,   48,   48,   43,   48,   42,   41,   29,   30,   29,
-       18,   35,   49,   49,   49,   36,   49,   49,   37,   38,
-       39,   17,   17,   17,   17,   17,   17,   17,   17,   21,
-       21,   21,   21,   21,   21,   21,   21,   25,   49,   49,
-       49,   49,   49,   25,   28,   28,   28,   28,   28,   28,
-
-       28,   28,   31,   49,   49,   49,   49,   31,   49,   31,
-       32,   32,   33,   33,   49,   33,   49,   33,   49,   33,
-       34,   34,   34,   34,   34,   34,   34,   34,   40,   40,
-       49,   40,   40,   40,   40,   40,   47,   47,   47,   47,
-       47,   49,   47,   47,    7,   49,   49,   49,   49,   49,
-       49,   49,   49,   49,   49,   49,   49,   49,   49,   49,
-       49,   49,   49,   49,   49,   49
+        8,    9,   10,    8,    9,   11,   12,   13,    8,    8,
+        8,    8,    8,    8,   14,    8,    8,    8,    8,    8,
+       15,   16,   18,   18,   47,   18,   19,   18,   22,   20,
+       22,   23,   26,   23,   24,   26,   24,   27,   48,   46,
+       45,   48,   18,   18,   18,   44,   18,   19,   18,   26,
+       20,   35,   26,   50,   27,   50,   50,   43,   50,   29,
+       30,   29,   51,   18,   35,   36,   51,   51,   51,   51,
+       51,   37,   51,   51,   51,   38,   51,   51,   39,   40,
+       41,   17,   17,   17,   17,   17,   17,   17,   17,   21,
+       21,   21,   21,   21,   21,   21,   21,   25,   51,   51,
+
+       51,   51,   51,   25,   28,   28,   28,   28,   28,   28,
+       28,   28,   31,   51,   51,   51,   51,   31,   51,   31,
+       32,   32,   33,   33,   51,   33,   51,   33,   51,   33,
+       34,   34,   34,   34,   34,   34,   34,   34,   42,   42,
+       51,   42,   42,   42,   42,   42,   49,   49,   49,   49,
+       49,   51,   49,   49,    7,   51,   51,   51,   51,   51,
+       51,   51,   51,   51,   51,   51,   51,   51,   51,   51,
+       51,   51,   51,   51,   51,   51,   51
     } ;
 
-static yyconst flex_int16_t yy_chk[167] =
+static yyconst flex_int16_t yy_chk[178] =
     {   0,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    3,    3,    3,    3,    3,    5,    3,    5,   44,
-        6,    5,    6,   43,    9,    6,    9,   45,    9,   45,
-        3,    4,    4,    4,    4,    4,   26,    4,   26,   46,
-       26,   46,   48,   42,   48,   41,   30,   28,   14,   12,
-        4,   24,    7,    0,    0,   24,    0,    0,   24,   24,
-       24,   50,   50,   50,   50,   50,   50,   50,   50,   51,
-       51,   51,   51,   51,   51,   51,   51,   52,    0,    0,
-        0,    0,    0,   52,   53,   53,   53,   53,   53,   53,
-
-       53,   53,   54,    0,    0,    0,    0,   54,    0,   54,
-       55,   55,   56,   56,    0,   56,    0,   56,    0,   56,
-       57,   57,   57,   57,   57,   57,   57,   57,   58,   58,
-        0,   58,   58,   58,   58,   58,   59,   59,   59,   59,
-       59,    0,   59,   59,   49,   49,   49,   49,   49,   49,
-       49,   49,   49,   49,   49,   49,   49,   49,   49,   49,
-       49,   49,   49,   49,   49,   49
+        1,    1,    3,    3,   46,    3,    3,    3,    5,    3,
+        6,    5,    9,    6,    5,    9,    6,    9,   47,   45,
+       44,   47,    3,    4,    4,   43,    4,    4,    4,   26,
+        4,   36,   26,   48,   26,   50,   48,   30,   50,   28,
+       14,   12,    7,    4,   24,   24,    0,    0,    0,    0,
+        0,   24,    0,    0,    0,   24,    0,    0,   24,   24,
+       24,   52,   52,   52,   52,   52,   52,   52,   52,   53,
+       53,   53,   53,   53,   53,   53,   53,   54,    0,    0,
+
+        0,    0,    0,   54,   55,   55,   55,   55,   55,   55,
+       55,   55,   56,    0,    0,    0,    0,   56,    0,   56,
+       57,   57,   58,   58,    0,   58,    0,   58,    0,   58,
+       59,   59,   59,   59,   59,   59,   59,   59,   60,   60,
+        0,   60,   60,   60,   60,   60,   61,   61,   61,   61,
+       61,    0,   61,   61,   51,   51,   51,   51,   51,   51,
+       51,   51,   51,   51,   51,   51,   51,   51,   51,   51,
+       51,   51,   51,   51,   51,   51,   51
     } ;
 
 /* Table of booleans, true if rule could match eol. */
-static yyconst flex_int32_t yy_rule_can_match_eol[26] =
+static yyconst flex_int32_t yy_rule_can_match_eol[27] =
     {   0,
 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 
-    0, 0, 0, 1, 0, 0,     };
+    0, 0, 0, 1, 0, 0, 0,     };
 
-static yyconst flex_int16_t yy_rule_linenum[25] =
+static yyconst flex_int16_t yy_rule_linenum[26] =
     {   0,
        59,   60,   61,   63,   64,   65,   67,   72,   77,   85,
       105,  108,  111,  114,  120,  122,  123,  146,  147,  148,
-      149,  150,  151,  154
+      149,  150,  151,  152,  153
     } ;
 
 /* The intent behind this definition is that it'll catch
@@ -635,7 +640,7 @@ static void include_files(parser_helper_t *ctx);
 
 /* state used to scan quoted strings */
 
-#line 639 "settings/settings_lexer.c"
+#line 644 "settings/settings_lexer.c"
 
 #define INITIAL 0
 #define inc 1
@@ -947,7 +952,7 @@ YY_DECL
 #line 57 "settings/settings_lexer.l"
 
 
-#line 951 "settings/settings_lexer.c"
+#line 956 "settings/settings_lexer.c"
 
     yylval = yylval_param;
 
@@ -1012,13 +1017,13 @@ yy_match:
 			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
 				{
 				yy_current_state = (int) yy_def[yy_current_state];
-				if ( yy_current_state >= 50 )
+				if ( yy_current_state >= 52 )
 					yy_c = yy_meta[(unsigned int) yy_c];
 				}
 			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
 			++yy_cp;
 			}
-		while ( yy_base[yy_current_state] != 145 );
+		while ( yy_base[yy_current_state] != 155 );
 
 yy_find_action:
 /* %% [10.0] code to find the action number goes here */
@@ -1053,13 +1058,13 @@ do_action:	/* This label is used only to access EOF actions. */
 			{
 			if ( yy_act == 0 )
 				fprintf( stderr, "--scanner backing up\n" );
-			else if ( yy_act < 25 )
+			else if ( yy_act < 26 )
 				fprintf( stderr, "--accepting rule at line %ld (\"%s\")\n",
 				         (long)yy_rule_linenum[yy_act], yytext );
-			else if ( yy_act == 25 )
+			else if ( yy_act == 26 )
 				fprintf( stderr, "--accepting default rule (\"%s\")\n",
 				         yytext );
-			else if ( yy_act == 26 )
+			else if ( yy_act == 27 )
 				fprintf( stderr, "--(end of buffer or a NUL)\n" );
 			else
 				fprintf( stderr, "--EOF (start condition %d)\n", YY_START );
@@ -1251,20 +1256,23 @@ case 23:
 /* rule 23 can match eol */
 YY_RULE_SETUP
 #line 151 "settings/settings_lexer.l"
-{
-		yyextra->string_add(yyextra, yytext+1);
-	}
+/* merge lines that end with EOL characters */
 	YY_BREAK
 case 24:
 YY_RULE_SETUP
-#line 154 "settings/settings_lexer.l"
+#line 152 "settings/settings_lexer.l"
+yyextra->string_add(yyextra, yytext+1);
+	YY_BREAK
+case 25:
+YY_RULE_SETUP
+#line 153 "settings/settings_lexer.l"
 {
 		yyextra->string_add(yyextra, yytext);
 	}
 	YY_BREAK
 
 case YY_STATE_EOF(INITIAL):
-#line 159 "settings/settings_lexer.l"
+#line 158 "settings/settings_lexer.l"
 {
 	settings_parser_pop_buffer_state(yyscanner);
 	if (!settings_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER)
@@ -1273,12 +1281,12 @@ case YY_STATE_EOF(INITIAL):
 	}
 }
 	YY_BREAK
-case 25:
+case 26:
 YY_RULE_SETUP
-#line 167 "settings/settings_lexer.l"
+#line 166 "settings/settings_lexer.l"
 YY_FATAL_ERROR( "flex scanner jammed" );
 	YY_BREAK
-#line 1282 "settings/settings_lexer.c"
+#line 1290 "settings/settings_lexer.c"
 
 	case YY_END_OF_BUFFER:
 		{
@@ -1591,7 +1599,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
 			{
 			yy_current_state = (int) yy_def[yy_current_state];
-			if ( yy_current_state >= 50 )
+			if ( yy_current_state >= 52 )
 				yy_c = yy_meta[(unsigned int) yy_c];
 			}
 		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
@@ -1625,11 +1633,11 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
 		{
 		yy_current_state = (int) yy_def[yy_current_state];
-		if ( yy_current_state >= 50 )
+		if ( yy_current_state >= 52 )
 			yy_c = yy_meta[(unsigned int) yy_c];
 		}
 	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
-	yy_is_jam = (yy_current_state == 49);
+	yy_is_jam = (yy_current_state == 51);
 
 	return yy_is_jam ? 0 : yy_current_state;
 }
@@ -2646,7 +2654,7 @@ void settings_parser_free (void * ptr , yyscan_t yyscanner)
 
 /* %ok-for-header */
 
-#line 167 "settings/settings_lexer.l"
+#line 166 "settings/settings_lexer.l"
 
 
 
diff --git a/src/libstrongswan/settings/settings_lexer.l b/src/libstrongswan/settings/settings_lexer.l
index c6546f464..176387f1f 100644
--- a/src/libstrongswan/settings/settings_lexer.l
+++ b/src/libstrongswan/settings/settings_lexer.l
@@ -148,9 +148,8 @@ static void include_files(parser_helper_t *ctx);
 	\\t     yyextra->string_add(yyextra, "\t");
 	\\b     yyextra->string_add(yyextra, "\b");
 	\\f     yyextra->string_add(yyextra, "\f");
-	\\(.|\n)			{
-		yyextra->string_add(yyextra, yytext+1);
-	}
+	\\\r?\n /* merge lines that end with EOL characters */
+	\\.     yyextra->string_add(yyextra, yytext+1);
 	[^\\\n"]+			{
 		yyextra->string_add(yyextra, yytext);
 	}
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index 7ecba19da..8c081c673 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -29,6 +29,7 @@ tests_SOURCES = tests.h tests.c \
   suites/test_enum.c \
   suites/test_hashtable.c \
   suites/test_identification.c \
+  suites/test_traffic_selector.c \
   suites/test_threading.c \
   suites/test_process.c \
   suites/test_watcher.c \
@@ -40,6 +41,8 @@ tests_SOURCES = tests.h tests.c \
   suites/test_array.c \
   suites/test_ecdsa.c \
   suites/test_rsa.c \
+  suites/test_certpolicy.c \
+  suites/test_certnames.c \
   suites/test_host.c \
   suites/test_hasher.c \
   suites/test_crypter.c \
@@ -49,6 +52,7 @@ tests_SOURCES = tests.h tests.c \
   suites/test_asn1_parser.c \
   suites/test_printf.c \
   suites/test_test_rng.c \
+  suites/test_mgf1.c \
   suites/test_ntru.c
 
 tests_CFLAGS = \
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index 3268b5488..97e24bdb7 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -125,6 +125,7 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \
 	suites/tests-test_enum.$(OBJEXT) \
 	suites/tests-test_hashtable.$(OBJEXT) \
 	suites/tests-test_identification.$(OBJEXT) \
+	suites/tests-test_traffic_selector.$(OBJEXT) \
 	suites/tests-test_threading.$(OBJEXT) \
 	suites/tests-test_process.$(OBJEXT) \
 	suites/tests-test_watcher.$(OBJEXT) \
@@ -136,6 +137,8 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \
 	suites/tests-test_array.$(OBJEXT) \
 	suites/tests-test_ecdsa.$(OBJEXT) \
 	suites/tests-test_rsa.$(OBJEXT) \
+	suites/tests-test_certpolicy.$(OBJEXT) \
+	suites/tests-test_certnames.$(OBJEXT) \
 	suites/tests-test_host.$(OBJEXT) \
 	suites/tests-test_hasher.$(OBJEXT) \
 	suites/tests-test_crypter.$(OBJEXT) \
@@ -145,6 +148,7 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \
 	suites/tests-test_asn1_parser.$(OBJEXT) \
 	suites/tests-test_printf.$(OBJEXT) \
 	suites/tests-test_test_rng.$(OBJEXT) \
+	suites/tests-test_mgf1.$(OBJEXT) \
 	suites/tests-test_ntru.$(OBJEXT)
 tests_OBJECTS = $(am_tests_OBJECTS)
 tests_DEPENDENCIES =  \
@@ -260,6 +264,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -320,10 +325,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -397,6 +404,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -480,6 +489,7 @@ tests_SOURCES = tests.h tests.c \
   suites/test_enum.c \
   suites/test_hashtable.c \
   suites/test_identification.c \
+  suites/test_traffic_selector.c \
   suites/test_threading.c \
   suites/test_process.c \
   suites/test_watcher.c \
@@ -491,6 +501,8 @@ tests_SOURCES = tests.h tests.c \
   suites/test_array.c \
   suites/test_ecdsa.c \
   suites/test_rsa.c \
+  suites/test_certpolicy.c \
+  suites/test_certnames.c \
   suites/test_host.c \
   suites/test_hasher.c \
   suites/test_crypter.c \
@@ -500,6 +512,7 @@ tests_SOURCES = tests.h tests.c \
   suites/test_asn1_parser.c \
   suites/test_printf.c \
   suites/test_test_rng.c \
+  suites/test_mgf1.c \
   suites/test_ntru.c
 
 tests_CFLAGS = \
@@ -603,6 +616,8 @@ suites/tests-test_hashtable.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_identification.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_traffic_selector.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_threading.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_process.$(OBJEXT): suites/$(am__dirstamp) \
@@ -625,6 +640,10 @@ suites/tests-test_ecdsa.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_rsa.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_certpolicy.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_certnames.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_host.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_hasher.$(OBJEXT): suites/$(am__dirstamp) \
@@ -643,6 +662,8 @@ suites/tests-test_printf.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_test_rng.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_mgf1.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_ntru.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
 
@@ -667,6 +688,8 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1_parser.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_reader.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_writer.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_certnames.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_certpolicy.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_chunk.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_crypter.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_crypto_factory.Po@am__quote@
@@ -680,6 +703,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_identification.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_mgf1.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_ntru.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_pen.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_printf.Po@am__quote@
@@ -689,6 +713,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_stream.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_test_rng.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_threading.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_traffic_selector.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_utils.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_vectors.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_watcher.Po@am__quote@
@@ -879,6 +904,20 @@ suites/tests-test_identification.obj: suites/test_identification.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi`
 
+suites/tests-test_traffic_selector.o: suites/test_traffic_selector.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_traffic_selector.o -MD -MP -MF suites/$(DEPDIR)/tests-test_traffic_selector.Tpo -c -o suites/tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_traffic_selector.Tpo suites/$(DEPDIR)/tests-test_traffic_selector.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/tests-test_traffic_selector.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c
+
+suites/tests-test_traffic_selector.obj: suites/test_traffic_selector.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_traffic_selector.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_traffic_selector.Tpo -c -o suites/tests-test_traffic_selector.obj `if test -f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_traffic_selector.Tpo suites/$(DEPDIR)/tests-test_traffic_selector.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/tests-test_traffic_selector.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_traffic_selector.obj `if test -f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi`
+
 suites/tests-test_threading.o: suites/test_threading.c
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_threading.o -MD -MP -MF suites/$(DEPDIR)/tests-test_threading.Tpo -c -o suites/tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_threading.Tpo suites/$(DEPDIR)/tests-test_threading.Po
@@ -1033,6 +1072,34 @@ suites/tests-test_rsa.obj: suites/test_rsa.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi`
 
+suites/tests-test_certpolicy.o: suites/test_certpolicy.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certpolicy.o -MD -MP -MF suites/$(DEPDIR)/tests-test_certpolicy.Tpo -c -o suites/tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certpolicy.Tpo suites/$(DEPDIR)/tests-test_certpolicy.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_certpolicy.c' object='suites/tests-test_certpolicy.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c
+
+suites/tests-test_certpolicy.obj: suites/test_certpolicy.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certpolicy.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_certpolicy.Tpo -c -o suites/tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certpolicy.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certpolicy.Tpo suites/$(DEPDIR)/tests-test_certpolicy.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_certpolicy.c' object='suites/tests-test_certpolicy.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certpolicy.c'; fi`
+
+suites/tests-test_certnames.o: suites/test_certnames.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certnames.o -MD -MP -MF suites/$(DEPDIR)/tests-test_certnames.Tpo -c -o suites/tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certnames.Tpo suites/$(DEPDIR)/tests-test_certnames.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_certnames.c' object='suites/tests-test_certnames.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c
+
+suites/tests-test_certnames.obj: suites/test_certnames.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certnames.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_certnames.Tpo -c -o suites/tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certnames.Tpo suites/$(DEPDIR)/tests-test_certnames.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_certnames.c' object='suites/tests-test_certnames.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi`
+
 suites/tests-test_host.o: suites/test_host.c
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_host.o -MD -MP -MF suites/$(DEPDIR)/tests-test_host.Tpo -c -o suites/tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_host.Tpo suites/$(DEPDIR)/tests-test_host.Po
@@ -1159,6 +1226,20 @@ suites/tests-test_test_rng.obj: suites/test_test_rng.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi`
 
+suites/tests-test_mgf1.o: suites/test_mgf1.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_mgf1.o -MD -MP -MF suites/$(DEPDIR)/tests-test_mgf1.Tpo -c -o suites/tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_mgf1.Tpo suites/$(DEPDIR)/tests-test_mgf1.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_mgf1.c' object='suites/tests-test_mgf1.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c
+
+suites/tests-test_mgf1.obj: suites/test_mgf1.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_mgf1.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_mgf1.Tpo -c -o suites/tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_mgf1.Tpo suites/$(DEPDIR)/tests-test_mgf1.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_mgf1.c' object='suites/tests-test_mgf1.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi`
+
 suites/tests-test_ntru.o: suites/test_ntru.c
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ntru.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ntru.Tpo -c -o suites/tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ntru.Tpo suites/$(DEPDIR)/tests-test_ntru.Po
diff --git a/src/libstrongswan/tests/suites/test_certnames.c b/src/libstrongswan/tests/suites/test_certnames.c
new file mode 100644
index 000000000..e30702864
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_certnames.c
@@ -0,0 +1,398 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <asn1/asn1.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/certificates/x509.h>
+
+/**
+ * RSA private key, so we don't have to generate one
+ */
+static char keydata[] = {
+  0x30,0x82,0x02,0x5e,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xb1,0x9b,0xd4,0x51,0x24,
+  0xfc,0x56,0x1d,0x3d,0xfb,0xa2,0xea,0x37,0x02,0x70,0x72,0x87,0x84,0x2f,0x3b,0x2d,
+  0x6e,0x22,0xef,0x3f,0x37,0x04,0xb2,0x6f,0xb7,0xe7,0xd8,0x58,0x05,0xde,0x34,0xbf,
+  0x99,0xe6,0x40,0x7a,0x56,0xa7,0x73,0xf5,0x98,0xcb,0xb0,0x37,0x90,0x5e,0xd1,0x3f,
+  0xf4,0x73,0x50,0x7f,0x53,0x8e,0xf1,0x04,0x25,0xb4,0x77,0x22,0x4e,0x8a,0x9d,0x27,
+  0x8f,0x6f,0xaf,0x59,0xbd,0xb0,0x0f,0xf0,0xaa,0x11,0x94,0x66,0x16,0x10,0x58,0xad,
+  0x77,0xa1,0xac,0x58,0xb4,0xd0,0x0d,0xbc,0x11,0xe0,0xc0,0xe9,0x29,0xdc,0x42,0x63,
+  0x01,0x23,0x4f,0x28,0x41,0x6d,0x34,0x9e,0x0c,0x4a,0xc8,0x62,0x83,0xb5,0x71,0x71,
+  0x0b,0x51,0xc0,0x4c,0x37,0xd4,0x68,0x19,0x52,0x9a,0x8b,0x02,0x03,0x01,0x00,0x01,
+  0x02,0x81,0x81,0x00,0x82,0xca,0x33,0x16,0xb2,0x3a,0xd4,0x1b,0x62,0x9a,0x9c,0xc5,
+  0x07,0x4f,0x57,0x89,0x2f,0x7c,0x4a,0xdf,0xb4,0x3b,0xc7,0xa4,0x11,0x14,0x2d,0xf4,
+  0x4c,0xca,0xcc,0x03,0x88,0x06,0x82,0x34,0xab,0xe7,0xe4,0x24,0x15,0x33,0x1c,0xcb,
+  0x0a,0xcf,0xc3,0x27,0x78,0x33,0x6b,0x6f,0x82,0x3e,0x3c,0x70,0xc9,0xe2,0xb9,0x7f,
+  0x88,0xc3,0x4f,0x59,0xb5,0x8e,0xa3,0x81,0xd9,0x88,0x1f,0xc0,0x38,0xbc,0xc8,0x93,
+  0x40,0x0f,0x43,0xd8,0x72,0x12,0xb4,0xcc,0x6d,0x76,0x0a,0x6f,0x01,0x05,0xa8,0x88,
+  0xf4,0x57,0x44,0xd2,0x05,0xc4,0x77,0xf5,0xfb,0x1b,0xf3,0xb2,0x0d,0x90,0xb8,0xb4,
+  0x63,0x62,0x70,0x2c,0xe4,0x28,0xd8,0x20,0x10,0x85,0x4a,0x5e,0x63,0xa9,0xb0,0xdd,
+  0xba,0xd0,0x32,0x49,0x02,0x41,0x00,0xdb,0x77,0xf1,0xdd,0x1a,0x12,0xc5,0xfb,0x2b,
+  0x5b,0xb2,0xcd,0xb6,0xd0,0x4c,0xc4,0xe5,0x93,0xd6,0xf8,0x88,0xfc,0x18,0x40,0x21,
+  0x9c,0xf7,0x2d,0x60,0x6f,0x91,0xf5,0x73,0x3c,0xf7,0x7f,0x67,0x1d,0x5b,0xb5,0xee,
+  0x29,0xc1,0xd4,0xc6,0xdb,0x44,0x4c,0x40,0x05,0x63,0xaa,0x71,0x95,0x18,0x14,0xa7,
+  0x23,0x9f,0x7a,0xee,0x7f,0xb5,0xc7,0x02,0x41,0x00,0xcf,0x2c,0x24,0x50,0x65,0xf4,
+  0x94,0x7b,0xe9,0xf3,0x13,0x77,0xea,0x27,0x3c,0x6f,0x03,0x84,0xa7,0x7d,0xa2,0x54,
+  0x40,0x97,0x82,0x0e,0xd9,0x09,0x9f,0x4a,0xa6,0x75,0xe5,0x66,0xe4,0x9c,0x59,0xd9,
+  0x3a,0xe6,0xf7,0xd8,0x8b,0x68,0xb0,0x21,0x52,0x31,0xb3,0x4a,0xa0,0x2c,0x41,0xd7,
+  0x1f,0x7b,0xe2,0x0f,0x15,0xc9,0x6e,0xc0,0xe5,0x1d,0x02,0x41,0x00,0x9c,0x1a,0x61,
+  0x9f,0x89,0xc7,0x26,0xa9,0x33,0xba,0xe2,0xa0,0x6d,0xd3,0x15,0x77,0xcb,0x6f,0xef,
+  0xad,0x12,0x0a,0x75,0xd9,0x4f,0xcf,0x4d,0x05,0x2a,0x9d,0xd1,0x2c,0xcb,0xcd,0xe6,
+  0xa0,0xe9,0x20,0x39,0xb6,0x5a,0xf3,0xba,0x99,0xf4,0xe3,0xcb,0x5d,0x8d,0x00,0x08,
+  0x57,0x18,0xb9,0x1a,0xca,0xbd,0xe3,0x99,0xb1,0x1f,0xe9,0x18,0xcb,0x02,0x40,0x65,
+  0x35,0x1b,0x48,0x6b,0x86,0x60,0x43,0x68,0xb6,0xe6,0xfb,0xdd,0xd7,0xed,0x1e,0x0e,
+  0x89,0xef,0x88,0xe0,0x94,0x68,0x39,0x9b,0xbf,0xc5,0x27,0x7e,0x39,0xe9,0xb8,0x0e,
+  0xa9,0x85,0x65,0x1c,0x3f,0x93,0x16,0xe2,0x5d,0x57,0x3d,0x7d,0x4d,0xc9,0xe9,0x9d,
+  0xbd,0x07,0x22,0x97,0xc7,0x90,0x09,0xe5,0x15,0x99,0x7f,0x1e,0x2b,0xfd,0xc1,0x02,
+  0x41,0x00,0x92,0x78,0xfe,0x04,0xa0,0x53,0xed,0x36,0x97,0xbd,0x16,0xce,0x91,0x9b,
+  0xbe,0x1f,0x8e,0x40,0x00,0x99,0x0c,0x49,0x15,0xca,0x59,0xd3,0xe3,0xd4,0xeb,0x71,
+  0xcf,0xda,0xd7,0xc8,0x99,0x74,0xfc,0x6b,0xe8,0xfd,0xe5,0xe0,0x49,0x61,0xcb,0xda,
+  0xe3,0xe7,0x8b,0x72,0xb5,0x69,0x73,0x2b,0x8b,0x54,0xcb,0xd9,0x48,0x6d,0x61,0x02,
+  0x49,0xe8,
+};
+
+/**
+ * Issue a certificate with permitted/excluded name constraints
+ */
+static certificate_t* create_cert(certificate_t *ca, char *subject, char *san,
+								x509_flag_t flags, identification_t *permitted,
+								identification_t *excluded)
+{
+	private_key_t *privkey;
+	public_key_t *pubkey;
+	certificate_t *cert;
+	identification_t *id;
+	linked_list_t *plist, *elist, *sans;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+								 BUILD_BLOB_ASN1_DER, chunk_from_thing(keydata),
+								 BUILD_END);
+	ck_assert(privkey);
+	pubkey = privkey->get_public_key(privkey);
+	ck_assert(pubkey);
+	plist = linked_list_create();
+	if (permitted)
+	{
+		plist->insert_last(plist, permitted);
+	}
+	elist = linked_list_create();
+	if (excluded)
+	{
+		elist->insert_last(elist, excluded);
+	}
+	sans = linked_list_create();
+	if (san)
+	{
+		id = identification_create_from_string(san);
+		sans->insert_last(sans, id);
+	}
+	id = identification_create_from_string(subject);
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+						BUILD_SIGNING_KEY, privkey,
+						BUILD_PUBLIC_KEY, pubkey,
+						BUILD_SUBJECT, id,
+						BUILD_X509_FLAG, flags,
+						BUILD_SIGNING_CERT, ca,
+						BUILD_SUBJECT_ALTNAMES, sans,
+						BUILD_PERMITTED_NAME_CONSTRAINTS, plist,
+						BUILD_EXCLUDED_NAME_CONSTRAINTS, elist,
+						BUILD_END);
+	ck_assert(cert);
+	id->destroy(id);
+	sans->destroy_offset(sans, offsetof(identification_t, destroy));
+	plist->destroy_offset(plist, offsetof(identification_t, destroy));
+	elist->destroy_offset(elist, offsetof(identification_t, destroy));
+	privkey->destroy(privkey);
+	pubkey->destroy(pubkey);
+
+	return cert;
+}
+
+/**
+ * Check if a certificate with given subject has a valid trustchain
+ */
+static bool check_trust(identification_t *subject)
+{
+	enumerator_t *certs;
+	certificate_t *cert;
+	bool trusted;
+
+	certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY,
+													subject, FALSE);
+	trusted = certs->enumerate(certs, &cert, NULL);
+	certs->destroy(certs);
+
+	return trusted;
+}
+
+static mem_cred_t *creds;
+
+START_SETUP(setup)
+{
+	creds = mem_cred_create();
+	lib->credmgr->add_set(lib->credmgr, &creds->set);
+}
+END_SETUP
+
+START_TEARDOWN(teardown)
+{
+	lib->credmgr->remove_set(lib->credmgr, &creds->set);
+	creds->destroy(creds);
+	lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
+}
+END_TEARDOWN
+
+static struct {
+	char *constraint;
+	char *subject;
+	bool good;
+} permitted_dn[] = {
+	{ "C=CH, O=strongSwan", "C=CH, O=strongSwan, CN=tester", TRUE },
+	{ "C=CH, O=strongSwan", "C=CH, O=strong", FALSE },
+	{ "C=CH, O=strongSwan", "C=CH, O=strong, CN=tester", FALSE },
+	{ "C=CH, O=strongSwan", "C=CH, O=another, CN=tester", FALSE },
+	{ "C=CH, O=strongSwan", "C=CH, CN=tester, O=strongSwan", FALSE },
+};
+
+START_TEST(test_permitted_dn)
+{
+	certificate_t *ca, *im, *sj;
+	identification_t *id;
+
+	id = identification_create_from_string(permitted_dn[_i].constraint);
+	ca = create_cert(NULL, "C=CH, O=strongSwan, CN=CA", NULL, X509_CA, id, NULL);
+	id = identification_create_from_string(permitted_dn[_i].constraint);
+	im = create_cert(ca, "C=CH, O=strongSwan, CN=IM", NULL, X509_CA, id, NULL);
+	sj = create_cert(im, permitted_dn[_i].subject, NULL, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_trust(sj->get_subject(sj)) == permitted_dn[_i].good);
+}
+END_TEST
+
+static struct {
+	id_type_t ctype;
+	char *cdata;
+	char *subject;
+	bool good;
+} permitted_san[] = {
+	{ ID_FQDN, ".strongswan.org", "test.strongswan.org", TRUE },
+	{ ID_FQDN, "strongswan.org", "test.strongswan.org", TRUE },
+	{ ID_FQDN, "a.b.c.strongswan.org", "d.a.b.c.strongswan.org", TRUE },
+	{ ID_FQDN, "a.b.c.strongswan.org", "a.b.c.d.strongswan.org", FALSE },
+	{ ID_FQDN, "strongswan.org", "strongswan.org.com", FALSE },
+	{ ID_FQDN, ".strongswan.org", "strongswan.org", FALSE },
+	{ ID_FQDN, "strongswan.org", "nostrongswan.org", FALSE },
+	{ ID_FQDN, "strongswan.org", "swan.org", FALSE },
+	{ ID_FQDN, "strongswan.org", "swan.org", FALSE },
+	{ ID_RFC822_ADDR, "tester@strongswan.org", "tester@strongswan.org", TRUE },
+	{ ID_RFC822_ADDR, "tester@strongswan.org", "atester@strongswan.org", FALSE },
+	{ ID_RFC822_ADDR, "strongswan.org", "tester@strongswan.org", TRUE },
+	{ ID_RFC822_ADDR, "strongswan.org", "tester@test.strongswan.org", FALSE },
+	{ ID_RFC822_ADDR, ".strongswan.org", "tester@test.strongswan.org", TRUE },
+	{ ID_RFC822_ADDR, ".strongswan.org", "tester@strongswan.org", FALSE },
+};
+
+START_TEST(test_permitted_san)
+{
+	certificate_t *ca, *sj;
+	identification_t *id;
+
+	id = identification_create_from_encoding(permitted_san[_i].ctype,
+									chunk_from_str(permitted_san[_i].cdata));
+	ca = create_cert(NULL, "CN=CA", NULL, X509_CA, id, NULL);
+	sj = create_cert(ca, "CN=SJ", permitted_san[_i].subject, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_trust(sj->get_subject(sj)) == permitted_san[_i].good);
+}
+END_TEST
+
+static struct {
+	char *constraint;
+	char *subject;
+	bool good;
+} excluded_dn[] = {
+	{ "C=CH, O=another", "C=CH, O=strongSwan, CN=tester", TRUE },
+	{ "C=CH, O=another", "C=CH, O=anot", TRUE },
+	{ "C=CH, O=another", "C=CH, O=anot, CN=tester", TRUE },
+	{ "C=CH, O=another", "C=CH, O=another, CN=tester", FALSE },
+	{ "C=CH, O=another", "C=CH, CN=tester, O=another", TRUE },
+};
+
+START_TEST(test_excluded_dn)
+{
+	certificate_t *ca, *im, *sj;
+	identification_t *id;
+
+	id = identification_create_from_string(excluded_dn[_i].constraint);
+	ca = create_cert(NULL, "C=CH, O=strongSwan, CN=CA", NULL, X509_CA, NULL, id);
+	id = identification_create_from_string(excluded_dn[_i].constraint);
+	im = create_cert(ca, "C=CH, O=strongSwan, CN=IM", NULL, X509_CA, NULL, id);
+	sj = create_cert(im, excluded_dn[_i].subject, NULL, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_trust(sj->get_subject(sj)) == excluded_dn[_i].good);
+}
+END_TEST
+
+static struct {
+	id_type_t ctype;
+	char *cdata;
+	char *subject;
+	bool good;
+} excluded_san[] = {
+	{ ID_FQDN, ".strongswan.org", "test.strongswan.org", FALSE },
+	{ ID_FQDN, "strongswan.org", "test.strongswan.org", FALSE },
+	{ ID_FQDN, "a.b.c.strongswan.org", "d.a.b.c.strongswan.org", FALSE },
+	{ ID_FQDN, "a.b.c.strongswan.org", "a.b.c.d.strongswan.org", TRUE },
+	{ ID_FQDN, "strongswan.org", "strongswan.org.com", TRUE },
+	{ ID_FQDN, ".strongswan.org", "strongswan.org", TRUE },
+	{ ID_FQDN, "strongswan.org", "nostrongswan.org", TRUE },
+	{ ID_FQDN, "strongswan.org", "swan.org", TRUE },
+	{ ID_FQDN, "strongswan.org", "swan.org", TRUE },
+	{ ID_RFC822_ADDR, "tester@strongswan.org", "tester@strongswan.org", FALSE },
+	{ ID_RFC822_ADDR, "tester@strongswan.org", "atester@strongswan.org", TRUE },
+	{ ID_RFC822_ADDR, "strongswan.org", "tester@strongswan.org", FALSE },
+	{ ID_RFC822_ADDR, "strongswan.org", "tester@test.strongswan.org", TRUE },
+	{ ID_RFC822_ADDR, ".strongswan.org", "tester@test.strongswan.org", FALSE },
+	{ ID_RFC822_ADDR, ".strongswan.org", "tester@strongswan.org", TRUE },
+};
+
+START_TEST(test_excluded_san)
+{
+	certificate_t *ca, *sj;
+	identification_t *id;
+
+	id = identification_create_from_encoding(excluded_san[_i].ctype,
+									chunk_from_str(excluded_san[_i].cdata));
+	ca = create_cert(NULL, "CN=CA", NULL, X509_CA, NULL, id);
+	sj = create_cert(ca, "CN=SJ", excluded_san[_i].subject, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_trust(sj->get_subject(sj)) == excluded_san[_i].good);
+}
+END_TEST
+
+static struct {
+	char *caconst;
+	char *imconst;
+	char *subject;
+	bool good;
+} permitted_dninh[] = {
+	{ "C=CH", "C=CH, O=strongSwan", "C=CH, O=strongSwan, CN=tester", TRUE },
+	{ "C=CH", "C=DE, O=strongSwan", "C=CH, O=strongSwan, CN=tester", FALSE },
+	{ "C=CH, O=strongSwan", "C=CH", "C=CH", FALSE },
+};
+
+START_TEST(test_permitted_dninh)
+{
+	certificate_t *ca, *im, *sj;
+	identification_t *id;
+
+	id = identification_create_from_string(permitted_dninh[_i].caconst);
+	ca = create_cert(NULL, "C=CH, O=strongSwan, CN=CA", NULL, X509_CA, id, NULL);
+	id = identification_create_from_string(permitted_dninh[_i].imconst);
+	im = create_cert(ca, "C=CH, O=strongSwan, CN=IM", NULL, X509_CA, id, NULL);
+	sj = create_cert(im, permitted_dninh[_i].subject, NULL, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_trust(sj->get_subject(sj)) == permitted_dninh[_i].good);
+}
+END_TEST
+
+static struct {
+	char *caconst;
+	char *imconst;
+	char *subject;
+	bool good;
+} excluded_dninh[] = {
+	{ "C=CH, O=strongSwan", "C=CH", "C=DE", TRUE },
+	{ "C=CH, O=strongSwan", "C=DE", "C=CH", FALSE },
+	{ "C=CH", "C=CH, O=strongSwan", "C=CH, O=strongSwan, CN=tester", FALSE },
+};
+
+START_TEST(test_excluded_dninh)
+{
+	certificate_t *ca, *im, *sj;
+	identification_t *id;
+
+	id = identification_create_from_string(excluded_dninh[_i].caconst);
+	ca = create_cert(NULL, "C=CH, O=strongSwan, CN=CA", NULL, X509_CA, NULL, id);
+	id = identification_create_from_string(excluded_dninh[_i].imconst);
+	im = create_cert(ca, "C=DE, CN=IM", NULL, X509_CA, NULL, id);
+	sj = create_cert(im, excluded_dninh[_i].subject, NULL, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_trust(sj->get_subject(sj)) == excluded_dninh[_i].good);
+}
+END_TEST
+
+Suite *certnames_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("certnames");
+
+	tc = tcase_create("permitted DN name constraints");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_loop_test(tc, test_permitted_dn, 0, countof(permitted_dn));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("permitted subjectAltName constraints");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_loop_test(tc, test_permitted_san, 0, countof(permitted_san));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("excluded DN constraints");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_loop_test(tc, test_excluded_dn, 0, countof(excluded_dn));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("excluded subjectAltName constraints");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_loop_test(tc, test_excluded_san, 0, countof(excluded_san));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("permitted DN name constraint inherit");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_loop_test(tc, test_permitted_dninh, 0, countof(permitted_dninh));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("excluded DN name constraint inherit");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_loop_test(tc, test_excluded_dninh, 0, countof(excluded_dninh));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_certpolicy.c b/src/libstrongswan/tests/suites/test_certpolicy.c
new file mode 100644
index 000000000..7501e1a8b
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_certpolicy.c
@@ -0,0 +1,637 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <asn1/asn1.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/certificates/x509.h>
+
+/**
+ * RSA private key, so we don't have to generate one
+ */
+static char keydata[] = {
+  0x30,0x82,0x02,0x5e,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xb1,0x9b,0xd4,0x51,0x24,
+  0xfc,0x56,0x1d,0x3d,0xfb,0xa2,0xea,0x37,0x02,0x70,0x72,0x87,0x84,0x2f,0x3b,0x2d,
+  0x6e,0x22,0xef,0x3f,0x37,0x04,0xb2,0x6f,0xb7,0xe7,0xd8,0x58,0x05,0xde,0x34,0xbf,
+  0x99,0xe6,0x40,0x7a,0x56,0xa7,0x73,0xf5,0x98,0xcb,0xb0,0x37,0x90,0x5e,0xd1,0x3f,
+  0xf4,0x73,0x50,0x7f,0x53,0x8e,0xf1,0x04,0x25,0xb4,0x77,0x22,0x4e,0x8a,0x9d,0x27,
+  0x8f,0x6f,0xaf,0x59,0xbd,0xb0,0x0f,0xf0,0xaa,0x11,0x94,0x66,0x16,0x10,0x58,0xad,
+  0x77,0xa1,0xac,0x58,0xb4,0xd0,0x0d,0xbc,0x11,0xe0,0xc0,0xe9,0x29,0xdc,0x42,0x63,
+  0x01,0x23,0x4f,0x28,0x41,0x6d,0x34,0x9e,0x0c,0x4a,0xc8,0x62,0x83,0xb5,0x71,0x71,
+  0x0b,0x51,0xc0,0x4c,0x37,0xd4,0x68,0x19,0x52,0x9a,0x8b,0x02,0x03,0x01,0x00,0x01,
+  0x02,0x81,0x81,0x00,0x82,0xca,0x33,0x16,0xb2,0x3a,0xd4,0x1b,0x62,0x9a,0x9c,0xc5,
+  0x07,0x4f,0x57,0x89,0x2f,0x7c,0x4a,0xdf,0xb4,0x3b,0xc7,0xa4,0x11,0x14,0x2d,0xf4,
+  0x4c,0xca,0xcc,0x03,0x88,0x06,0x82,0x34,0xab,0xe7,0xe4,0x24,0x15,0x33,0x1c,0xcb,
+  0x0a,0xcf,0xc3,0x27,0x78,0x33,0x6b,0x6f,0x82,0x3e,0x3c,0x70,0xc9,0xe2,0xb9,0x7f,
+  0x88,0xc3,0x4f,0x59,0xb5,0x8e,0xa3,0x81,0xd9,0x88,0x1f,0xc0,0x38,0xbc,0xc8,0x93,
+  0x40,0x0f,0x43,0xd8,0x72,0x12,0xb4,0xcc,0x6d,0x76,0x0a,0x6f,0x01,0x05,0xa8,0x88,
+  0xf4,0x57,0x44,0xd2,0x05,0xc4,0x77,0xf5,0xfb,0x1b,0xf3,0xb2,0x0d,0x90,0xb8,0xb4,
+  0x63,0x62,0x70,0x2c,0xe4,0x28,0xd8,0x20,0x10,0x85,0x4a,0x5e,0x63,0xa9,0xb0,0xdd,
+  0xba,0xd0,0x32,0x49,0x02,0x41,0x00,0xdb,0x77,0xf1,0xdd,0x1a,0x12,0xc5,0xfb,0x2b,
+  0x5b,0xb2,0xcd,0xb6,0xd0,0x4c,0xc4,0xe5,0x93,0xd6,0xf8,0x88,0xfc,0x18,0x40,0x21,
+  0x9c,0xf7,0x2d,0x60,0x6f,0x91,0xf5,0x73,0x3c,0xf7,0x7f,0x67,0x1d,0x5b,0xb5,0xee,
+  0x29,0xc1,0xd4,0xc6,0xdb,0x44,0x4c,0x40,0x05,0x63,0xaa,0x71,0x95,0x18,0x14,0xa7,
+  0x23,0x9f,0x7a,0xee,0x7f,0xb5,0xc7,0x02,0x41,0x00,0xcf,0x2c,0x24,0x50,0x65,0xf4,
+  0x94,0x7b,0xe9,0xf3,0x13,0x77,0xea,0x27,0x3c,0x6f,0x03,0x84,0xa7,0x7d,0xa2,0x54,
+  0x40,0x97,0x82,0x0e,0xd9,0x09,0x9f,0x4a,0xa6,0x75,0xe5,0x66,0xe4,0x9c,0x59,0xd9,
+  0x3a,0xe6,0xf7,0xd8,0x8b,0x68,0xb0,0x21,0x52,0x31,0xb3,0x4a,0xa0,0x2c,0x41,0xd7,
+  0x1f,0x7b,0xe2,0x0f,0x15,0xc9,0x6e,0xc0,0xe5,0x1d,0x02,0x41,0x00,0x9c,0x1a,0x61,
+  0x9f,0x89,0xc7,0x26,0xa9,0x33,0xba,0xe2,0xa0,0x6d,0xd3,0x15,0x77,0xcb,0x6f,0xef,
+  0xad,0x12,0x0a,0x75,0xd9,0x4f,0xcf,0x4d,0x05,0x2a,0x9d,0xd1,0x2c,0xcb,0xcd,0xe6,
+  0xa0,0xe9,0x20,0x39,0xb6,0x5a,0xf3,0xba,0x99,0xf4,0xe3,0xcb,0x5d,0x8d,0x00,0x08,
+  0x57,0x18,0xb9,0x1a,0xca,0xbd,0xe3,0x99,0xb1,0x1f,0xe9,0x18,0xcb,0x02,0x40,0x65,
+  0x35,0x1b,0x48,0x6b,0x86,0x60,0x43,0x68,0xb6,0xe6,0xfb,0xdd,0xd7,0xed,0x1e,0x0e,
+  0x89,0xef,0x88,0xe0,0x94,0x68,0x39,0x9b,0xbf,0xc5,0x27,0x7e,0x39,0xe9,0xb8,0x0e,
+  0xa9,0x85,0x65,0x1c,0x3f,0x93,0x16,0xe2,0x5d,0x57,0x3d,0x7d,0x4d,0xc9,0xe9,0x9d,
+  0xbd,0x07,0x22,0x97,0xc7,0x90,0x09,0xe5,0x15,0x99,0x7f,0x1e,0x2b,0xfd,0xc1,0x02,
+  0x41,0x00,0x92,0x78,0xfe,0x04,0xa0,0x53,0xed,0x36,0x97,0xbd,0x16,0xce,0x91,0x9b,
+  0xbe,0x1f,0x8e,0x40,0x00,0x99,0x0c,0x49,0x15,0xca,0x59,0xd3,0xe3,0xd4,0xeb,0x71,
+  0xcf,0xda,0xd7,0xc8,0x99,0x74,0xfc,0x6b,0xe8,0xfd,0xe5,0xe0,0x49,0x61,0xcb,0xda,
+  0xe3,0xe7,0x8b,0x72,0xb5,0x69,0x73,0x2b,0x8b,0x54,0xcb,0xd9,0x48,0x6d,0x61,0x02,
+  0x49,0xe8,
+};
+
+/**
+ * Issue a certificate fr given policy, including extended flags
+ */
+static certificate_t* create_cert_ext(certificate_t *ca, char *subject,
+									  char *oid, x509_flag_t flags,
+									  char *map_s, char *map_i,
+									  u_int require_explicit,
+									  u_int inhibit_mapping,
+									  u_int inhibit_any)
+{
+	private_key_t *privkey;
+	public_key_t *pubkey;
+	certificate_t *cert;
+	identification_t *id;
+	linked_list_t *policies, *maps;
+	x509_cert_policy_t policy = {};
+	x509_policy_mapping_t map = {};
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+								 BUILD_BLOB_ASN1_DER, chunk_from_thing(keydata),
+								 BUILD_END);
+	ck_assert(privkey);
+	pubkey = privkey->get_public_key(privkey);
+	ck_assert(pubkey);
+	policies = linked_list_create();
+	if (oid)
+	{
+		policy.oid = asn1_oid_from_string(oid);
+		ck_assert(policy.oid.ptr);
+		policies->insert_last(policies, &policy);
+	}
+	maps = linked_list_create();
+	if (map_s && map_i)
+	{
+		map.subject = asn1_oid_from_string(map_s);
+		ck_assert(map.subject.ptr);
+		map.issuer = asn1_oid_from_string(map_i);
+		ck_assert(map.issuer.ptr);
+		maps->insert_last(maps, &map);
+	}
+	id = identification_create_from_string(subject);
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+						BUILD_SIGNING_KEY, privkey,
+						BUILD_PUBLIC_KEY, pubkey,
+						BUILD_SUBJECT, id,
+						BUILD_X509_FLAG, flags,
+						BUILD_CERTIFICATE_POLICIES, policies,
+						BUILD_POLICY_MAPPINGS, maps,
+						BUILD_SIGNING_CERT, ca,
+						BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit,
+						BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping,
+						BUILD_POLICY_INHIBIT_ANY, inhibit_any,
+						BUILD_END);
+	ck_assert(cert);
+	id->destroy(id);
+	policies->destroy(policies);
+	maps->destroy(maps);
+	privkey->destroy(privkey);
+	pubkey->destroy(pubkey);
+	free(policy.oid.ptr);
+	free(map.subject.ptr);
+	free(map.issuer.ptr);
+
+	return cert;
+}
+
+/**
+ * Issue a certificate with given certificate policy and flags
+ */
+static certificate_t* create_cert(certificate_t *ca, char *subject,
+								  char *oid, x509_flag_t flags,
+								  char *map_s, char *map_i)
+{
+	return create_cert_ext(ca, subject, oid, flags, map_s, map_i,
+						   X509_NO_CONSTRAINT, X509_NO_CONSTRAINT,
+						   X509_NO_CONSTRAINT);
+}
+
+/**
+ * Check if a certificate with given subject has an oid
+ */
+static bool check_oid(identification_t *subject, char *oid)
+{
+	enumerator_t *certs, *auths;
+	certificate_t *cert;
+	auth_cfg_t *auth;
+	bool found = FALSE;
+	auth_rule_t type;
+	char *current;
+
+	certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY,
+													subject, FALSE);
+	if (!certs->enumerate(certs, &cert, &auth))
+	{
+		certs->destroy(certs);
+		ck_assert_msg(FALSE, "no trusted certificate found for %Y", subject);
+	}
+	auths = auth->create_enumerator(auth);
+	while (auths->enumerate(auths, &type, &current))
+	{
+		if (type == AUTH_RULE_CERT_POLICY)
+		{
+			if (streq(current, oid))
+			{
+				found = TRUE;
+				break;
+			}
+		}
+	}
+	auths->destroy(auths);
+	certs->destroy(certs);
+
+	return found;
+}
+
+/**
+ * Check if a certificate with given subject has a valid trustchain
+ */
+static bool check_trust(identification_t *subject)
+{
+	enumerator_t *certs;
+	certificate_t *cert;
+	bool trusted;
+
+	certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY,
+													subject, FALSE);
+	trusted = certs->enumerate(certs, &cert, NULL);
+	certs->destroy(certs);
+
+	return trusted;
+}
+
+static mem_cred_t *creds;
+
+static char *anyPolicy = "2.5.29.32.0";
+static char *extended = "2.23.140.1.1";
+static char *baseline = "2.23.140.1.2";
+
+START_SETUP(setup)
+{
+	creds = mem_cred_create();
+	lib->credmgr->add_set(lib->credmgr, &creds->set);
+}
+END_SETUP
+
+START_TEARDOWN(teardown)
+{
+	lib->credmgr->remove_set(lib->credmgr, &creds->set);
+	creds->destroy(creds);
+	lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
+}
+END_TEARDOWN
+
+START_TEST(test_valid_fixed)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
+	sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_valid_any1)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
+	sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_valid_any2)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
+	sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_invalid_missing)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
+	sj = create_cert(im, "CN=SJ", NULL, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_invalid_wrong)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
+	sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(!check_oid(sj->get_subject(sj), extended));
+}
+END_TEST
+
+START_TEST(test_invalid_any1)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
+	sj = create_cert(im, "CN=SJ", NULL, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_invalid_any2)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
+	sj = create_cert(im, "CN=SJ", anyPolicy, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_badchain_wrong)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", extended, X509_CA, NULL, NULL);
+	sj = create_cert(im, "CN=SJ", extended, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(!check_oid(sj->get_subject(sj), baseline));
+	ck_assert(!check_oid(sj->get_subject(sj), extended));
+}
+END_TEST
+
+START_TEST(test_badchain_gap)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", NULL, X509_CA, NULL, NULL);
+	sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_badchain_any)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
+	sj = create_cert(im, "CN=SJ", extended, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(!check_oid(sj->get_subject(sj), extended));
+}
+END_TEST
+
+START_TEST(test_valid_mapping)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended);
+	sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_valid_mapping_twice)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", "2.23.140.1.3", X509_CA,
+					 extended, "2.23.140.1.3");
+	im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended);
+	sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_invalid_mapping_loop)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, baseline);
+	sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_invalid_mapping_notallowed)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended);
+	sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_invalid_mapping_nopolicy)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+	im = create_cert(ca, "CN=IM", "2.23.140.1.3", X509_CA, baseline, extended);
+	sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_inhibit_mapping_good)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA, NULL, NULL,
+						 X509_NO_CONSTRAINT, 1, X509_NO_CONSTRAINT);
+	im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended);
+	sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_inhibit_mapping_bad)
+{
+	certificate_t *ca, *i1, *i2, *sj;
+
+	ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA, NULL, NULL,
+						 X509_NO_CONSTRAINT, 1, X509_NO_CONSTRAINT);
+	i1 = create_cert(ca, "CN=IM1", extended, X509_CA, NULL, NULL);
+	i2 = create_cert(i1, "CN=IM2", extended, X509_CA, baseline, extended);
+	sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, i1);
+	creds->add_cert(creds, FALSE, i2);
+	creds->add_cert(creds, FALSE, sj);
+
+	/* TODO: we currently reject the certificate completely, but should
+	 * actually just invalidate the policy not mapped properly */
+	ck_assert(!check_trust(sj->get_subject(sj)));
+}
+END_TEST
+
+START_TEST(test_inhibit_any_good)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL,
+						 X509_NO_CONSTRAINT, X509_NO_CONSTRAINT, 1);
+	im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
+	sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_inhibit_any_bad)
+{
+	certificate_t *ca, *i1, *i2, *sj;
+
+	ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL,
+						 X509_NO_CONSTRAINT, X509_NO_CONSTRAINT, 1);
+	i1 = create_cert(ca, "CN=IM1", anyPolicy, X509_CA, NULL, NULL);
+	i2 = create_cert(i1, "CN=IM2", anyPolicy, X509_CA, NULL, NULL);
+	sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, i1);
+	creds->add_cert(creds, FALSE, i2);
+	creds->add_cert(creds, FALSE, sj);
+
+	/* TODO: we currently reject the certificate completely, but should
+	 * actually just invalidate the policy relying on inhibited anyPolicy */
+	ck_assert(!check_trust(sj->get_subject(sj)));
+}
+END_TEST
+
+START_TEST(test_require_explicit_good)
+{
+	certificate_t *ca, *im, *sj;
+
+	ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL,
+						 1, X509_NO_CONSTRAINT, X509_NO_CONSTRAINT);
+	im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
+	sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, im);
+	creds->add_cert(creds, FALSE, sj);
+
+	ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_require_explicit_bad)
+{
+	certificate_t *ca, *i1, *i2, *sj;
+
+	ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL,
+						 1, X509_NO_CONSTRAINT, X509_NO_CONSTRAINT);
+	i1 = create_cert(ca, "CN=IM1", extended, X509_CA, NULL, NULL);
+	i2 = create_cert(i1, "CN=IM2", extended, X509_CA, NULL, NULL);
+	sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL);
+
+	creds->add_cert(creds, TRUE, ca);
+	creds->add_cert(creds, FALSE, i1);
+	creds->add_cert(creds, FALSE, i2);
+	creds->add_cert(creds, FALSE, sj);
+
+	/* TODO: we currently reject the certificate completely, but should
+	 * actually just invalidate the policy violating requireExplicit */
+	ck_assert(!check_trust(sj->get_subject(sj)));
+}
+END_TEST
+
+Suite *certpolicy_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("certpolicy");
+
+	tc = tcase_create("policy valid");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_test(tc, test_valid_fixed);
+	tcase_add_test(tc, test_valid_any1);
+	tcase_add_test(tc, test_valid_any2);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("policy invalid");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_test(tc, test_invalid_missing);
+	tcase_add_test(tc, test_invalid_wrong);
+	tcase_add_test(tc, test_invalid_any1);
+	tcase_add_test(tc, test_invalid_any2);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("policy badchain");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_test(tc, test_badchain_wrong);
+	tcase_add_test(tc, test_badchain_gap);
+	tcase_add_test(tc, test_badchain_any);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("policy valid mapping");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_test(tc, test_valid_mapping);
+	tcase_add_test(tc, test_valid_mapping_twice);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("policy invalid mapping");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_test(tc, test_invalid_mapping_loop);
+	tcase_add_test(tc, test_invalid_mapping_notallowed);
+	tcase_add_test(tc, test_invalid_mapping_nopolicy);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("inhibit policy mapping");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_test(tc, test_inhibit_mapping_good);
+	tcase_add_test(tc, test_inhibit_mapping_bad);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("inhibit any policy");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_test(tc, test_inhibit_any_good);
+	tcase_add_test(tc, test_inhibit_any_bad);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("require explicit policy");
+	tcase_add_checked_fixture(tc, setup, teardown);
+	tcase_add_test(tc, test_require_explicit_good);
+	tcase_add_test(tc, test_require_explicit_bad);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_chunk.c b/src/libstrongswan/tests/suites/test_chunk.c
index d71e010a2..b5d23658d 100644
--- a/src/libstrongswan/tests/suites/test_chunk.c
+++ b/src/libstrongswan/tests/suites/test_chunk.c
@@ -787,6 +787,11 @@ END_TEST
  * test for chunk_internet_checksum[_inc]()
  */
 
+static inline u_int16_t compensate_alignment(u_int16_t val)
+{
+	return ((val & 0xff) << 8) | (val >> 8);
+}
+
 START_TEST(test_chunk_internet_checksum)
 {
 	chunk_t chunk;
@@ -804,9 +809,9 @@ START_TEST(test_chunk_internet_checksum)
 
 	/* need to compensate for even/odd alignment */
 	sum = chunk_internet_checksum(chunk_create(chunk.ptr, 9));
-	sum = ntohs(sum);
+	sum = compensate_alignment(sum);
 	sum = chunk_internet_checksum_inc(chunk_create(chunk.ptr+9, 11), sum);
-	sum = ntohs(sum);
+	sum = compensate_alignment(sum);
 	ck_assert_int_eq(0x442e, ntohs(sum));
 
 	chunk = chunk_from_chars(0x45,0x00,0x00,0x30,0x44,0x22,0x40,0x00,0x80,0x06,
@@ -821,9 +826,9 @@ START_TEST(test_chunk_internet_checksum)
 
 	/* need to compensate for even/odd alignment */
 	sum = chunk_internet_checksum(chunk_create(chunk.ptr, 9));
-	sum = ntohs(sum);
+	sum = compensate_alignment(sum);
 	sum = chunk_internet_checksum_inc(chunk_create(chunk.ptr+9, 10), sum);
-	sum = ntohs(sum);
+	sum = compensate_alignment(sum);
 	ck_assert_int_eq(0x4459, ntohs(sum));
 }
 END_TEST
diff --git a/src/libstrongswan/tests/suites/test_enum.c b/src/libstrongswan/tests/suites/test_enum.c
index b48b51c0e..53ebd2931 100644
--- a/src/libstrongswan/tests/suites/test_enum.c
+++ b/src/libstrongswan/tests/suites/test_enum.c
@@ -58,6 +58,39 @@ ENUM_NEXT(test_enum_split_names, SPLIT5, SPLIT5, SPLIT4,
 ENUM_END(test_enum_split_names, SPLIT5);
 
 /*******************************************************************************
+ * enum flags
+ */
+enum {
+	FLAG1 = (1 << 0),
+	FLAG2 = (1 << 1),
+	FLAG3 = (1 << 2),
+	FLAG4 = (1 << 3),
+	FLAG5 = (1 << 4),
+	FLAG6 = (1 << 5),
+	FLAG7 = (1 << 6),
+	FLAG8 = (1 << 7),
+	FLAG9 = (1 << 8),
+	FLAG10 = (1 << 9),
+	FLAG11 = (1 << 10),
+	FLAG12 = (1 << 11),
+} test_enum_flags;
+
+ENUM_FLAGS(test_enum_flags_names, FLAG1, FLAG5,
+	"FLAG1", "FLAG2", "FLAG3", "FLAG4", "FLAG5");
+
+ENUM_FLAGS(test_enum_flags_incomplete_names, FLAG3, FLAG4,
+	"FLAG3", "FLAG4");
+
+ENUM_FLAGS(test_enum_flags_null_names, FLAG1, FLAG4,
+	"FLAG1", NULL, "FLAG3", NULL);
+
+ENUM_FLAGS(test_enum_flags_overflow_names, FLAG1, FLAG12,
+	"OVERFLOWFLAGLONGNAME1",  "OVERFLOWFLAGLONGNAME2",  "OVERFLOWFLAGLONGNAME3",
+	"OVERFLOWFLAGLONGNAME4",  "OVERFLOWFLAGLONGNAME5",  "OVERFLOWFLAGLONGNAME6",
+	"OVERFLOWFLAGLONGNAME7",  "OVERFLOWFLAGLONGNAME8",  "OVERFLOWFLAGLONGNAME9",
+	"OVERFLOWFLAGLONGNAME10", "OVERFLOWFLAGLONGNAME11", "OVERFLOWFLAGLONGNAME12");
+
+/*******************************************************************************
  * enum_to_name
  */
 
@@ -198,11 +231,52 @@ static struct {
 	{256, "(256)"},
 };
 
+/*******************************************************************************
+ * flag_to_name
+ */
+
+static struct {
+	int val;
+	char *str;
+} printf_tests_flags[] = {
+	{0, "(unset)"},
+	{FLAG1, "FLAG1"},
+	{FLAG2, "FLAG2"},
+	{FLAG3, "FLAG3"},
+	{FLAG4, "FLAG4"},
+	{FLAG5, "FLAG5"},
+	{FLAG1 | FLAG3, "FLAG1 | FLAG3"},
+	{FLAG1 | FLAG3 | 32, "FLAG1 | FLAG3 | (0x20)"},
+	{FLAG1 | FLAG3 | 32 | 64, "FLAG1 | FLAG3 | (0x20) | (0x40)"},
+	{0x20, "(0x20)"},
+	{0x80000000, "(0x80000000)"},
+	{0xFFFFF, "FLAG1 | FLAG2 | FLAG3 | FLAG4 | "
+			  "FLAG5 | (0x20) | (0x40) | (0x80) | "
+			 "(0x100) | (0x200) | (0x400) | (0x800) | "
+			 "(0x1000) | (0x2000) | (0x4000) | (0x8000) | "
+			 "(0x10000) | (0x20000) | (0x40000) | (0x80000)"},
+}, printf_tests_flags_incomplete[] = {
+	{FLAG1, "(0x1)"},
+	{FLAG1 | FLAG2 | FLAG3, "(0x1) | (0x2) | FLAG3"},
+	{FLAG3 | FLAG4 | FLAG5, "FLAG3 | FLAG4 | (0x10)"},
+}, printf_tests_flags_null[] = {
+	{FLAG1 | FLAG2 | FLAG3 | FLAG4, "FLAG1 | FLAG3"},
+}, printf_tests_flags_overflow[] = {
+	{0xFFFFFFFF, "(0xFFFFFFFF)"},
+}, printf_tests_flags_noflagenum[] = {
+	{-1, "(-1)"},
+	{6435, "(6435)"},
+}, enum_flags_to_string_tests[] = {
+	{-1, NULL},
+	{6435, NULL},
+};
+
 START_TEST(test_enum_printf_hook_cont)
 {
 	char buf[128];
 
-	snprintf(buf, sizeof(buf), "%N", test_enum_cont_names, printf_tests_cont[_i].val);
+	snprintf(buf, sizeof(buf), "%N",
+			 test_enum_cont_names, printf_tests_cont[_i].val);
 	ck_assert_str_eq(printf_tests_cont[_i].str, buf);
 }
 END_TEST
@@ -211,11 +285,89 @@ START_TEST(test_enum_printf_hook_split)
 {
 	char buf[128];
 
-	snprintf(buf, sizeof(buf), "%N", test_enum_split_names, printf_tests_split[_i].val);
+	snprintf(buf, sizeof(buf), "%N",
+			 test_enum_split_names, printf_tests_split[_i].val);
 	ck_assert_str_eq(printf_tests_split[_i].str, buf);
 }
 END_TEST
 
+START_TEST(test_enum_printf_hook_flags)
+{
+	char buf[1024];
+
+	snprintf(buf, sizeof(buf), "%N", test_enum_flags_names,
+			 printf_tests_flags[_i].val);
+	ck_assert_str_eq(printf_tests_flags[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_printf_hook_flags_incomplete)
+{
+	char buf[1024];
+
+	snprintf(buf, sizeof(buf), "%N", test_enum_flags_incomplete_names,
+			 printf_tests_flags_incomplete[_i].val);
+	ck_assert_str_eq(printf_tests_flags_incomplete[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_printf_hook_flags_null)
+{
+	char buf[1024];
+
+	snprintf(buf, sizeof(buf), "%N", test_enum_flags_null_names,
+			 printf_tests_flags_null[_i].val);
+	ck_assert_str_eq(printf_tests_flags_null[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_printf_hook_flags_overflow)
+{
+	char buf[1024];
+
+	snprintf(buf, sizeof(buf), "%N", test_enum_flags_overflow_names,
+			 printf_tests_flags_overflow[_i].val);
+	ck_assert_str_eq(printf_tests_flags_overflow[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_printf_hook_flags_noflagenum)
+{
+	char buf[1024];
+
+	snprintf(buf, sizeof(buf), "%N", test_enum_cont_names,
+			 printf_tests_flags_noflagenum[_i].val);
+	ck_assert_str_eq(printf_tests_flags_noflagenum[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_flags_to_string)
+{
+	char buf[1], *str;
+
+	str = enum_flags_to_string(test_enum_flags_names,
+			enum_flags_to_string_tests[_i].val, buf, sizeof(buf));
+	if (str)
+	{
+		ck_assert_str_eq(enum_flags_to_string_tests[_i].str, str);
+	}
+	else
+	{
+		ck_assert(str == enum_flags_to_string_tests[_i].str);
+	}
+}
+END_TEST
+
+START_TEST(test_enum_flags_to_string_noflagenum)
+{
+	char buf[1024];
+
+	enum_flags_to_string(test_enum_cont_names,
+			printf_tests_flags_noflagenum[_i].val, buf, sizeof(buf));
+	ck_assert_str_eq(printf_tests_flags_noflagenum[_i].str, buf);
+}
+END_TEST
+
 START_TEST(test_enum_printf_hook_width)
 {
 	char buf[128];
@@ -246,9 +398,19 @@ Suite *enum_suite_create()
 	tcase_add_loop_test(tc, test_enum_from_name_split, 0, countof(enum_tests_split));
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("enum_flags_to_string");
+	tcase_add_loop_test(tc, test_enum_flags_to_string, 0, countof(enum_flags_to_string_tests));
+	tcase_add_loop_test(tc, test_enum_flags_to_string_noflagenum, 0, countof(printf_tests_flags_noflagenum));
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("enum_printf_hook");
 	tcase_add_loop_test(tc, test_enum_printf_hook_cont, 0, countof(printf_tests_cont));
 	tcase_add_loop_test(tc, test_enum_printf_hook_split, 0, countof(printf_tests_split));
+	tcase_add_loop_test(tc, test_enum_printf_hook_flags, 0, countof(printf_tests_flags));
+	tcase_add_loop_test(tc, test_enum_printf_hook_flags_incomplete, 0, countof(printf_tests_flags_incomplete));
+	tcase_add_loop_test(tc, test_enum_printf_hook_flags_null, 0, countof(printf_tests_flags_null));
+	tcase_add_loop_test(tc, test_enum_printf_hook_flags_overflow, 0, countof(printf_tests_flags_overflow));
+	tcase_add_loop_test(tc, test_enum_printf_hook_flags_noflagenum, 0, countof(printf_tests_flags_noflagenum));
 	tcase_add_test(tc, test_enum_printf_hook_width);
 	suite_add_tcase(s, tc);
 
diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
index 41a9d64ef..14cc32122 100644
--- a/src/libstrongswan/tests/suites/test_hasher.c
+++ b/src/libstrongswan/tests/suites/test_hasher.c
@@ -48,6 +48,9 @@ static hasher_oid_t oids[] = {
 	{ OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },
 	{ OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },
 	{ OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },
+	{ OID_BLISS_WITH_SHA256, HASH_SHA256, KEY_BLISS },
+	{ OID_BLISS_WITH_SHA384, HASH_SHA384, KEY_BLISS },
+	{ OID_BLISS_WITH_SHA512, HASH_SHA512, KEY_BLISS },
 	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA }
 };
 
diff --git a/src/libstrongswan/tests/suites/test_host.c b/src/libstrongswan/tests/suites/test_host.c
index 63442083a..7161b2c5b 100644
--- a/src/libstrongswan/tests/suites/test_host.c
+++ b/src/libstrongswan/tests/suites/test_host.c
@@ -237,6 +237,48 @@ START_TEST(test_create_from_string_and_family_other)
 END_TEST
 
 /*******************************************************************************
+ * host_create_from_dns
+ */
+
+static void test_create_from_dns(int family, chunk_t addr)
+{
+	host_t *host;
+
+	host = host_create_from_dns("localhost", family, 500);
+	if (family != AF_INET6)
+	{
+		ck_assert(host != NULL);
+	}
+	if (host)
+	{
+		if (family != AF_UNSPEC)
+		{
+			verify_address(host, addr, family, 500);
+		}
+		host->destroy(host);
+	}
+}
+
+START_TEST(test_create_from_dns_any)
+{
+	test_create_from_dns(AF_UNSPEC, chunk_empty);
+}
+END_TEST
+
+START_TEST(test_create_from_dns_v4)
+{
+	test_create_from_dns(AF_INET, chunk_from_chars(127,0,0,1));
+}
+END_TEST
+
+START_TEST(test_create_from_dns_v6)
+{
+	test_create_from_dns(AF_INET6,
+						 chunk_from_chars(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1));
+}
+END_TEST
+
+/*******************************************************************************
  * host_create_from_sockaddr
  */
 
@@ -400,6 +442,90 @@ START_TEST(test_create_from_subnet_v6)
 END_TEST
 
 /*******************************************************************************
+ * host_create_from_range
+ */
+
+static const chunk_t addr_v4_to = chunk_from_chars(0xc0, 0xa8, 0x00, 0x05);
+static const chunk_t addr_v6_to = chunk_from_chars(0xfe, 0xc1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+												   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05);
+
+static void verify_range(char *str, int family, chunk_t from_addr,
+						 chunk_t to_addr)
+{
+	host_t *from, *to;
+
+	if (!family)
+	{
+		ck_assert(!host_create_from_range(str, &from, &to));
+	}
+	else
+	{
+		ck_assert(host_create_from_range(str, &from, &to));
+		verify_address(from, from_addr, family, 0);
+		verify_address(to, to_addr, family, 0);
+		from->destroy(from);
+		to->destroy(to);
+	}
+}
+
+START_TEST(test_create_from_range_v4)
+{
+	host_t *from, *to;
+
+	ck_assert(host_create_from_range("0.0.0.0-0.0.0.0", &from, &to));
+	verify_any(from, AF_INET, 0);
+	verify_any(to, AF_INET, 0);
+	from->destroy(from);
+	to->destroy(to);
+
+	verify_range("192.168.0.1-192.168.0.1", AF_INET, addr_v4, addr_v4);
+	verify_range("192.168.0.1-192.168.0.5", AF_INET, addr_v4, addr_v4_to);
+	verify_range("192.168.0.1- 192.168.0.5", AF_INET, addr_v4, addr_v4_to);
+	verify_range("192.168.0.1 -192.168.0.5", AF_INET, addr_v4, addr_v4_to);
+	verify_range("192.168.0.1 - 192.168.0.5", AF_INET, addr_v4, addr_v4_to);
+	verify_range("192.168.0.5-192.168.0.1", AF_INET, addr_v4_to, addr_v4);
+
+	verify_range("192.168.0.1", 0, chunk_empty, chunk_empty);
+	verify_range("192.168.0.1-", 0, chunk_empty, chunk_empty);
+	verify_range("-192.168.0.1", 0, chunk_empty, chunk_empty);
+	verify_range("192.168.0.1-192", 0, chunk_empty, chunk_empty);
+	verify_range("192.168.0.1-192.168", 0, chunk_empty, chunk_empty);
+	verify_range("192.168.0.1-192.168.0", 0, chunk_empty, chunk_empty);
+	verify_range("foo.b.a.r", 0, chunk_empty, chunk_empty);
+	verify_range("foo.b.a.r-b.a.r.f", 0, chunk_empty, chunk_empty);
+}
+END_TEST
+
+START_TEST(test_create_from_range_v6)
+{
+	host_t *from, *to;
+
+	ck_assert(host_create_from_range("::-::", &from, &to));
+	verify_any(from, AF_INET6, 0);
+	verify_any(to, AF_INET6, 0);
+	from->destroy(from);
+	to->destroy(to);
+
+	verify_range("fec1::1-fec1::1", AF_INET6, addr_v6, addr_v6);
+	verify_range("fec1::1-fec1::5", AF_INET6, addr_v6, addr_v6_to);
+	verify_range("fec1::1- fec1::5", AF_INET6, addr_v6, addr_v6_to);
+	verify_range("fec1::1 -fec1::5", AF_INET6, addr_v6, addr_v6_to);
+	verify_range("fec1::1 - fec1::5", AF_INET6, addr_v6, addr_v6_to);
+	verify_range("fec1::5-fec1::1", AF_INET6, addr_v6_to, addr_v6);
+
+	verify_range("fec1::1", 0, chunk_empty, chunk_empty);
+	verify_range("fec1::1-", 0, chunk_empty, chunk_empty);
+	verify_range("-fec1::1", 0, chunk_empty, chunk_empty);
+	verify_range("fec1::1-fec1", 0, chunk_empty, chunk_empty);
+	verify_range("foo::bar", 0, chunk_empty, chunk_empty);
+	verify_range("foo::bar-bar::foo", 0, chunk_empty, chunk_empty);
+
+	verify_range("fec1::1-192.168.0.1", 0, chunk_empty, chunk_empty);
+	verify_range("192.168.0.1-fec1::1", 0, chunk_empty, chunk_empty);
+}
+END_TEST
+
+/*******************************************************************************
  * host_create_netmask
  */
 
@@ -610,6 +736,12 @@ Suite *host_suite_create()
 	tcase_add_test(tc, test_create_from_string_and_family_other);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("host_create_from_dns");
+	tcase_add_test(tc, test_create_from_dns_any);
+	tcase_add_test(tc, test_create_from_dns_v4);
+	tcase_add_test(tc, test_create_from_dns_v6);
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("host_create_from_sockaddr");
 	tcase_add_test(tc, test_create_from_sockaddr_v4);
 	tcase_add_test(tc, test_create_from_sockaddr_v6);
@@ -627,6 +759,11 @@ Suite *host_suite_create()
 	tcase_add_test(tc, test_create_from_subnet_v6);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("host_create_from_range");
+	tcase_add_test(tc, test_create_from_range_v4);
+	tcase_add_test(tc, test_create_from_range_v6);
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("host_create_netmask");
 	tcase_add_test(tc, test_create_netmask_v4);
 	tcase_add_test(tc, test_create_netmask_v6);
diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c
index 5de785710..de00e4afd 100644
--- a/src/libstrongswan/tests/suites/test_identification.c
+++ b/src/libstrongswan/tests/suites/test_identification.c
@@ -122,58 +122,68 @@ static struct {
 		} data;
 	} result;
 } string_data[] = {
-	{NULL,      ID_ANY,  { .type = ENC_CHUNK }},
-	{"",        ID_ANY,  { .type = ENC_CHUNK }},
-	{"%any",    ID_ANY,  { .type = ENC_CHUNK }},
-	{"%any6",   ID_ANY,  { .type = ENC_CHUNK }},
-	{"0.0.0.0", ID_ANY,  { .type = ENC_CHUNK }},
-	{"0::0",    ID_ANY,  { .type = ENC_CHUNK }},
-	{"::",      ID_ANY,  { .type = ENC_CHUNK }},
-	{"*",       ID_ANY,  { .type = ENC_CHUNK }},
-	{"any",     ID_FQDN, { .type = ENC_SIMPLE }},
-	{"any6",    ID_FQDN, { .type = ENC_SIMPLE }},
-	{"0",       ID_FQDN, { .type = ENC_SIMPLE }},
-	{"**",      ID_FQDN, { .type = ENC_SIMPLE }},
-	{"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK,
-									.data.c = chunk_from_chars(0xc0, 0xa8, 0x01, 0x01) }},
-	{"192.168.",ID_FQDN, { .type = ENC_SIMPLE }},
-	{".",       ID_FQDN, { .type = ENC_SIMPLE }},
-	{"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK,
-								.data.c = chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-														   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01) }},
-	{"fec0::",  ID_IPV6_ADDR, { .type = ENC_CHUNK,
-								.data.c = chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-														   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00) }},
-	{"fec0:",   ID_KEY_ID,    { .type = ENC_SIMPLE }},
-	{":",       ID_KEY_ID,    { .type = ENC_SIMPLE }},
-	{"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
-	{"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
-	{"alice@",  ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
-	{"alice",   ID_FQDN, { .type = ENC_SIMPLE }},
-	{"@",       ID_FQDN, { .type = ENC_CHUNK }},
-	{" @",      ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
-	{"@strongswan.org",  ID_FQDN, { .type = ENC_STRING,
-									.data.s = "strongswan.org" }},
-	{"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK,
-								.data.c = chunk_from_chars(0xde, 0xad, 0xbe, 0xef) }},
-	{"@#deadbee",  ID_KEY_ID, { .type = ENC_CHUNK,
-								.data.c = chunk_from_chars(0x0d, 0xea, 0xdb, 0xee) }},
-	{"foo=bar",    ID_KEY_ID, { .type = ENC_SIMPLE }},
-	{"foo=",	   ID_KEY_ID, { .type = ENC_SIMPLE }},
-	{"=bar",	   ID_KEY_ID, { .type = ENC_SIMPLE }},
-	{"C=",		   ID_DER_ASN1_DN, { .type = ENC_CHUNK,
-									 .data.c = chunk_from_chars(0x30, 0x0b, 0x31, 0x09, 0x30, 0x07, 0x06,
-																0x03, 0x55, 0x04, 0x06, 0x13, 0x00)}},
-	{"C=CH",	   ID_DER_ASN1_DN, { .type = ENC_CHUNK,
-									 .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
-																0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}},
-	{"C=CH,",	   ID_DER_ASN1_DN, { .type = ENC_CHUNK,
-									 .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
-																0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}},
-	{"C=CH, ",	   ID_DER_ASN1_DN, { .type = ENC_CHUNK,
-									 .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
-																0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}},
-	{"C=CH, O",	   ID_KEY_ID, { .type = ENC_SIMPLE }},
+	{NULL,						ID_ANY,			{ .type = ENC_CHUNK }},
+	{"",						ID_ANY,			{ .type = ENC_CHUNK }},
+	{"%any",					ID_ANY,			{ .type = ENC_CHUNK }},
+	{"%any6",					ID_ANY,			{ .type = ENC_CHUNK }},
+	{"0.0.0.0",					ID_ANY,			{ .type = ENC_CHUNK }},
+	{"0::0",					ID_ANY,			{ .type = ENC_CHUNK }},
+	{"::",						ID_ANY,			{ .type = ENC_CHUNK }},
+	{"*",						ID_ANY,			{ .type = ENC_CHUNK }},
+	{"any",						ID_FQDN,		{ .type = ENC_SIMPLE }},
+	{"any6",					ID_FQDN,		{ .type = ENC_SIMPLE }},
+	{"0",						ID_FQDN,		{ .type = ENC_SIMPLE }},
+	{"**",						ID_FQDN,		{ .type = ENC_SIMPLE }},
+	{"192.168.1.1",				ID_IPV4_ADDR,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
+	{"192.168.",				ID_FQDN,		{ .type = ENC_SIMPLE }},
+	{".",						ID_FQDN,		{ .type = ENC_SIMPLE }},
+	{"fec0::1",					ID_IPV6_ADDR,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }},
+	{"fec0::",					ID_IPV6_ADDR,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }},
+	{"fec0:",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
+	{":",						ID_KEY_ID,		{ .type = ENC_SIMPLE }},
+	{"alice@strongswan.org",	ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
+	{"alice@strongswan",		ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
+	{"alice@",					ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
+	{"alice",					ID_FQDN,		{ .type = ENC_SIMPLE }},
+	{"@",						ID_FQDN,		{ .type = ENC_CHUNK }},
+	{" @",						ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
+	{"@strongswan.org",			ID_FQDN,		{ .type = ENC_STRING,
+		.data.s = "strongswan.org" }},
+	{"@#deadbeef",				ID_KEY_ID,		{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xde,0xad,0xbe,0xef) }},
+	{"@#deadbee",				ID_KEY_ID,		{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x0d,0xea,0xdb,0xee) }},
+	{"foo=bar",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
+	{"foo=",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
+	{"=bar",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
+	{"C=",						ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x30,0x0b,0x31,0x09,0x30,0x07,0x06,
+								   0x03,0x55,0x04,0x06,0x13,0x00) }},
+	{"C=CH",					ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
+								   0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
+	{"C=CH,",					ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
+								   0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
+	{"C=CH, ",					ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
+								   0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
+	{"C=CH, O",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
+	{"IPv4:#c0a80101",			ID_IPV4_ADDR,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
+	{ "email:tester",			ID_RFC822_ADDR,	{ .type = ENC_STRING,
+		.data.s = "tester" }},
+	{ "{1}:#c0a80101",			ID_IPV4_ADDR,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
+	{ "{0x02}:tester",			ID_FQDN,		{ .type = ENC_STRING,
+		.data.s = "tester" }},
+	{ "{99}:somedata",			99,				{ .type = ENC_STRING,
+		.data.s = "somedata" }},
 };
 
 START_TEST(test_from_string)
diff --git a/src/libstrongswan/tests/suites/test_mgf1.c b/src/libstrongswan/tests/suites/test_mgf1.c
new file mode 100644
index 000000000..9388b95d4
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_mgf1.c
@@ -0,0 +1,268 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <tests/utils/test_rng.h>
+#include <utils/test.h>
+#include <crypto/mgf1/mgf1.h>
+#include <crypto/mgf1/mgf1_bitspender.h>
+
+typedef struct {
+	hash_algorithm_t alg;
+	size_t hash_size;
+	size_t ml1, ml2, ml3, seed_len;
+	chunk_t seed;
+	chunk_t hashed_seed;
+	chunk_t mask;
+	uint32_t bits[22];
+} mgf1_test_t;
+
+/**
+ * MGF1 Mask Generation Function Test Vectors
+ */
+mgf1_test_t mgf1_tests[] = {
+	{	HASH_SHA1, 20, 60, 20, 15, 24,
+		chunk_from_chars(
+						0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D,
+						0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D,
+						0x8C, 0x9B, 0xD5, 0x63, 0x57, 0x38, 0x11, 0xC2,
+						0xB5, 0xCA, 0xBF, 0x06, 0x43, 0x45, 0x19, 0xD5,
+						0xE7, 0x36, 0xD0, 0x29, 0x21, 0xDA, 0x02, 0x20,
+						0x45, 0xF6, 0x5F, 0x0F, 0x10, 0x04, 0x2A, 0xE3,
+						0x6A, 0x1D, 0xD5, 0x9F, 0x1D, 0x66, 0x44, 0x8F,
+						0xFA, 0xC6, 0xCA, 0xA4, 0x6E, 0x3B, 0x00, 0x66,
+						0xA6, 0xC9, 0x80, 0x5C, 0xF5, 0x2D, 0xD7, 0x72,
+						0xC6, 0xD4, 0x4F, 0x30, 0x72, 0xA2, 0xAD, 0xE0,
+						0x33, 0xE8, 0x55, 0xD5, 0xE6, 0xD6, 0x00, 0x1D,
+						0xA8, 0x68, 0xFF, 0x97, 0x36, 0x8A, 0xF4, 0xD6,
+						0xF1, 0xB6, 0x7E, 0x1F, 0x06, 0xCB, 0x57, 0xCB,
+						0x35, 0x38, 0xF2, 0x2D, 0xF6, 0x20),
+		chunk_from_chars(
+						0xF3, 0x9B, 0x0B, 0xB4, 0x97, 0x50, 0xB5, 0xA7,
+						0xE6, 0xBD, 0xDA, 0xD0, 0x9A, 0x52, 0xBE, 0xA0,
+						0x21, 0xC4, 0x90, 0xB6),
+		chunk_from_chars(
+						0x10, 0x43, 0x76, 0x72, 0x6C, 0xDE, 0xA0, 0x0E,
+						0x77, 0x51, 0xFB, 0x58, 0x39, 0x8A, 0x36, 0xE1,
+						0x63, 0x2B, 0xC9, 0x17, 0x56, 0x0C, 0x4B, 0x46,
+						0xA4, 0x07, 0xA4, 0x3B, 0x8E, 0x33, 0x4D, 0xD1,
+						0x65, 0xF1, 0xAC, 0xC8, 0x59, 0x21, 0x32, 0x16,
+						0x44, 0x2B, 0x7F, 0xB2, 0xA8, 0xA7, 0x26, 0x5D,
+						0xE8, 0x02, 0xBE, 0x8E, 0xDC, 0x34, 0xEB, 0x10,
+						0x76, 0x16, 0x8C, 0xDD, 0x90, 0x92, 0x3D, 0x29,
+						0x90, 0x98, 0x46, 0x11, 0x73, 0x53, 0x47, 0xB1,
+						0x2C, 0xD4, 0x83, 0x78, 0x9B, 0x93, 0x2F, 0x5B,
+						0xFC, 0x26, 0xFF, 0x42, 0x08, 0x1F, 0x70, 0x66,
+						0x40, 0x4B, 0xE7, 0x22, 0x3A, 0x56, 0x10, 0x6D,
+						0x4D, 0x29, 0x0B, 0xCE, 0xA6, 0x21, 0xB5, 0x5C,
+						0x71, 0x66, 0x2F, 0x70, 0x35, 0xD8, 0x8A, 0x92,
+						0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14),
+		{ 0, 0, 0, 4, 1, 1, 46, 103, 38, 411, 848, 57, 3540, 4058, 12403,
+		  0x63, 0x2B, 0xC9, 0x17, 0x56, 669409, 0xA407A43B },
+	},
+	{	HASH_SHA256, 32, 64, 32, 33, 40,
+		chunk_from_chars(
+						0x52, 0xC5, 0xDD, 0x1E, 0xEF, 0x76, 0x1B, 0x53,
+						0x08, 0xE4, 0x86, 0x3F, 0x91, 0x12, 0x98, 0x69,
+						0xC5, 0x9D, 0xDE, 0xF6, 0xFC, 0xFA, 0x93, 0xCE,
+						0x32, 0x52, 0x66, 0xF9, 0xC9, 0x97, 0xF6, 0x42,
+						0x00, 0x2C, 0x64, 0xED, 0x1A, 0x6B, 0x14, 0x0A,
+						0x4B, 0x04, 0xCF, 0x6D, 0x2D, 0x82, 0x0A, 0x07,
+						0xA2, 0x3B, 0xDE, 0xCE, 0x19, 0x8A, 0x39, 0x43,
+						0x16, 0x61, 0x29, 0x98, 0x68, 0xEA, 0xE5, 0xCC,
+						0x0A, 0xF8, 0xE9, 0x71, 0x26, 0xF1, 0x07, 0x36,
+						0x2C, 0x07, 0x1E, 0xEB, 0xE4, 0x28, 0xA2, 0xF4,
+						0xA8, 0x12, 0xC0, 0xC8, 0x20, 0x37, 0xF8, 0xF2,
+						0x6C, 0xAF, 0xDC, 0x6F, 0x2E, 0xD0, 0x62, 0x58,
+						0xD2, 0x37, 0x03, 0x6D, 0xFA, 0x6E, 0x1A, 0xAC,
+						0x9F, 0xCA, 0x56, 0xC6, 0xA4, 0x52, 0x41, 0xE8,
+						0x0F, 0x1B, 0x0C, 0xB9, 0xE6, 0xBA, 0xDE, 0xE1,
+						0x03, 0x5E, 0xC2, 0xE5, 0xF8, 0xF4, 0xF3, 0x46,
+						0x3A, 0x12, 0xC0, 0x1F, 0x3A, 0x00, 0xD0, 0x91,
+						0x18, 0xDD, 0x53, 0xE4, 0x22, 0xF5, 0x26, 0xA4,
+						0x54, 0xEE, 0x20, 0xF0, 0x80),
+		chunk_from_chars(
+						0x76, 0x89, 0x8B, 0x1B, 0x60, 0xEC, 0x10, 0x9D,
+						0x8F, 0x13, 0xF2, 0xFE, 0xD9, 0x85, 0xC1, 0xAB,
+						0x7E, 0xEE, 0xB1, 0x31, 0xDD, 0xF7, 0x7F, 0x0C,
+						0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28),
+		chunk_from_chars(
+						0xF1, 0x19, 0x02, 0x4F, 0xDA, 0x58, 0x05, 0x9A,
+						0x07, 0xDF, 0x61, 0x81, 0x22, 0x0E, 0x15, 0x46,
+						0xCB, 0x35, 0x3C, 0xDC, 0xAD, 0x20, 0xD9, 0x3F,
+						0x0D, 0xD1, 0xAA, 0x64, 0x66, 0x5C, 0xFA, 0x4A,
+						0xFE, 0xD6, 0x8F, 0x55, 0x57, 0x15, 0xB2, 0xA6,
+						0xA0, 0xE6, 0xA8, 0xC6, 0xBD, 0x28, 0xB4, 0xD5,
+						0x6E, 0x5B, 0x4B, 0xB0, 0x97, 0x09, 0xF5, 0xAC,
+						0x57, 0x65, 0x13, 0x97, 0x71, 0x2C, 0x45, 0x13,
+						0x3D, 0xEE, 0xFB, 0xBF, 0xFE, 0xAF, 0xBB, 0x4B,
+						0x0D, 0x5C, 0x45, 0xD4, 0x2F, 0x17, 0x92, 0x07,
+						0x66, 0x11, 0xF5, 0x46, 0xF8, 0x0C, 0x03, 0x92,
+						0xF5, 0xF5, 0xFF, 0xA4, 0xF3, 0x52, 0xF4, 0x08,
+						0x2C, 0x49, 0x32, 0x1A, 0x93, 0x51, 0x98, 0xB6,
+						0x94, 0x83, 0x39, 0xCF, 0x6B, 0x1F, 0x2F, 0xFC,
+						0x2B, 0xFF, 0x10, 0x71, 0x7D, 0x35, 0x6C, 0xEA,
+						0xC5, 0x66, 0xC7, 0x26, 0x7D, 0x9E, 0xAC, 0xDD,
+						0x35, 0xD7, 0x06, 0x3F, 0x40, 0x82, 0xDA, 0xC3,
+						0x2B, 0x3C, 0x91, 0x3A, 0x32, 0xF8, 0xB2, 0xC6,
+						0x44, 0x4D, 0xCD, 0xB6, 0x54, 0x5F, 0x81, 0x95,
+						0x59, 0xA1, 0xE5, 0x4E, 0xA5, 0x0A, 0x4A, 0x42),
+		 { 0, 1, 3, 4, 4, 12, 32, 36, 253, 331, 2, 1640, 503, 6924, 580,
+		   0xCB, 0x35, 0x3C, 0xDC, 0xAD, 922950, 0x0DD1AA64 }
+	}
+};
+
+START_TEST(mgf1_test_mgf1)
+{
+	mgf1_t *mgf1;
+	chunk_t mask, mask1, mask2, mask3;
+
+	mask1 = mgf1_tests[_i].mask;
+	mask2 = chunk_skip(mask1, mgf1_tests[_i].ml1);
+	mask3 = chunk_skip(mask2, mgf1_tests[_i].ml2);
+	mask1.len = mgf1_tests[_i].ml1;
+	mask2.len = mgf1_tests[_i].ml2;
+	mask3.len = mgf1_tests[_i].ml3;
+
+	mgf1 = mgf1_create(HASH_UNKNOWN, mgf1_tests[_i].seed, TRUE);
+	ck_assert(mgf1 == NULL);
+
+	mgf1 = mgf1_create(mgf1_tests[_i].alg, chunk_empty, TRUE);
+	ck_assert(mgf1 == NULL);
+
+	/* return mask in allocated chunk */
+	mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
+	ck_assert(mgf1);
+
+	/* check hash size */
+	ck_assert(mgf1->get_hash_size(mgf1) == mgf1_tests[_i].hash_size);
+
+	/* get zero number of octets */
+	ck_assert(mgf1->allocate_mask(mgf1, 0, &mask));
+	ck_assert(mask.len == 0 && mask.ptr == NULL);
+
+	/* get non-zero number of octets */
+	ck_assert(mgf1->allocate_mask(mgf1, mgf1_tests[_i].mask.len, &mask));
+	ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
+	mgf1->destroy(mgf1);
+
+	/* copy mask to pre-allocated buffer */
+	mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
+	ck_assert(mgf1);
+	ck_assert(mgf1->get_mask(mgf1, mgf1_tests[_i].mask.len, mask.ptr));
+	ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
+	mgf1->destroy(mgf1);
+
+	/* get mask in batches without hashing the seed */
+	mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].hashed_seed, FALSE);
+	ck_assert(mgf1);
+
+	/* first batch */
+	ck_assert(mgf1->get_mask(mgf1, mask1.len, mask.ptr));
+	mask.len = mask1.len;
+	ck_assert(chunk_equals(mask, mask1));
+
+	/* second batch */
+	ck_assert(mgf1->get_mask(mgf1, mask2.len, mask.ptr));
+	mask.len = mask2.len;
+	ck_assert(chunk_equals(mask, mask2));
+
+	/* third batch */
+	ck_assert(mgf1->get_mask(mgf1, mask3.len, mask.ptr));
+	mask.len = mask3.len;
+	ck_assert(chunk_equals(mask, mask3));
+
+	mgf1->destroy(mgf1);
+	chunk_free(&mask);
+}
+END_TEST
+
+START_TEST(mgf1_test_bitspender)
+{
+	mgf1_bitspender_t *bitspender;
+	uint32_t bits;
+	uint8_t byte;
+	int j;
+
+	bitspender = mgf1_bitspender_create(HASH_UNKNOWN,
+										mgf1_tests[_i].hashed_seed, FALSE);
+	ck_assert(bitspender == NULL);
+
+	bitspender = mgf1_bitspender_create(mgf1_tests[_i].alg,
+										mgf1_tests[_i].hashed_seed, FALSE);
+	ck_assert(bitspender);
+
+	for (j = 0; j < 15; j++)
+	{
+		ck_assert(bitspender->get_bits(bitspender, j, &bits));
+		DBG1(DBG_LIB, "bits[%d] = %u, bits = %u", j, mgf1_tests[_i].bits[j],
+					   bits);
+		ck_assert(bits == mgf1_tests[_i].bits[j]);
+	}
+	ck_assert(!bitspender->get_bits(bitspender, 33, &bits));
+
+	for (j = 15; j < 20; j++)
+	{
+		ck_assert(bitspender->get_byte(bitspender, &byte));
+		DBG1(DBG_LIB, "bits[%d] = 0x%02x, byte = 0x%02x", j,
+				   mgf1_tests[_i].bits[j], byte);
+		ck_assert(byte == mgf1_tests[_i].bits[j]);
+	}
+
+	j = 20; /* 23 remaining bits */
+	ck_assert(bitspender->get_bits(bitspender, 23, &bits));
+	DBG1(DBG_LIB, "bits[%d] = %u, bits = %u", j,
+				   mgf1_tests[_i].bits[j], bits);
+	ck_assert(bits == mgf1_tests[_i].bits[j]);
+
+	j = 21; /* 32 aligned bits */
+	ck_assert(bitspender->get_bits(bitspender, 32, &bits));
+	DBG1(DBG_LIB, "bits[%d] = 0x%08x, bits = 0x%08x", j,
+				   mgf1_tests[_i].bits[j], bits);
+	ck_assert(bits == mgf1_tests[_i].bits[j]);
+
+	bitspender->destroy(bitspender);
+}
+END_TEST
+
+
+Suite *mgf1_suite_create(char *name, int n)
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create(name);
+
+	tc = tcase_create("mgf1");
+	tcase_add_loop_test(tc, mgf1_test_mgf1, n, n + 1);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("bitspender");
+	tcase_add_loop_test(tc, mgf1_test_bitspender, n, n + 1);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
+
+Suite *mgf1_sha1_suite_create()
+{
+	return mgf1_suite_create("mgf1-sha1", 0);
+}
+
+Suite *mgf1_sha256_suite_create()
+{
+	return mgf1_suite_create("mgf1-sha256", 1);
+}
diff --git a/src/libstrongswan/tests/suites/test_ntru.c b/src/libstrongswan/tests/suites/test_ntru.c
index 7c0cb81bf..d209fa2bc 100644
--- a/src/libstrongswan/tests/suites/test_ntru.c
+++ b/src/libstrongswan/tests/suites/test_ntru.c
@@ -16,20 +16,17 @@
 #include "test_suite.h"
 
 #include <tests/utils/test_rng.h>
+#include <utils/test.h>
+#include <crypto/mgf1/mgf1.h>
 #include <plugins/ntru/ntru_drbg.h>
-#include <plugins/ntru/ntru_mgf1.h>
 #include <plugins/ntru/ntru_trits.h>
 #include <plugins/ntru/ntru_poly.h>
 #include <plugins/ntru/ntru_param_set.h>
 #include <plugins/ntru/ntru_private_key.h>
-#include <utils/test.h>
 
 IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create, ntru_drbg_t*,
 						  u_int32_t strength, chunk_t pers_str, rng_t *entropy)
 
-IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_mgf1_create, ntru_mgf1_t*,
-						  hash_algorithm_t alg, chunk_t seed, bool hash_seed)
-
 IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_trits_create, ntru_trits_t*,
 						  size_t len, hash_algorithm_t alg, chunk_t seed)
 
@@ -334,13 +331,11 @@ typedef struct {
 typedef struct {
 	hash_algorithm_t alg;
 	size_t hash_size;
-	size_t ml1, ml2, ml3, seed_len;
+	size_t seed_len;
 	chunk_t seed;
-	chunk_t hashed_seed;
-	chunk_t mask;
 	chunk_t trits;
 	poly_test_t poly_test[2];
-} mgf1_test_t;
+} trits_test_t;
 
 uint16_t indices_ees439ep1[] = {
 	367, 413,  16, 214, 114, 128,  42, 268, 346, 329, 119, 303, 208, 287, 150,
@@ -386,10 +381,10 @@ uint16_t indices_ees1171ep1[] = {
 };
 
 /**
- * MGF1 Mask Generation Function Test Vectors
+ * Trits and Polynomial Test Vectors
  */
-mgf1_test_t mgf1_tests[] = {
-	{	HASH_SHA1, 20, 60, 20, 15, 24,
+static trits_test_t trits_tests[] = {
+	{	HASH_SHA1, 20, 24,
 		chunk_from_chars(
 						0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D,
 						0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D,
@@ -406,26 +401,6 @@ mgf1_test_t mgf1_tests[] = {
 						0xF1, 0xB6, 0x7E, 0x1F, 0x06, 0xCB, 0x57, 0xCB,
 						0x35, 0x38, 0xF2, 0x2D, 0xF6, 0x20),
 		chunk_from_chars(
-						0xF3, 0x9B, 0x0B, 0xB4, 0x97, 0x50, 0xB5, 0xA7,
-						0xE6, 0xBD, 0xDA, 0xD0, 0x9A, 0x52, 0xBE, 0xA0,
-						0x21, 0xC4, 0x90, 0xB6),
-		chunk_from_chars(
-						0x10, 0x43, 0x76, 0x72, 0x6C, 0xDE, 0xA0, 0x0E,
-						0x77, 0x51, 0xFB, 0x58, 0x39, 0x8A, 0x36, 0xE1,
-						0x63, 0x2B, 0xC9, 0x17, 0x56, 0x0C, 0x4B, 0x46,
-						0xA4, 0x07, 0xA4, 0x3B, 0x8E, 0x33, 0x4D, 0xD1,
-						0x65, 0xF1, 0xAC, 0xC8, 0x59, 0x21, 0x32, 0x16,
-						0x44, 0x2B, 0x7F, 0xB2, 0xA8, 0xA7, 0x26, 0x5D,
-						0xE8, 0x02, 0xBE, 0x8E, 0xDC, 0x34, 0xEB, 0x10,
-						0x76, 0x16, 0x8C, 0xDD, 0x90, 0x92, 0x3D, 0x29,
-						0x90, 0x98, 0x46, 0x11, 0x73, 0x53, 0x47, 0xB1,
-						0x2C, 0xD4, 0x83, 0x78, 0x9B, 0x93, 0x2F, 0x5B,
-						0xFC, 0x26, 0xFF, 0x42, 0x08, 0x1F, 0x70, 0x66,
-						0x40, 0x4B, 0xE7, 0x22, 0x3A, 0x56, 0x10, 0x6D,
-						0x4D, 0x29, 0x0B, 0xCE, 0xA6, 0x21, 0xB5, 0x5C,
-						0x71, 0x66, 0x2F, 0x70, 0x35, 0xD8, 0x8A, 0x92,
-						0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14),
-		chunk_from_chars(
 				1, 2, 1, 0, 0,  1, 1, 1, 2, 0,  1, 0, 1, 1, 1,  0, 2, 0, 1, 1,
 				0, 0, 0, 1, 1,  0, 2, 0, 2, 2,	1, 2, 2, 2, 1,  2, 1, 1, 0, 0,
 				2, 0, 1, 1, 1,	0, 0, 0, 0, 1,  1, 2, 0, 0, 1,  0, 1, 0, 2, 0,
@@ -457,7 +432,7 @@ mgf1_test_t mgf1_tests[] = {
 			}
 		}
 	},
-	{	HASH_SHA256, 32, 64, 32, 33, 40,
+	{	HASH_SHA256, 32, 40,
 		chunk_from_chars(
 						0x52, 0xC5, 0xDD, 0x1E, 0xEF, 0x76, 0x1B, 0x53,
 						0x08, 0xE4, 0x86, 0x3F, 0x91, 0x12, 0x98, 0x69,
@@ -479,32 +454,6 @@ mgf1_test_t mgf1_tests[] = {
 						0x18, 0xDD, 0x53, 0xE4, 0x22, 0xF5, 0x26, 0xA4,
 						0x54, 0xEE, 0x20, 0xF0, 0x80),
 		chunk_from_chars(
-						0x76, 0x89, 0x8B, 0x1B, 0x60, 0xEC, 0x10, 0x9D,
-						0x8F, 0x13, 0xF2, 0xFE, 0xD9, 0x85, 0xC1, 0xAB,
-						0x7E, 0xEE, 0xB1, 0x31, 0xDD, 0xF7, 0x7F, 0x0C,
-						0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28),
-		chunk_from_chars(
-						0xF1, 0x19, 0x02, 0x4F, 0xDA, 0x58, 0x05, 0x9A,
-						0x07, 0xDF, 0x61, 0x81, 0x22, 0x0E, 0x15, 0x46,
-						0xCB, 0x35, 0x3C, 0xDC, 0xAD, 0x20, 0xD9, 0x3F,
-						0x0D, 0xD1, 0xAA, 0x64, 0x66, 0x5C, 0xFA, 0x4A,
-						0xFE, 0xD6, 0x8F, 0x55, 0x57, 0x15, 0xB2, 0xA6,
-						0xA0, 0xE6, 0xA8, 0xC6, 0xBD, 0x28, 0xB4, 0xD5,
-						0x6E, 0x5B, 0x4B, 0xB0, 0x97, 0x09, 0xF5, 0xAC,
-						0x57, 0x65, 0x13, 0x97, 0x71, 0x2C, 0x45, 0x13,
-						0x3D, 0xEE, 0xFB, 0xBF, 0xFE, 0xAF, 0xBB, 0x4B,
-						0x0D, 0x5C, 0x45, 0xD4, 0x2F, 0x17, 0x92, 0x07,
-						0x66, 0x11, 0xF5, 0x46, 0xF8, 0x0C, 0x03, 0x92,
-						0xF5, 0xF5, 0xFF, 0xA4, 0xF3, 0x52, 0xF4, 0x08,
-						0x2C, 0x49, 0x32, 0x1A, 0x93, 0x51, 0x98, 0xB6,
-						0x94, 0x83, 0x39, 0xCF, 0x6B, 0x1F, 0x2F, 0xFC,
-						0x2B, 0xFF, 0x10, 0x71, 0x7D, 0x35, 0x6C, 0xEA,
-						0xC5, 0x66, 0xC7, 0x26, 0x7D, 0x9E, 0xAC, 0xDD,
-						0x35, 0xD7, 0x06, 0x3F, 0x40, 0x82, 0xDA, 0xC3,
-						0x2B, 0x3C, 0x91, 0x3A, 0x32, 0xF8, 0xB2, 0xC6,
-						0x44, 0x4D, 0xCD, 0xB6, 0x54, 0x5F, 0x81, 0x95,
-						0x59, 0xA1, 0xE5, 0x4E, 0xA5, 0x0A, 0x4A, 0x42),
-		chunk_from_chars(
 				1, 2, 2, 2, 2,  1, 2, 2, 0, 0,  2, 0, 0, 0, 0,  1, 2, 2, 2, 0,
 				2, 0, 0, 2, 2,  1, 2, 0, 0, 1,  2, 1, 0, 0, 0,  1, 0, 2, 2, 1,
 				1, 2, 0, 0, 0,  1, 2, 0, 2, 2,  1, 2, 1, 0, 1,  0, 1, 2, 1, 1,
@@ -546,104 +495,34 @@ mgf1_test_t mgf1_tests[] = {
 	}
 };
 
-START_TEST(test_ntru_mgf1)
-{
-	ntru_mgf1_t *mgf1;
-	chunk_t mask, mask1, mask2, mask3;
-
-	mask1 = mgf1_tests[_i].mask;
-	mask2 = chunk_skip(mask1, mgf1_tests[_i].ml1);
-	mask3 = chunk_skip(mask2, mgf1_tests[_i].ml2);
-	mask1.len = mgf1_tests[_i].ml1;
-	mask2.len = mgf1_tests[_i].ml2;
-	mask3.len = mgf1_tests[_i].ml3;
-
-	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, HASH_UNKNOWN,
-						 mgf1_tests[_i].seed, TRUE);
-	ck_assert(mgf1 == NULL);
-
-	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
-						 chunk_empty, TRUE);
-	ck_assert(mgf1 == NULL);
-
-	/* return mask in allocated chunk */
-	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
-						 mgf1_tests[_i].seed, TRUE);
-	ck_assert(mgf1);
-
-	/* check hash size */
-	ck_assert(mgf1->get_hash_size(mgf1) == mgf1_tests[_i].hash_size);
-
-	/* get zero number of octets */
-	ck_assert(mgf1->allocate_mask(mgf1, 0, &mask));
-	ck_assert(mask.len == 0 && mask.ptr == NULL);
-
-	/* get non-zero number of octets */
-	ck_assert(mgf1->allocate_mask(mgf1, mgf1_tests[_i].mask.len, &mask));
-	ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
-	mgf1->destroy(mgf1);
-
-	/* copy mask to pre-allocated buffer */
-	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
-						 mgf1_tests[_i].seed, TRUE);
-	ck_assert(mgf1);
-	ck_assert(mgf1->get_mask(mgf1, mgf1_tests[_i].mask.len, mask.ptr));
-	ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
-	mgf1->destroy(mgf1);
-
-	/* get mask in batches without hashing the seed */
-	mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
-						 mgf1_tests[_i].hashed_seed, FALSE);
-	ck_assert(mgf1);
-
-	/* first batch */
-	ck_assert(mgf1->get_mask(mgf1, mask1.len, mask.ptr));
-	mask.len = mask1.len;
-	ck_assert(chunk_equals(mask, mask1));
-
-	/* second batch */
-	ck_assert(mgf1->get_mask(mgf1, mask2.len, mask.ptr));
-	mask.len = mask2.len;
-	ck_assert(chunk_equals(mask, mask2));
-
-	/* third batch */
-	ck_assert(mgf1->get_mask(mgf1, mask3.len, mask.ptr));
-	mask.len = mask3.len;
-	ck_assert(chunk_equals(mask, mask3));
-
-	mgf1->destroy(mgf1);
-	chunk_free(&mask);
-}
-END_TEST
-
 START_TEST(test_ntru_trits)
 {
 	ntru_trits_t *mask;
 	chunk_t trits;
 
-	mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len,
-						 HASH_UNKNOWN, mgf1_tests[_i].seed);
+	mask = TEST_FUNCTION(ntru, ntru_trits_create, trits_tests[_i].trits.len,
+						 HASH_UNKNOWN, trits_tests[_i].seed);
 	ck_assert(mask == NULL);
 
-	mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len,
-						 mgf1_tests[_i].alg, chunk_empty);
+	mask = TEST_FUNCTION(ntru, ntru_trits_create, trits_tests[_i].trits.len,
+						 trits_tests[_i].alg, chunk_empty);
 	ck_assert(mask == NULL);
 
-	mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len,
-						 mgf1_tests[_i].alg, mgf1_tests[_i].seed);
+	mask = TEST_FUNCTION(ntru, ntru_trits_create, trits_tests[_i].trits.len,
+						 trits_tests[_i].alg, trits_tests[_i].seed);
 	ck_assert(mask);
 
 	trits = chunk_create(mask->get_trits(mask), mask->get_size(mask));
-	ck_assert(chunk_equals(trits, mgf1_tests[_i].trits));
+	ck_assert(chunk_equals(trits, trits_tests[_i].trits));
 	mask->destroy(mask);
 
 	/* generate a multiple of 5 trits */
-	mask = TEST_FUNCTION(ntru, ntru_trits_create, 10, mgf1_tests[_i].alg,
-						 mgf1_tests[_i].seed);
+	mask = TEST_FUNCTION(ntru, ntru_trits_create, 10, trits_tests[_i].alg,
+						 trits_tests[_i].seed);
 	ck_assert(mask);
 
 	trits = chunk_create(mask->get_trits(mask), mask->get_size(mask));
-	ck_assert(chunk_equals(trits, chunk_create(mgf1_tests[_i].trits.ptr, 10)));
+	ck_assert(chunk_equals(trits, chunk_create(trits_tests[_i].trits.ptr, 10)));
 	mask->destroy(mask);
 }
 END_TEST
@@ -656,10 +535,10 @@ START_TEST(test_ntru_poly)
 	poly_test_t *p;
 	int j, n;
 
-	seed = mgf1_tests[_i].seed;
-	seed.len = mgf1_tests[_i].seed_len;
+	seed = trits_tests[_i].seed;
+	seed.len = trits_tests[_i].seed_len;
 
-	p = &mgf1_tests[_i].poly_test[0];
+	p = &trits_tests[_i].poly_test[0];
 	poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed, HASH_UNKNOWN, seed,
 						 p->c_bits, p->N, p->q, p->indices_len, p->indices_len,
 						 p->is_product_form);
@@ -667,9 +546,9 @@ START_TEST(test_ntru_poly)
 
 	for (n = 0; n < 2; n++)
 	{
-		p = &mgf1_tests[_i].poly_test[n];
+		p = &trits_tests[_i].poly_test[n];
 		poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed,
-							mgf1_tests[_i].alg, seed, p->c_bits, p->N, p->q,
+							trits_tests[_i].alg, seed, p->c_bits, p->N, p->q,
 							p->indices_len, p->indices_len, p->is_product_form);
 		ck_assert(poly != NULL && poly->get_size(poly) == p->indices_size);
 
@@ -1182,7 +1061,6 @@ START_TEST(test_ntru_ke)
 	diffie_hellman_t *i_ntru, *r_ntru;
 	char buf[10];
 	int k, n, len;
-	status_t status;
 
 	k = (_i) / countof(parameter_sets);
 	n = (_i) % countof(parameter_sets);
@@ -1199,23 +1077,21 @@ START_TEST(test_ntru_ke)
 	ck_assert(i_ntru != NULL);
 	ck_assert(i_ntru->get_dh_group(i_ntru) == params[k].group);
 
-	i_ntru->get_my_public_value(i_ntru, &pub_key);
+	ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key));
 	ck_assert(pub_key.len > 0);
 
 	r_ntru = lib->crypto->create_dh(lib->crypto, params[k].group);
 	ck_assert(r_ntru != NULL);
 
-	r_ntru->set_other_public_value(r_ntru, pub_key);
-	r_ntru->get_my_public_value(r_ntru, &cipher_text);
+	ck_assert(r_ntru->set_other_public_value(r_ntru, pub_key));
+	ck_assert(r_ntru->get_my_public_value(r_ntru, &cipher_text));
 	ck_assert(cipher_text.len > 0);
 
-	status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret);
-	ck_assert(status == SUCCESS);
+	ck_assert(r_ntru->get_shared_secret(r_ntru, &r_shared_secret));
 	ck_assert(r_shared_secret.len > 0);
 
-	i_ntru->set_other_public_value(i_ntru, cipher_text);
-	status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret);
-	ck_assert(status == SUCCESS);
+	ck_assert(i_ntru->set_other_public_value(i_ntru, cipher_text));
+	ck_assert(i_ntru->get_shared_secret(i_ntru, &i_shared_secret));
 	ck_assert(chunk_equals(i_shared_secret, r_shared_secret));
 
 	chunk_clear(&i_shared_secret);
@@ -1233,8 +1109,8 @@ START_TEST(test_ntru_retransmission)
 	chunk_t pub_key1, pub_key2;
 
 	i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_256_BIT);
-	i_ntru->get_my_public_value(i_ntru, &pub_key1);
-	i_ntru->get_my_public_value(i_ntru, &pub_key2);
+	ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key1));
+	ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key2));
 	ck_assert(chunk_equals(pub_key1, pub_key2));
 
 	chunk_free(&pub_key1);
@@ -1260,8 +1136,8 @@ START_TEST(test_ntru_pubkey_oid)
 	chunk_t cipher_text;
 
 	r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
-	r_ntru->set_other_public_value(r_ntru, oid_tests[_i]);
-	r_ntru->get_my_public_value(r_ntru, &cipher_text);
+	ck_assert(!r_ntru->set_other_public_value(r_ntru, oid_tests[_i]));
+	ck_assert(r_ntru->get_my_public_value(r_ntru, &cipher_text));
 	ck_assert(cipher_text.len == 0);
 	r_ntru->destroy(r_ntru);
 }
@@ -1276,14 +1152,14 @@ START_TEST(test_ntru_wrong_set)
 						  "libstrongswan.plugins.ntru.parameter_set",
 			 			  "x9_98_bandwidth");
 	i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT);
-	i_ntru->get_my_public_value(i_ntru, &pub_key);
+	ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key));
 
 	lib->settings->set_str(lib->settings,
 						  "libstrongswan.plugins.ntru.parameter_set",
 						  "optimum");
 	r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT);
-	r_ntru->set_other_public_value(r_ntru, pub_key);
-	r_ntru->get_my_public_value(r_ntru, &cipher_text);
+	ck_assert(!r_ntru->set_other_public_value(r_ntru, pub_key));
+	ck_assert(r_ntru->get_my_public_value(r_ntru, &cipher_text));
 	ck_assert(cipher_text.len == 0);
 
 	chunk_free(&pub_key);
@@ -1314,9 +1190,9 @@ START_TEST(test_ntru_ciphertext)
 	for (i = 0; i < countof(test); i++)
 	{
 		i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
-		i_ntru->get_my_public_value(i_ntru, &pub_key);
-		i_ntru->set_other_public_value(i_ntru, test[i]);
-		ck_assert(i_ntru->get_shared_secret(i_ntru, &shared_secret) != SUCCESS);
+		ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key));
+		ck_assert(!i_ntru->set_other_public_value(i_ntru, test[i]));
+		ck_assert(!i_ntru->get_shared_secret(i_ntru, &shared_secret));
 		ck_assert(shared_secret.len == 0);
 
 		chunk_free(&pub_key);
@@ -1334,12 +1210,12 @@ START_TEST(test_ntru_wrong_ciphertext)
 	r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
 	m_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
 
-	i_ntru->get_my_public_value(i_ntru, &pub_key_i);
-	m_ntru->get_my_public_value(m_ntru, &pub_key_m);
-	r_ntru->set_other_public_value(r_ntru, pub_key_m);
-	r_ntru->get_my_public_value(r_ntru, &cipher_text);
-	i_ntru->set_other_public_value(i_ntru, cipher_text);
-	ck_assert(i_ntru->get_shared_secret(i_ntru, &shared_secret) != SUCCESS);
+	ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key_i));
+	ck_assert(m_ntru->get_my_public_value(m_ntru, &pub_key_m));
+	ck_assert(r_ntru->set_other_public_value(r_ntru, pub_key_m));
+	ck_assert(r_ntru->get_my_public_value(r_ntru, &cipher_text));
+	ck_assert(!i_ntru->set_other_public_value(i_ntru, cipher_text));
+	ck_assert(!i_ntru->get_shared_secret(i_ntru, &shared_secret));
 	ck_assert(shared_secret.len == 0);
 
 	chunk_free(&pub_key_i);
@@ -1370,16 +1246,12 @@ Suite *ntru_suite_create()
 	tcase_add_test(tc, test_ntru_drbg_reseed);
 	suite_add_tcase(s, tc);
 
-	tc = tcase_create("mgf1");
-	tcase_add_loop_test(tc, test_ntru_mgf1, 0, countof(mgf1_tests));
-	suite_add_tcase(s, tc);
-
 	tc = tcase_create("trits");
-	tcase_add_loop_test(tc, test_ntru_trits, 0, countof(mgf1_tests));
+	tcase_add_loop_test(tc, test_ntru_trits, 0, countof(trits_tests));
 	suite_add_tcase(s, tc);
 
 	tc = tcase_create("poly");
-	tcase_add_loop_test(tc, test_ntru_poly, 0, countof(mgf1_tests));
+	tcase_add_loop_test(tc, test_ntru_poly, 0, countof(trits_tests));
 	suite_add_tcase(s, tc);
 
 	tc = tcase_create("ring_mult");
diff --git a/src/libstrongswan/tests/suites/test_settings.c b/src/libstrongswan/tests/suites/test_settings.c
index b9d429a24..9601a34a9 100644
--- a/src/libstrongswan/tests/suites/test_settings.c
+++ b/src/libstrongswan/tests/suites/test_settings.c
@@ -908,7 +908,7 @@ START_SETUP(setup_string_config)
 		"special = \"all { special } characters # can be used.\"\n"
 		"unterminated = \"is fine\n"
 		"but = produces a warning\n"
-		"newlines = \"can either be encoded\\nor\\\n"
+		"newlines = \"can either be encoded\\nor \\\n"
 		"escaped\"\n"
 		"quotes = \"\\\"and\\\" slashes \\\\ can \\\\ be\" # escaped too\n"
 		"multiple = \"strings\" are \"combined\"\n"
@@ -922,7 +922,7 @@ START_TEST(test_strings)
 	verify_string("all { special } characters # can be used.", "special");
 	verify_string("is fine", "unterminated");
 	verify_string("produces a warning", "but");
-	verify_string("can either be encoded\nor\nescaped", "newlines");
+	verify_string("can either be encoded\nor escaped", "newlines");
 	verify_string("\"and\" slashes \\ can \\ be", "quotes");
 	verify_string("strings are combined", "multiple");
 }
diff --git a/src/libstrongswan/tests/suites/test_threading.c b/src/libstrongswan/tests/suites/test_threading.c
index 47e448484..55a4cd797 100644
--- a/src/libstrongswan/tests/suites/test_threading.c
+++ b/src/libstrongswan/tests/suites/test_threading.c
@@ -553,6 +553,49 @@ START_TEST(test_rwlock)
 }
 END_TEST
 
+static void *rwlock_try_run(void *param)
+{
+	if (rwlock->try_write_lock(rwlock))
+	{
+		rwlock->unlock(rwlock);
+		return param;
+	}
+	return NULL;
+}
+
+START_TEST(test_rwlock_try)
+{
+	uintptr_t magic = 0xcafebabe;
+	thread_t *thread;
+
+	rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	thread = thread_create(rwlock_try_run, (void*)magic);
+	ck_assert_int_eq((uintptr_t)thread->join(thread), magic);
+
+	rwlock->read_lock(rwlock);
+	thread = thread_create(rwlock_try_run, (void*)magic);
+	ck_assert(thread->join(thread) == NULL);
+	rwlock->unlock(rwlock);
+
+	rwlock->read_lock(rwlock);
+	rwlock->read_lock(rwlock);
+	rwlock->read_lock(rwlock);
+	thread = thread_create(rwlock_try_run, (void*)magic);
+	ck_assert(thread->join(thread) == NULL);
+	rwlock->unlock(rwlock);
+	rwlock->unlock(rwlock);
+	rwlock->unlock(rwlock);
+
+	rwlock->write_lock(rwlock);
+	thread = thread_create(rwlock_try_run, (void*)magic);
+	ck_assert(thread->join(thread) == NULL);
+	rwlock->unlock(rwlock);
+
+	rwlock->destroy(rwlock);
+}
+END_TEST
+
 /**
  * Rwlock condvar
  */
@@ -1132,6 +1175,191 @@ START_TEST(test_cancel_point)
 }
 END_TEST
 
+static void close_fd_ptr(void *fd)
+{
+	close(*(int*)fd);
+}
+
+static void cancellation_recv()
+{
+	int sv[2];
+	char buf[1];
+
+	ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0);
+
+	thread_cleanup_push(close_fd_ptr, &sv[0]);
+	thread_cleanup_push(close_fd_ptr, &sv[1]);
+
+	thread_cancelability(TRUE);
+	while (TRUE)
+	{
+		ck_assert(recv(sv[0], buf, sizeof(buf), 0) == 1);
+	}
+}
+
+static void cancellation_read()
+{
+	int sv[2];
+	char buf[1];
+
+	ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0);
+
+	thread_cleanup_push(close_fd_ptr, &sv[0]);
+	thread_cleanup_push(close_fd_ptr, &sv[1]);
+
+	thread_cancelability(TRUE);
+	while (TRUE)
+	{
+		ck_assert(read(sv[0], buf, sizeof(buf)) == 1);
+	}
+}
+
+static void cancellation_select()
+{
+	int sv[2];
+	fd_set set;
+
+	ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0);
+
+	thread_cleanup_push(close_fd_ptr, &sv[0]);
+	thread_cleanup_push(close_fd_ptr, &sv[1]);
+
+	FD_ZERO(&set);
+	FD_SET(sv[0], &set);
+	thread_cancelability(TRUE);
+	while (TRUE)
+	{
+		ck_assert(select(sv[0] + 1, &set, NULL, NULL, NULL) == 1);
+	}
+}
+
+static void cancellation_poll()
+{
+	int sv[2];
+	struct pollfd pfd;
+
+	ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0);
+
+	thread_cleanup_push(close_fd_ptr, &sv[0]);
+	thread_cleanup_push(close_fd_ptr, &sv[1]);
+
+	pfd.fd = sv[0];
+	pfd.events = POLLIN;
+	thread_cancelability(TRUE);
+	while (TRUE)
+	{
+		ck_assert(poll(&pfd, 1, -1) == 1);
+	}
+}
+
+static void cancellation_accept()
+{
+	host_t *host;
+	int fd, c;
+
+	fd = socket(AF_INET, SOCK_STREAM, 0);
+	ck_assert(fd >= 0);
+	host = host_create_from_string("127.0.0.1", 0);
+	ck_assert_msg(bind(fd, host->get_sockaddr(host),
+					   *host->get_sockaddr_len(host)) == 0, "%m");
+	host->destroy(host);
+	ck_assert(listen(fd, 5) == 0);
+
+	thread_cleanup_push(close_fd_ptr, &fd);
+
+	thread_cancelability(TRUE);
+	while (TRUE)
+	{
+		c = accept(fd, NULL, NULL);
+		ck_assert(c >= 0);
+		close(c);
+	}
+}
+
+static void cancellation_cond()
+{
+	mutex_t *mutex;
+	condvar_t *cond;
+
+	mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	cond = condvar_create(CONDVAR_TYPE_DEFAULT);
+	mutex->lock(mutex);
+
+	thread_cleanup_push((void*)mutex->destroy, mutex);
+	thread_cleanup_push((void*)cond->destroy, cond);
+
+	thread_cancelability(TRUE);
+	while (TRUE)
+	{
+		cond->wait(cond, mutex);
+	}
+}
+
+static void cancellation_rwcond()
+{
+	rwlock_t *lock;
+	rwlock_condvar_t *cond;
+
+	lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	cond = rwlock_condvar_create();
+	lock->write_lock(lock);
+
+	thread_cleanup_push((void*)lock->destroy, lock);
+	thread_cleanup_push((void*)cond->destroy, cond);
+
+	thread_cancelability(TRUE);
+	while (TRUE)
+	{
+		cond->wait(cond, lock);
+	}
+}
+
+static void (*cancellation_points[])() = {
+	cancellation_read,
+	cancellation_recv,
+	cancellation_select,
+	cancellation_poll,
+	cancellation_accept,
+	cancellation_cond,
+	cancellation_rwcond,
+};
+
+static void* run_cancellation_point(void (*fn)())
+{
+	fn();
+	return NULL;
+}
+
+static void* run_cancellation_point_pre(void (*fn)())
+{
+	usleep(5000);
+	fn();
+	return NULL;
+}
+
+START_TEST(test_cancellation_point)
+{
+	thread_t *thread;
+
+	thread = thread_create((void*)run_cancellation_point,
+						   cancellation_points[_i]);
+	usleep(5000);
+	thread->cancel(thread);
+	thread->join(thread);
+}
+END_TEST
+
+START_TEST(test_cancellation_point_pre)
+{
+	thread_t *thread;
+
+	thread = thread_create((void*)run_cancellation_point_pre,
+						   cancellation_points[_i]);
+	thread->cancel(thread);
+	thread->join(thread);
+}
+END_TEST
+
 static void cleanup1(void *data)
 {
 	uintptr_t *value = (uintptr_t*)data;
@@ -1423,6 +1651,7 @@ Suite *threading_suite_create()
 
 	tc = tcase_create("rwlock");
 	tcase_add_test(tc, test_rwlock);
+	tcase_add_test(tc, test_rwlock_try);
 	suite_add_tcase(s, tc);
 
 	tc = tcase_create("rwlock condvar");
@@ -1456,6 +1685,13 @@ Suite *threading_suite_create()
 	tcase_add_test(tc, test_cancel_point);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("thread cancellation point");
+	tcase_add_loop_test(tc, test_cancellation_point,
+						0, countof(cancellation_points));
+	tcase_add_loop_test(tc, test_cancellation_point_pre,
+						0, countof(cancellation_points));
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("thread cleanup");
 	tcase_add_test(tc, test_cleanup);
 	tcase_add_test(tc, test_cleanup_exit);
diff --git a/src/libstrongswan/tests/suites/test_traffic_selector.c b/src/libstrongswan/tests/suites/test_traffic_selector.c
new file mode 100644
index 000000000..4312c6ce1
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_traffic_selector.c
@@ -0,0 +1,284 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <selectors/traffic_selector.h>
+
+
+static void verify(const char *str, const char *alt, traffic_selector_t *ts)
+{
+	char buf[512];
+
+	ck_assert(ts != NULL);
+	snprintf(buf, sizeof(buf), "%R", ts);
+	ts->destroy(ts);
+	if (!streq(buf, str) && !streq(buf, alt))
+	{
+		fail("%s != %s or %s", buf, str, alt);
+	}
+}
+
+START_TEST(test_create_from_string)
+{
+	verify("10.1.0.0/16[tcp/http]", "10.1.0.0/16[6/80]",
+		traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV4_ADDR_RANGE,
+							"10.1.0.0", 80, "10.1.255.255", 80));
+	verify("10.1.0.1..10.1.0.99[udp/1234-1235]",
+		   "10.1.0.1..10.1.0.99[17/1234-1235]",
+		traffic_selector_create_from_string(IPPROTO_UDP, TS_IPV4_ADDR_RANGE,
+							"10.1.0.1", 1234, "10.1.0.99", 1235));
+	verify("fec1::/64", NULL,
+		traffic_selector_create_from_string(0, TS_IPV6_ADDR_RANGE,
+							"fec1::", 0, "fec1::ffff:ffff:ffff:ffff", 65535));
+}
+END_TEST
+
+START_TEST(test_create_from_cidr)
+{
+	verify("10.1.0.0/16", NULL,
+		traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535));
+	verify("10.1.0.1/32[udp/1234-1235]", "10.1.0.1/32[17/1234-1235]",
+		traffic_selector_create_from_cidr("10.1.0.1/32", IPPROTO_UDP,
+										  1234, 1235));
+}
+END_TEST
+
+START_TEST(test_create_from_bytes)
+{
+	verify("10.1.0.0/16", NULL,
+		traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE,
+			chunk_from_chars(0x0a,0x01,0x00,0x00), 0,
+			chunk_from_chars(0x0a,0x01,0xff,0xff), 65535));
+}
+END_TEST
+
+START_TEST(test_create_from_subnet)
+{
+	verify("10.1.0.0/16", NULL,
+		traffic_selector_create_from_subnet(
+					host_create_from_string("10.1.0.0", 0), 16, 0, 0, 65535));
+}
+END_TEST
+
+
+START_TEST(test_subset)
+{
+	traffic_selector_t *a, *b;
+
+	a = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535);
+	b = traffic_selector_create_from_cidr("10.1.5.0/24", 0, 0, 65535);
+	verify("10.1.5.0/24", NULL, a->get_subset(a, b));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_subset_port)
+{
+	traffic_selector_t *a, *b;
+
+	a = traffic_selector_create_from_cidr("10.0.0.0/8", IPPROTO_TCP, 55, 60);
+	b = traffic_selector_create_from_cidr("10.2.7.16/30", 0, 0, 65535);
+	verify("10.2.7.16/30[tcp/55-60]", "10.2.7.16/30[6/55-60]",
+		a->get_subset(a, b));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_subset_equal)
+{
+	traffic_selector_t *a, *b;
+
+	a = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_TCP, 80, 80);
+	b = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_TCP, 80, 80);
+	verify("10.1.0.0/16[tcp/http]", "10.1.0.0/16[6/80]", a->get_subset(a, b));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_subset_nonet)
+{
+	traffic_selector_t *a, *b;
+
+	a = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535);
+	b = traffic_selector_create_from_cidr("10.2.0.0/16", 0, 0, 65535);
+	ck_assert(a->get_subset(a, b) == NULL);
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_subset_noport)
+{
+	traffic_selector_t *a, *b;
+
+	a = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 9999);
+	b = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 10000, 65535);
+	ck_assert(a->get_subset(a, b) == NULL);
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_subset_noproto)
+{
+	traffic_selector_t *a, *b;
+
+	a = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_TCP, 0, 65535);
+	b = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_UDP, 0, 65535);
+	ck_assert(a->get_subset(a, b) == NULL);
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_subset_nofamily)
+{
+	traffic_selector_t *a, *b;
+
+	a = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
+	b = traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
+	ck_assert(a->get_subset(a, b) == NULL);
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+struct {
+	char *net;
+	char *host;
+	bool inc;
+} include_tests[] = {
+	{ "0.0.0.0/0",		"192.168.1.2",			TRUE },
+	{ "::/0",			"fec2::1",				TRUE },
+	{ "fec2::/64",		"fec2::afaf",			TRUE },
+	{ "10.1.0.0/16",	"10.1.0.1",				TRUE },
+	{ "10.5.6.7/32",	"10.5.6.7",				TRUE },
+	{ "0.0.0.0/0",		"fec2::1",				FALSE },
+	{ "::/0",			"1.2.3.4",				FALSE },
+	{ "10.0.0.0/16",	"10.1.0.0",				FALSE },
+	{ "fec2::/64",		"fec2:0:0:1::afaf",		FALSE },
+};
+
+START_TEST(test_includes)
+{
+	traffic_selector_t *ts;
+	host_t *h;
+
+	ts = traffic_selector_create_from_cidr(include_tests[_i].net, 0, 0, 65535);
+	h = host_create_from_string(include_tests[_i].host, 0);
+	ck_assert(ts->includes(ts, h) == include_tests[_i].inc);
+	ts->destroy(ts);
+	h->destroy(h);
+}
+END_TEST
+
+struct {
+	int res;
+	struct {
+		char *net;
+		u_int8_t proto;
+		u_int16_t from_port;
+		u_int16_t to_port;
+	} a, b;
+} cmp_tests[] = {
+	{  0, { "10.0.0.0/8", 0, 0, 65535 },	{ "10.0.0.0/8", 0, 0, 65535 },	},
+	{  0, { "10.0.0.0/8", 17, 123, 456 },	{ "10.0.0.0/8", 17, 123, 456 },	},
+	{  0, { "fec2::/64", 0, 0, 65535 },		{ "fec2::/64", 0, 0, 65535 },	},
+	{  0, { "fec2::/64", 4, 0, 65535 },		{ "fec2::/64", 4, 0, 65535 },	},
+
+	{ -1, { "1.0.0.0/8", 0, 0, 65535 },		{ "2.0.0.0/8", 0, 0, 65535 },	},
+	{  1, { "2.0.0.0/8", 0, 0, 65535 },		{ "1.0.0.0/8", 0, 0, 65535 },	},
+	{ -1, { "1.0.0.0/8", 0, 0, 65535 },		{ "1.0.0.0/16", 0, 0, 65535 },	},
+	{  1, { "1.0.0.0/16", 0, 0, 65535 },	{ "1.0.0.0/8", 0, 0, 65535 },	},
+
+	{ -1, { "10.0.0.0/8", 0, 0, 65535 },	{ "fec2::/64", 0, 0, 65535 },	},
+	{  1, { "fec2::/64", 0, 0, 65535 },		{ "10.0.0.0/8", 0, 0, 65535 },	},
+
+	{ -1, { "10.0.0.0/8", 16, 123, 456 },	{ "10.0.0.0/8", 17, 123, 456 },	},
+	{  1, { "fec2::/64", 5, 0, 65535 },		{ "fec2::/64", 4, 0, 65535 },	},
+
+	{ -1, { "10.0.0.0/8", 17, 111, 456 },	{ "10.0.0.0/8", 17, 222, 456 },	},
+	{  1, { "fec2::/64", 17, 555, 65535 },	{ "fec2::/64", 17, 444, 65535 },},
+
+	{ -1, { "10.0.0.0/8", 17, 55, 65535 },	{ "10.0.0.0/8", 17, 55, 666 },	},
+	{  1, { "fec2::/64", 17, 55, 111 },		{ "fec2::/64", 17, 55, 4567 },	},
+
+};
+
+START_TEST(test_cmp)
+{
+	traffic_selector_t *a, *b;
+
+	a = traffic_selector_create_from_cidr(
+						cmp_tests[_i].a.net, cmp_tests[_i].a.proto,
+						cmp_tests[_i].a.from_port, cmp_tests[_i].a.to_port);
+	b = traffic_selector_create_from_cidr(
+						cmp_tests[_i].b.net, cmp_tests[_i].b.proto,
+						cmp_tests[_i].b.from_port, cmp_tests[_i].b.to_port);
+	switch (cmp_tests[_i].res)
+	{
+		case 0:
+			ck_assert(traffic_selector_cmp(a, b, NULL) == 0);
+			break;
+		case 1:
+			ck_assert(traffic_selector_cmp(a, b, NULL) > 0);
+			break;
+		case -1:
+			ck_assert(traffic_selector_cmp(a, b, NULL) < 0);
+			break;
+	}
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+Suite *traffic_selector_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("traffic selector");
+
+	tc = tcase_create("create");
+	tcase_add_test(tc, test_create_from_string);
+	tcase_add_test(tc, test_create_from_cidr);
+	tcase_add_test(tc, test_create_from_bytes);
+	tcase_add_test(tc, test_create_from_subnet);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("subset");
+	tcase_add_test(tc, test_subset);
+	tcase_add_test(tc, test_subset_port);
+	tcase_add_test(tc, test_subset_equal);
+	tcase_add_test(tc, test_subset_nonet);
+	tcase_add_test(tc, test_subset_noport);
+	tcase_add_test(tc, test_subset_noproto);
+	tcase_add_test(tc, test_subset_nofamily);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("includes");
+	tcase_add_loop_test(tc, test_includes, 0, countof(include_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("cmp");
+	tcase_add_loop_test(tc, test_cmp, 0, countof(cmp_tests));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c
index abca4620e..85a854456 100644
--- a/src/libstrongswan/tests/suites/test_utils.c
+++ b/src/libstrongswan/tests/suites/test_utils.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2013-2015 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,6 +18,7 @@
 #include <library.h>
 #include <utils/utils.h>
 #include <ipsec/ipsec_types.h>
+#include <credentials/keys/public_key.h>
 
 #include <time.h>
 
@@ -695,6 +696,44 @@ START_TEST(test_mark_from_string)
 }
 END_TEST
 
+/*******************************************************************************
+ * signature_schemes_for_key
+ */
+
+static struct {
+	key_type_t type;
+	int size;
+	signature_scheme_t expected[4];
+} scheme_data[] = {
+	{KEY_RSA,   1024, { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA384, SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }},
+	{KEY_RSA,   2048, { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA384, SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }},
+	{KEY_RSA,   4096, { SIGN_RSA_EMSA_PKCS1_SHA384, SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }},
+	{KEY_RSA,   8192, { SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }},
+	{KEY_ECDSA,  256, { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
+	{KEY_ECDSA,  384, { SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
+	{KEY_ECDSA,  512, { SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
+	{KEY_BLISS,  128, { SIGN_BLISS_WITH_SHA256, SIGN_BLISS_WITH_SHA384, SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }},
+	{KEY_BLISS,  192, { SIGN_BLISS_WITH_SHA384, SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }},
+	{KEY_BLISS,  256, { SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }},
+};
+
+START_TEST(test_signature_schemes_for_key)
+{
+	enumerator_t  *enumerator;
+	signature_scheme_t scheme;
+	int i;
+
+	enumerator = signature_schemes_for_key(scheme_data[_i].type, scheme_data[_i].size);
+	for (i = 0; scheme_data[_i].expected[i] != SIGN_UNKNOWN; i++)
+	{
+		ck_assert(enumerator->enumerate(enumerator, &scheme));
+		ck_assert_int_eq(scheme_data[_i].expected[i], scheme);
+	}
+	ck_assert(!enumerator->enumerate(enumerator, &scheme));
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
 Suite *utils_suite_create()
 {
 	Suite *s;
@@ -777,5 +816,9 @@ Suite *utils_suite_create()
 	tcase_add_loop_test(tc, test_mark_from_string, 0, countof(mark_data));
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("signature_schemes_for_key");
+	tcase_add_loop_test(tc, test_signature_schemes_for_key, 0, countof(scheme_data));
+	suite_add_tcase(s, tc);
+
 	return s;
 }
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index 586227800..e1d8ca4ba 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -23,6 +23,7 @@ TEST_SUITE(linked_list_enumerator_suite_create)
 TEST_SUITE(hashtable_suite_create)
 TEST_SUITE(array_suite_create)
 TEST_SUITE(identification_suite_create)
+TEST_SUITE(traffic_selector_suite_create)
 TEST_SUITE(threading_suite_create)
 TEST_SUITE(process_suite_create)
 TEST_SUITE(watcher_suite_create)
@@ -32,6 +33,8 @@ TEST_SUITE(settings_suite_create)
 TEST_SUITE(vectors_suite_create)
 TEST_SUITE_DEPEND(ecdsa_suite_create, PRIVKEY_GEN, KEY_ECDSA)
 TEST_SUITE_DEPEND(rsa_suite_create, PRIVKEY_GEN, KEY_RSA)
+TEST_SUITE_DEPEND(certpolicy_suite_create, CERT_ENCODE, CERT_X509)
+TEST_SUITE_DEPEND(certnames_suite_create, CERT_ENCODE, CERT_X509)
 TEST_SUITE(host_suite_create)
 TEST_SUITE(printf_suite_create)
 TEST_SUITE(hasher_suite_create)
@@ -41,5 +44,7 @@ TEST_SUITE(pen_suite_create)
 TEST_SUITE(asn1_suite_create)
 TEST_SUITE(asn1_parser_suite_create)
 TEST_SUITE(test_rng_suite_create)
+TEST_SUITE_DEPEND(mgf1_sha1_suite_create, HASHER, HASH_SHA1)
+TEST_SUITE_DEPEND(mgf1_sha256_suite_create, HASHER, HASH_SHA256)
 TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)
 TEST_SUITE_DEPEND(fetch_http_suite_create, FETCHER, "http://")
diff --git a/src/libstrongswan/threading/semaphore.h b/src/libstrongswan/threading/semaphore.h
index 34d814971..d3ab0f3d9 100644
--- a/src/libstrongswan/threading/semaphore.h
+++ b/src/libstrongswan/threading/semaphore.h
@@ -21,10 +21,7 @@
 #ifndef THREADING_SEMAPHORE_H_
 #define THREADING_SEMAPHORE_H_
 
-#ifdef __APPLE__
-/* Mach uses a semaphore_create() call, use a different name for ours */
-#define semaphore_create(x) strongswan_semaphore_create(x)
-#endif /* __APPLE__ */
+#include <utils/utils.h>
 
 typedef struct semaphore_t semaphore_t;
 
@@ -87,4 +84,3 @@ struct semaphore_t {
 semaphore_t *semaphore_create(u_int value);
 
 #endif /** THREADING_SEMAPHORE_H_ @} */
-
diff --git a/src/libstrongswan/threading/thread.h b/src/libstrongswan/threading/thread.h
index 6abb83411..38275541e 100644
--- a/src/libstrongswan/threading/thread.h
+++ b/src/libstrongswan/threading/thread.h
@@ -21,40 +21,9 @@
 #ifndef THREADING_THREAD_H_
 #define THREADING_THREAD_H_
 
-typedef struct thread_t thread_t;
-
-#ifdef __APPLE__
-/* thread_create is a syscall used to create Mach kernel threads and although
- * there are no errors or warnings during compilation or linkage the dynamic
- * linker does not use our implementation, therefore we rename it here
- */
-#define thread_create(main, arg) strongswan_thread_create(main, arg)
+#include <utils/utils.h>
 
-/* on Mac OS X 10.5 several system calls we use are no cancellation points.
- * fortunately, select isn't one of them, so we wrap some of the others with
- * calls to select(2).
- */
-#include <sys/socket.h>
-#include <sys/select.h>
-
-#define WRAP_WITH_SELECT(func, socket, ...)\
-	fd_set rfds; FD_ZERO(&rfds); FD_SET(socket, &rfds);\
-	if (select(socket + 1, &rfds, NULL, NULL, NULL) <= 0) { return -1; }\
-	return func(socket, __VA_ARGS__)
-
-static inline int cancellable_accept(int socket, struct sockaddr *address,
-									 socklen_t *address_len)
-{
-	WRAP_WITH_SELECT(accept, socket, address, address_len);
-}
-#define accept cancellable_accept
-static inline int cancellable_recvfrom(int socket, void *buffer, size_t length,
-				int flags, struct sockaddr *address, socklen_t *address_len)
-{
-	WRAP_WITH_SELECT(recvfrom, socket, buffer, length, flags, address, address_len);
-}
-#define recvfrom cancellable_recvfrom
-#endif /* __APPLE__ */
+typedef struct thread_t thread_t;
 
 /**
  * Main function of a thread.
@@ -189,32 +158,4 @@ void threads_init();
  */
 void threads_deinit();
 
-
-#ifdef __APPLE__
-
-/*
- * While select() is a cancellation point, it seems that OS X does not honor
- * pending cancellation points when entering the function. We manually test for
- * and honor pending cancellation requests, but this obviously can't prevent
- * some race conditions where the the cancellation happens after the check,
- * but before the select.
- */
-static inline int precancellable_select(int nfds, fd_set *restrict readfds,
-						fd_set *restrict writefds, fd_set *restrict errorfds,
-						struct timeval *restrict timeout)
-{
-	if (thread_cancelability(TRUE))
-	{
-		thread_cancellation_point();
-	}
-	else
-	{
-		thread_cancelability(FALSE);
-	}
-	return select(nfds, readfds, writefds, errorfds, timeout);
-}
-#define select precancellable_select
-
-#endif /* __APPLE__ */
-
 #endif /** THREADING_THREAD_H_ @} */
diff --git a/src/libstrongswan/threading/windows/rwlock.c b/src/libstrongswan/threading/windows/rwlock.c
index 0de57f713..fc0d6d864 100644
--- a/src/libstrongswan/threading/windows/rwlock.c
+++ b/src/libstrongswan/threading/windows/rwlock.c
@@ -85,8 +85,6 @@ METHOD(rwlock_t, write_lock, void,
 METHOD(rwlock_t, try_write_lock, bool,
 	private_rwlock_t *this)
 {
-	/* TODO: causes random failures and segfaults. Bug? */
-	return FALSE;
 	return TryAcquireSRWLockExclusive(&this->srw);
 }
 
diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c
index 4b24b37c2..c4471be70 100644
--- a/src/libstrongswan/utils/chunk.c
+++ b/src/libstrongswan/utils/chunk.c
@@ -992,7 +992,7 @@ u_int32_t chunk_hash_static(chunk_t chunk)
  */
 u_int16_t chunk_internet_checksum_inc(chunk_t data, u_int16_t checksum)
 {
-	u_int32_t sum = ntohs(~checksum);
+	u_int32_t sum = ntohs((u_int16_t)~checksum);
 
 	while (data.len > 1)
 	{
diff --git a/src/libstrongswan/utils/compat/apple.h b/src/libstrongswan/utils/compat/apple.h
new file mode 100644
index 000000000..61afb9d9e
--- /dev/null
+++ b/src/libstrongswan/utils/compat/apple.h
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup apple apple
+ * @{ @ingroup compat
+ */
+
+#ifndef APPLE_H_
+#define APPLE_H_
+
+#include <poll.h>
+#include <sys/socket.h>
+#include <sys/select.h>
+
+/* thread_create is a syscall used to create Mach kernel threads and although
+ * there are no errors or warnings during compilation or linkage the dynamic
+ * linker does not use our implementation, therefore we rename it here
+ */
+#define thread_create(main, arg) strongswan_thread_create(main, arg)
+
+/* Mach uses a semaphore_create() call, use a different name for ours */
+#define semaphore_create(x) strongswan_semaphore_create(x)
+
+/* Since OS X 10.10 XPC includes some additional conflicting Mach types */
+#define host_t strongswan_host_t
+#define processor_t strongswan_processor_t
+#define task_t strongswan_task_t
+#define thread_t strongswan_thread_t
+
+/* forward declaration, see below */
+static inline int precancellable_poll(struct pollfd fds[], nfds_t nfds,
+									  int timeout);
+
+/* on Mac OS X 10.5 several system calls we use are no cancellation points.
+ * fortunately, select isn't one of them, so we wrap some of the others with
+ * calls to select(2).
+ */
+
+#define WRAP_WITH_POLL(func, socket, ...) \
+	struct pollfd pfd = { \
+		.fd = socket, \
+		.events = POLLIN, \
+	}; \
+	if (precancellable_poll(&pfd, 1, -1) <= 0) \
+	{\
+		return -1; \
+	}\
+	return func(socket, __VA_ARGS__)
+
+static inline int cancellable_accept(int socket, struct sockaddr *address,
+									 socklen_t *address_len)
+{
+	WRAP_WITH_POLL(accept, socket, address, address_len);
+}
+#define accept cancellable_accept
+static inline int cancellable_recvfrom(int socket, void *buffer, size_t length,
+				int flags, struct sockaddr *address, socklen_t *address_len)
+{
+	WRAP_WITH_POLL(recvfrom, socket, buffer, length, flags, address, address_len);
+}
+#define recvfrom cancellable_recvfrom
+
+#include <threading/thread.h>
+
+/*
+ * While select() is a cancellation point, it seems that OS X does not honor
+ * pending cancellation points when entering the function. We manually test for
+ * and honor pending cancellation requests, but this obviously can't prevent
+ * some race conditions where the the cancellation happens after the check,
+ * but before the select.
+ */
+static inline int precancellable_select(int nfds, fd_set *restrict readfds,
+						fd_set *restrict writefds, fd_set *restrict errorfds,
+						struct timeval *restrict timeout)
+{
+	if (thread_cancelability(TRUE))
+	{
+		thread_cancellation_point();
+	}
+	else
+	{
+		thread_cancelability(FALSE);
+	}
+	return select(nfds, readfds, writefds, errorfds, timeout);
+}
+#define select precancellable_select
+
+/*
+ * The same as to select(2) applies to poll(2)
+ */
+static inline int precancellable_poll(struct pollfd fds[], nfds_t nfds,
+									  int timeout)
+{
+	if (thread_cancelability(TRUE))
+	{
+		thread_cancellation_point();
+	}
+	else
+	{
+		thread_cancelability(FALSE);
+	}
+	return poll(fds, nfds, timeout);
+}
+#define poll precancellable_poll
+
+#endif /** APPLE_H_ @}*/
diff --git a/src/libstrongswan/utils/windows.c b/src/libstrongswan/utils/compat/windows.c
index 8820287b1..1f22ffa02 100644
--- a/src/libstrongswan/utils/windows.c
+++ b/src/libstrongswan/utils/compat/windows.c
@@ -13,7 +13,10 @@
  * for more details.
  */
 
-#include "utils.h"
+/* WSAPoll() */
+#define _WIN32_WINNT 0x0600
+
+#include <utils/utils.h>
 
 #include <errno.h>
 
@@ -639,3 +642,43 @@ ssize_t windows_sendto(int sockfd, const void *buf, size_t len, int flags,
 	}
 	return outlen;
 }
+
+/**
+ * See header
+ */
+#undef read
+ssize_t windows_read(int fd, void *buf, size_t count)
+{
+	ssize_t ret;
+
+	ret = wserr(recv(fd, buf, count, 0));
+	if (ret == -1 && errno == ENOTSOCK)
+	{
+		ret = read(fd, buf, count);
+	}
+	return ret;
+}
+
+/**
+ * See header
+ */
+#undef write
+ssize_t windows_write(int fd, void *buf, size_t count)
+{
+	ssize_t ret;
+
+	ret = wserr(send(fd, buf, count, 0));
+	if (ret == -1 && errno == ENOTSOCK)
+	{
+		ret = write(fd, buf, count);
+	}
+	return ret;
+}
+
+/**
+ * See header
+ */
+int poll(struct pollfd *fds, int nfds, int timeout)
+{
+	return wserr(WSAPoll(fds, nfds, timeout));
+}
diff --git a/src/libstrongswan/utils/windows.h b/src/libstrongswan/utils/compat/windows.h
index 3761e10ab..fd4f1f196 100644
--- a/src/libstrongswan/utils/windows.h
+++ b/src/libstrongswan/utils/compat/windows.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup windows windows
- * @{ @ingroup utils
+ * @{ @ingroup compat
  */
 
 #ifndef WINDOWS_H_
@@ -363,6 +363,49 @@ ssize_t windows_sendto(int sockfd, const void *buf, size_t len, int flags,
 					   const struct sockaddr *dest_addr, socklen_t addrlen);
 
 /**
+ * read(2) working on files and sockets, cancellable on sockets only
+ *
+ * On Windows, there does not seem to be a way how a cancellable read can
+ * be implemented on Low level I/O functions for files, _pipe()s or stdio.
+ */
+#define read windows_read
+ssize_t windows_read(int fd, void *buf, size_t count);
+
+/**
+ * write(2) working on files and sockets
+ */
+#define write windows_write
+ssize_t windows_write(int fd, void *buf, size_t count);
+
+#if _WIN32_WINNT < 0x0600
+/**
+ * Define pollfd and flags on our own if not specified
+ */
+struct pollfd {
+	SOCKET fd;
+	short events;
+	short revents;
+};
+enum {
+	POLLERR =		0x0001,
+	POLLHUP =		0x0002,
+	POLLNVAL =		0x0004,
+	POLLWRNORM =	0x0010,
+	POLLWRBAND =	0x0020,
+	POLLPRI =		0x0400,
+	POLLRDNORM =	0x0100,
+	POLLRDBAND =	0x0200,
+	POLLIN =		POLLRDNORM | POLLRDBAND,
+	POLLOUT =		POLLWRNORM,
+};
+#endif /* _WIN32_WINNT < 0x0600 */
+
+/**
+ * poll(2), implemented using Winsock2 WSAPoll()
+ */
+int poll(struct pollfd *fds, int nfds, int timeout);
+
+/**
  * Declaration missing on older WinGW
  */
 _CRTIMP errno_t strerror_s(char *buf, size_t size, int errnum);
diff --git a/src/libstrongswan/utils/enum.c b/src/libstrongswan/utils/enum.c
index f96fe2989..089bebb79 100644
--- a/src/libstrongswan/utils/enum.c
+++ b/src/libstrongswan/utils/enum.c
@@ -60,20 +60,103 @@ bool enum_from_name_as_int(enum_name_t *e, const char *name, int *val)
 }
 
 /**
+ * Get the position of a flag name using offset calculation
+ */
+static int find_flag_pos(u_int val, u_int first)
+{
+	int offset = 0;
+
+	while (val != 0x01)
+	{
+		val = val >> 1;
+		offset++;
+	}
+	return first - offset;
+}
+
+/**
  * Described in header.
  */
+char *enum_flags_to_string(enum_name_t *e, u_int val, char *buf, size_t len)
+{
+	char *pos = buf, *delim = "";
+	int i, wr;
+
+	if (e->next != ENUM_FLAG_MAGIC)
+	{
+		if (snprintf(buf, len, "(%d)", (int)val) >= len)
+		{
+			return NULL;
+		}
+		return buf;
+	}
+
+	if (snprintf(buf, len, "(unset)") >= len)
+	{
+		return NULL;
+	}
+
+	for (i = 0; val; i++)
+	{
+		u_int flag = 1 << i;
+
+		if (val & flag)
+		{
+			char *name = NULL, hex[32];
+
+			if (flag >= (u_int)e->first && flag <= (u_int)e->last)
+			{
+				name = e->names[find_flag_pos(e->first, i)];
+			}
+			else
+			{
+				snprintf(hex, sizeof(hex), "(0x%X)", flag);
+				name = hex;
+			}
+			if (name)
+			{
+				wr = snprintf(pos, len, "%s%s", delim, name);
+				if (wr >= len)
+				{
+					return NULL;
+				}
+				len -= wr;
+				pos += wr;
+				delim = " | ";
+			}
+			val &= ~flag;
+		}
+	}
+	return buf;
+}
+
+/**
+ * See header.
+ */
 int enum_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 					 const void *const *args)
 {
 	enum_name_t *ed = *((enum_name_t**)(args[0]));
 	int val = *((int*)(args[1]));
-	char *name, buf[32];
+	char *name, buf[512];
 
-	name = enum_to_name(ed, val);
-	if (name == NULL)
+	if (ed->next == ENUM_FLAG_MAGIC)
+	{
+		name = enum_flags_to_string(ed, val, buf, sizeof(buf));
+		if (name == NULL)
+		{
+			snprintf(buf, sizeof(buf), "(0x%X)", val);
+			name = buf;
+		}
+	}
+	else
 	{
-		snprintf(buf, sizeof(buf), "(%d)", val);
-		name = buf;
+		name = enum_to_name(ed, val);
+		if (name == NULL)
+		{
+			snprintf(buf, sizeof(buf), "(%d)", val);
+			name = buf;
+		}
 	}
 	if (spec->minus)
 	{
diff --git a/src/libstrongswan/utils/enum.h b/src/libstrongswan/utils/enum.h
index 3c03c2a7b..928f4079a 100644
--- a/src/libstrongswan/utils/enum.h
+++ b/src/libstrongswan/utils/enum.h
@@ -27,6 +27,11 @@
 typedef struct enum_name_t enum_name_t;
 
 /**
+ * Magic enum_name_t pointer indicating this is an enum name for flags
+ */
+#define ENUM_FLAG_MAGIC ((enum_name_t*)~(uintptr_t)0)
+
+/**
  * Struct to store names for enums.
  *
  * To print the string representation of enumeration values, the strings
@@ -58,7 +63,7 @@ struct enum_name_t {
 	int first;
 	/** value of the last enum string */
 	int last;
-	/** next enum_name_t in list */
+	/** next enum_name_t in list, or ENUM_FLAG_MAGIC */
 	enum_name_t *next;
 	/** array of strings containing names from first to last */
 	char *names[];
@@ -107,6 +112,23 @@ struct enum_name_t {
 #define ENUM(name, first, last, ...) ENUM_BEGIN(name, first, last, __VA_ARGS__); ENUM_END(name, last)
 
 /**
+ * Define a enum name with only one range for flags.
+ *
+ * Using an enum list for flags would be overkill. Hence we use a single
+ * range with all values in range. The next pointer is abused to mark
+ * that the enum name is for flags only. Use NULL if a particular flag
+ * is not meant to be printed.
+ *
+ * @param name	name of the enum_name list
+ * @param first	enum value of the first enum string
+ * @param last	enum value of the last enum string
+ * @param ...	a list of strings
+ */
+#define ENUM_FLAGS(name, first, last, ...) \
+	static enum_name_t name##last = {first, last, ENUM_FLAG_MAGIC, { __VA_ARGS__ }}; \
+	ENUM_END(name, last)
+
+/**
  * Convert a enum value to its string representation.
  *
  * @param e		enum names for this enum value
@@ -146,6 +168,17 @@ char *enum_to_name(enum_name_t *e, int val);
 bool enum_from_name_as_int(enum_name_t *e, const char *name, int *val);
 
 /**
+ * Convert a enum value containing flags to its string representation.
+ *
+ * @param e		enum names for this enum value suitable for flags
+ * @param val	enum value to get string for
+ * @param buf	buffer to write flag string to
+ * @param len	buffer size
+ * @return		buf, NULL if buffer too small
+ */
+char *enum_flags_to_string(enum_name_t *e, u_int val, char *buf, size_t len);
+
+/**
  * printf hook function for enum_names_t.
  *
  * Arguments are:
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 46ac7e890..b69adf399 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -17,6 +17,7 @@
 
 #include <string.h>
 #include <stdio.h>
+#include <errno.h>
 
 #include "identification.h"
 
@@ -927,6 +928,82 @@ static private_identification_t *identification_create(id_type_t type)
 	return this;
 }
 
+/**
+ * Create an identity for a specific type, determined by prefix
+ */
+static private_identification_t* create_from_string_with_prefix_type(char *str)
+{
+	struct {
+		const char *str;
+		id_type_t type;
+	} prefixes[] = {
+		{ "ipv4:",			ID_IPV4_ADDR			},
+		{ "ipv6:",			ID_IPV6_ADDR			},
+		{ "rfc822:",		ID_RFC822_ADDR			},
+		{ "email:",			ID_RFC822_ADDR			},
+		{ "userfqdn:",		ID_USER_FQDN			},
+		{ "fqdn:",			ID_FQDN					},
+		{ "dns:",			ID_FQDN					},
+		{ "asn1dn:",		ID_DER_ASN1_DN			},
+		{ "asn1gn:",		ID_DER_ASN1_GN			},
+		{ "keyid:",			ID_KEY_ID				},
+	};
+	private_identification_t *this;
+	int i;
+
+	for (i = 0; i < countof(prefixes); i++)
+	{
+		if (strcasepfx(str, prefixes[i].str))
+		{
+			this = identification_create(prefixes[i].type);
+			str += strlen(prefixes[i].str);
+			if (*str == '#')
+			{
+				this->encoded = chunk_from_hex(chunk_from_str(str + 1), NULL);
+			}
+			else
+			{
+				this->encoded = chunk_clone(chunk_from_str(str));
+			}
+			return this;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Create an identity for a specific type, determined by a numerical prefix
+ *
+ * The prefix is of the form "{x}:", where x denotes the numerical identity
+ * type.
+ */
+static private_identification_t* create_from_string_with_num_type(char *str)
+{
+	private_identification_t *this;
+	u_long type;
+
+	if (*str++ != '{')
+	{
+		return NULL;
+	}
+	errno = 0;
+	type = strtoul(str, &str, 0);
+	if (errno || *str++ != '}' || *str++ != ':')
+	{
+		return NULL;
+	}
+	this = identification_create(type);
+	if (*str == '#')
+	{
+		this->encoded = chunk_from_hex(chunk_from_str(str + 1), NULL);
+	}
+	else
+	{
+		this->encoded = chunk_clone(chunk_from_str(str));
+	}
+	return this;
+}
+
 /*
  * Described in header.
  */
@@ -939,6 +1016,16 @@ identification_t *identification_create_from_string(char *string)
 	{
 		string = "%any";
 	}
+	this = create_from_string_with_prefix_type(string);
+	if (this)
+	{
+		return &this->public;
+	}
+	this = create_from_string_with_num_type(string);
+	if (this)
+	{
+		return &this->public;
+	}
 	if (strchr(string, '=') != NULL)
 	{
 		/* we interpret this as an ASCII X.501 ID_DER_ASN1_DN.
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index e62446879..e6a9fe1c6 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -302,6 +302,15 @@ struct identification_t {
  * N, G, I, dnQualifier, ID, EN, EmployeeNumber, E, Email, emailAddress, UN,
  * unstructuredName, TCGID.
  *
+ * To skip automatic type detection the following prefixes may be used to
+ * enforce a specific type: ipv4:, ipv6:, rfc822:, email:, userfqdn:, fqdn:,
+ * dns:, asn1dn:, asn1gn: and keyid:. If a # follows the :, the remaining data
+ * is interpreted as hex encoded binary data for that ID, otherwise the raw
+ * string following the prefix is used as identity data, without conversion.
+ * To specify a non-standard ID type, the numerical type may be prefixed
+ * between curly backets, building a prefix. For instance the "{1}:" prefix
+ * defines an ID_IPV4_ADDR type.
+ *
  * This constructor never returns NULL. If it does not find a suitable
  * conversion function, it will copy the string to an ID_KEY_ID.
  *
diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h
index da253cc35..7c48d949f 100644
--- a/src/libstrongswan/utils/utils.h
+++ b/src/libstrongswan/utils/utils.h
@@ -29,7 +29,7 @@
 #include <string.h>
 
 #ifdef WIN32
-# include "windows.h"
+# include "compat/windows.h"
 #else
 # define _GNU_SOURCE
 # include <arpa/inet.h>
@@ -37,6 +37,7 @@
 # include <netdb.h>
 # include <netinet/in.h>
 # include <sched.h>
+# include <poll.h>
 #endif
 
 /**
@@ -96,6 +97,9 @@
 
 #include "enum.h"
 #include "utils/strerror.h"
+#ifdef __APPLE__
+# include "compat/apple.h"
+#endif
 
 /**
  * Directory separator character in paths on this platform
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index 426d8bcb3..e6c23d970 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -278,6 +278,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -338,10 +339,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -415,6 +418,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libtls/tests/Makefile.in b/src/libtls/tests/Makefile.in
index 2e44fb4a5..7d5b3771c 100644
--- a/src/libtls/tests/Makefile.in
+++ b/src/libtls/tests/Makefile.in
@@ -223,6 +223,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -283,10 +284,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -360,6 +363,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 6a8d5030c..08a06f5ef 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -415,6 +415,12 @@ METHOD(tls_t, get_eap_msk, chunk_t,
 	return this->crypto->get_eap_msk(this->crypto);
 }
 
+METHOD(tls_t, get_auth, auth_cfg_t*,
+	private_tls_t *this)
+{
+	return this->handshake->get_auth(this->handshake);
+}
+
 METHOD(tls_t, destroy, void,
 	private_tls_t *this)
 {
@@ -465,6 +471,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
 			.get_purpose = _get_purpose,
 			.is_complete = _is_complete,
 			.get_eap_msk = _get_eap_msk,
+			.get_auth = _get_auth,
 			.destroy = _destroy,
 		},
 		.is_server = is_server,
@@ -487,7 +494,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
 										this->alert, peer, server)->handshake;
 	}
 	this->fragmentation = tls_fragmentation_create(this->handshake, this->alert,
-												   this->application);
+												   this->application, purpose);
 	this->compression = tls_compression_create(this->fragmentation, this->alert);
 	this->protection = tls_protection_create(this->compression, this->alert);
 	this->crypto->set_protection(this->crypto, this->protection);
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index fc1d9b9fd..f3dc198cf 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -252,6 +252,13 @@ struct tls_t {
 	chunk_t (*get_eap_msk)(tls_t *this);
 
 	/**
+	 * Get the authentication details after completing the handshake.
+	 *
+	 * @return			authentication details, internal data
+	 */
+	auth_cfg_t* (*get_auth)(tls_t *this);
+
+	/**
 	 * Destroy a tls_t.
 	 */
 	void (*destroy)(tls_t *this);
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
index ebe5bc3a8..12d5aed53 100644
--- a/src/libtls/tls_eap.c
+++ b/src/libtls/tls_eap.c
@@ -426,6 +426,12 @@ METHOD(tls_eap_t, set_identifier, void,
 	this->identifier = identifier;
 }
 
+METHOD(tls_eap_t, get_auth, auth_cfg_t*,
+	private_tls_eap_t *this)
+{
+	return this->tls->get_auth(this->tls);
+}
+
 METHOD(tls_eap_t, destroy, void,
 	private_tls_eap_t *this)
 {
@@ -453,6 +459,7 @@ tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
 			.get_msk = _get_msk,
 			.get_identifier = _get_identifier,
 			.set_identifier = _set_identifier,
+			.get_auth = _get_auth,
 			.destroy = _destroy,
 		},
 		.type = type,
diff --git a/src/libtls/tls_eap.h b/src/libtls/tls_eap.h
index f3fbba078..df41fc4d7 100644
--- a/src/libtls/tls_eap.h
+++ b/src/libtls/tls_eap.h
@@ -77,6 +77,13 @@ struct tls_eap_t {
 	void (*set_identifier) (tls_eap_t *this, uint8_t identifier);
 
 	/**
+	 * Get the authentication details after completing the handshake.
+	 *
+	 * @return				authentication details, internal data
+	 */
+	auth_cfg_t* (*get_auth)(tls_eap_t *this);
+
+	/**
 	 * Destroy a tls_eap_t.
 	 */
 	void (*destroy)(tls_eap_t *this);
diff --git a/src/libtls/tls_fragmentation.c b/src/libtls/tls_fragmentation.c
index 6e4347e3c..a97ca1eaa 100644
--- a/src/libtls/tls_fragmentation.c
+++ b/src/libtls/tls_fragmentation.c
@@ -96,9 +96,32 @@ struct private_tls_fragmentation_t {
 	 * Upper layer application data protocol
 	 */
 	tls_application_t *application;
+
+	/**
+	 * Type of context this TLS instance runs in
+	 */
+	tls_purpose_t purpose;
 };
 
 /**
+ * Check if we should send a close notify once the application finishes
+ */
+static bool send_close_notify(private_tls_fragmentation_t *this)
+{
+	switch (this->purpose)
+	{
+		case TLS_PURPOSE_EAP_TLS:
+		case TLS_PURPOSE_EAP_TTLS:
+		case TLS_PURPOSE_EAP_PEAP:
+			/* not for TLS-in-EAP, as we indicate completion with EAP-SUCCCESS.
+			 * Windows does not like close notifies, and hangs/disconnects. */
+			return FALSE;
+		default:
+			return TRUE;
+	}
+}
+
+/**
  * Process a TLS alert
  */
 static status_t process_alert(private_tls_fragmentation_t *this,
@@ -223,6 +246,10 @@ static status_t process_application(private_tls_fragmentation_t *this,
 				continue;
 			case SUCCESS:
 				this->application_finished = TRUE;
+				if (!send_close_notify(this))
+				{
+					return SUCCESS;
+				}
 				/* FALL */
 			case FAILED:
 			default:
@@ -368,6 +395,10 @@ static status_t build_application(private_tls_fragmentation_t *this)
 				break;
 			case SUCCESS:
 				this->application_finished = TRUE;
+				if (!send_close_notify(this))
+				{
+					break;
+				}
 				/* FALL */
 			case FAILED:
 			default:
@@ -463,7 +494,8 @@ METHOD(tls_fragmentation_t, destroy, void,
  * See header
  */
 tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake,
-							tls_alert_t *alert, tls_application_t *application)
+							tls_alert_t *alert, tls_application_t *application,
+							tls_purpose_t purpose)
 {
 	private_tls_fragmentation_t *this;
 
@@ -478,6 +510,7 @@ tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake,
 		.alert = alert,
 		.state = ALERT_NONE,
 		.application = application,
+		.purpose = purpose,
 	);
 
 	return &this->public;
diff --git a/src/libtls/tls_fragmentation.h b/src/libtls/tls_fragmentation.h
index f650e7be8..a49f27b20 100644
--- a/src/libtls/tls_fragmentation.h
+++ b/src/libtls/tls_fragmentation.h
@@ -80,9 +80,11 @@ struct tls_fragmentation_t {
  * @param handshake			upper layer handshake protocol
  * @param alert				TLS alert handler
  * @param application		upper layer application data or NULL
+ * @param purpose			type of context this TLS stack is running in
  * @return					TLS fragmentation layer
  */
 tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake,
-							tls_alert_t *alert, tls_application_t *application);
+							tls_alert_t *alert, tls_application_t *application,
+							tls_purpose_t purpose);
 
 #endif /** TLS_FRAGMENTATION_H_ @}*/
diff --git a/src/libtls/tls_handshake.h b/src/libtls/tls_handshake.h
index 7fa660c58..7edb49ba0 100644
--- a/src/libtls/tls_handshake.h
+++ b/src/libtls/tls_handshake.h
@@ -98,6 +98,13 @@ struct tls_handshake_t {
 	identification_t* (*get_server_id)(tls_handshake_t *this);
 
 	/**
+	 * Get the peers authentication information after completing the handshake.
+	 *
+	 * @return			authentication data, internal data
+	 */
+	auth_cfg_t* (*get_auth)(tls_handshake_t *this);
+
+	/**
 	 * Destroy a tls_handshake_t.
 	 */
 	void (*destroy)(tls_handshake_t *this);
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index a95b40f55..e6be36b7b 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -312,7 +312,7 @@ static status_t process_certificate(private_tls_peer_t *this,
 static public_key_t *find_public_key(private_tls_peer_t *this)
 {
 	public_key_t *public = NULL, *current;
-	certificate_t *cert;
+	certificate_t *cert, *found;
 	enumerator_t *enumerator;
 	auth_cfg_t *auth;
 
@@ -323,8 +323,13 @@ static public_key_t *find_public_key(private_tls_peer_t *this)
 						KEY_ANY, cert->get_subject(cert), this->server_auth);
 		while (enumerator->enumerate(enumerator, &current, &auth))
 		{
-			public = current->get_ref(current);
-			break;
+			found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+			if (found && cert->equals(cert, found))
+			{
+				public = current->get_ref(current);
+				this->server_auth->merge(this->server_auth, auth, FALSE);
+				break;
+			}
 		}
 		enumerator->destroy(enumerator);
 	}
@@ -379,7 +384,12 @@ static status_t process_modp_key_exchange(private_tls_peer_t *this,
 		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
 		return NEED_MORE;
 	}
-	this->dh->set_other_public_value(this->dh, pub);
+	if (!this->dh->set_other_public_value(this->dh, pub))
+	{
+		DBG1(DBG_TLS, "applying DH public value failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
 
 	this->state = STATE_KEY_EXCHANGE_RECEIVED;
 	return NEED_MORE;
@@ -489,7 +499,12 @@ static status_t process_ec_key_exchange(private_tls_peer_t *this,
 		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
 		return NEED_MORE;
 	}
-	this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1));
+	if (!this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1)))
+	{
+		DBG1(DBG_TLS, "applying DH public value failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
 
 	this->state = STATE_KEY_EXCHANGE_RECEIVED;
 	return NEED_MORE;
@@ -968,7 +983,7 @@ static status_t send_key_exchange_dhe(private_tls_peer_t *this,
 {
 	chunk_t premaster, pub;
 
-	if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
+	if (!this->dh->get_shared_secret(this->dh, &premaster))
 	{
 		DBG1(DBG_TLS, "calculating premaster from DH failed");
 		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
@@ -985,7 +1000,11 @@ static status_t send_key_exchange_dhe(private_tls_peer_t *this,
 	}
 	chunk_clear(&premaster);
 
-	this->dh->get_my_public_value(this->dh, &pub);
+	if (!this->dh->get_my_public_value(this->dh, &pub))
+	{
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
 	if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
 	{
 		writer->write_data16(writer, pub);
@@ -1153,6 +1172,12 @@ METHOD(tls_handshake_t, get_server_id, identification_t*,
 	return this->server;
 }
 
+METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
+	private_tls_peer_t *this)
+{
+	return this->server_auth;
+}
+
 METHOD(tls_handshake_t, destroy, void,
 	private_tls_peer_t *this)
 {
@@ -1186,6 +1211,7 @@ tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert
 				.finished = _finished,
 				.get_peer_id = _get_peer_id,
 				.get_server_id = _get_server_id,
+				.get_auth = _get_auth,
 				.destroy = _destroy,
 			},
 		},
diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index b016db21f..e73fedc5d 100644
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -101,14 +101,13 @@ METHOD(tls_protection_t, build, status_t,
 	status_t status;
 
 	status = this->compression->build(this->compression, type, data);
-	if (*type == TLS_CHANGE_CIPHER_SPEC)
-	{
-		this->seq_out = 0;
-		return status;
-	}
-
 	if (status == NEED_MORE)
 	{
+		if (*type == TLS_CHANGE_CIPHER_SPEC)
+		{
+			this->seq_out = 0;
+			return status;
+		}
 		if (this->aead_out)
 		{
 			if (!this->aead_out->encrypt(this->aead_out, this->version,
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index aeb5a714f..b1a214f7f 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -494,8 +494,13 @@ static status_t process_key_exchange_dhe(private_tls_server_t *this,
 		}
 		pub = chunk_skip(pub, 1);
 	}
-	this->dh->set_other_public_value(this->dh, pub);
-	if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
+	if (!this->dh->set_other_public_value(this->dh, pub))
+	{
+		DBG1(DBG_TLS, "applying DH public value failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	if (!this->dh->get_shared_secret(this->dh, &premaster))
 	{
 		DBG1(DBG_TLS, "calculating premaster from DH failed");
 		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
@@ -551,6 +556,7 @@ static status_t process_cert_verify(private_tls_server_t *this,
 		sig->destroy(sig);
 		if (verified)
 		{
+			this->peer_auth->merge(this->peer_auth, auth, FALSE);
 			break;
 		}
 		DBG1(DBG_TLS, "signature verification failed, trying another key");
@@ -914,7 +920,11 @@ static status_t send_server_key_exchange(private_tls_server_t *this,
 		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
 		return NEED_MORE;
 	}
-	this->dh->get_my_public_value(this->dh, &chunk);
+	if (!this->dh->get_my_public_value(this->dh, &chunk))
+	{
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
 	if (params)
 	{
 		writer->write_data16(writer, chunk);
@@ -1073,6 +1083,12 @@ METHOD(tls_handshake_t, get_server_id, identification_t*,
 	return this->server;
 }
 
+METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
+	private_tls_server_t *this)
+{
+	return this->peer_auth;
+}
+
 METHOD(tls_handshake_t, destroy, void,
 	private_tls_server_t *this)
 {
@@ -1107,6 +1123,7 @@ tls_server_t *tls_server_create(tls_t *tls,
 				.finished = _finished,
 				.get_peer_id = _get_peer_id,
 				.get_server_id = _get_server_id,
+				.get_auth = _get_auth,
 				.destroy = _destroy,
 			},
 		},
diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c
index 648771e75..2ccd97571 100644
--- a/src/libtls/tls_socket.c
+++ b/src/libtls/tls_socket.c
@@ -291,25 +291,24 @@ METHOD(tls_socket_t, splice, bool,
 	private_tls_socket_t *this, int rfd, int wfd)
 {
 	char buf[PLAIN_BUF_SIZE], *pos;
-	fd_set set;
 	ssize_t in, out;
 	bool old, plain_eof = FALSE, crypto_eof = FALSE;
+	struct pollfd pfd[] = {
+		{ .fd = this->fd,	.events = POLLIN, },
+		{ .fd = rfd,		.events = POLLIN, },
+	};
 
 	while (!plain_eof && !crypto_eof)
 	{
-		FD_ZERO(&set);
-		FD_SET(rfd, &set);
-		FD_SET(this->fd, &set);
-
 		old = thread_cancelability(TRUE);
-		in = select(max(rfd, this->fd) + 1, &set, NULL, NULL, NULL);
+		in = poll(pfd, countof(pfd), -1);
 		thread_cancelability(old);
 		if (in == -1)
 		{
 			DBG1(DBG_TLS, "TLS select error: %s", strerror(errno));
 			return FALSE;
 		}
-		while (!plain_eof && FD_ISSET(this->fd, &set))
+		while (!plain_eof && pfd[0].revents & (POLLIN | POLLHUP | POLLNVAL))
 		{
 			in = read_(this, buf, sizeof(buf), FALSE);
 			switch (in)
@@ -342,7 +341,7 @@ METHOD(tls_socket_t, splice, bool,
 			}
 			break;
 		}
-		if (!crypto_eof && FD_ISSET(rfd, &set))
+		if (!crypto_eof && pfd[1].revents & (POLLIN | POLLHUP | POLLNVAL))
 		{
 			in = read(rfd, buf, sizeof(buf));
 			switch (in)
diff --git a/src/libtnccs/Android.mk b/src/libtnccs/Android.mk
index 68f85c252..e37973202 100644
--- a/src/libtnccs/Android.mk
+++ b/src/libtnccs/Android.mk
@@ -22,7 +22,7 @@ endif
 LOCAL_SRC_FILES += $(call add_plugin, tnc-tnccs)
 
 LOCAL_SRC_FILES += $(call add_plugin, tnccs-20)
-LOCAL_SRC_FILES += $(call add_plugin_subdirs, tnccs-20, batch messages messages/ietf messages/tcg state_machine)
+LOCAL_SRC_FILES += $(call add_plugin_subdirs, tnccs-20, batch messages messages/ietf messages/ita messages/tcg state_machine)
 ifneq ($(call plugin_enabled, tnccs-20),)
 LOCAL_C_INCLUDES += $(LOCAL_PATH)/plugins/tnccs_20/
 endif
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index b0bfdf20d..dc8c1b8cc 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -283,6 +283,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -343,10 +344,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -420,6 +423,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in
index 2b76aabe6..3641bdf5b 100644
--- a/src/libtnccs/plugins/tnc_imc/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imc/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c b/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c
index 859dded79..ce5b48133 100644
--- a/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c
+++ b/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c
@@ -44,6 +44,7 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_CALLBACK(tnc_manager_register, tnc_imc_manager_create),
 			PLUGIN_PROVIDE(CUSTOM, "imc-manager"),
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
+				PLUGIN_SDEPEND(CUSTOM, "imv-manager"),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_TRUSTED_PUBKEY),
 	};
diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h b/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h
index 8c5521cb2..8cbc70367 100644
--- a/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h
+++ b/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tnc_imc tnc_imc
- * @ingroup cplugins
+ * @ingroup tplugins
  *
  * @defgroup tnc_imc_plugin tnc_imc_plugin
  * @{ @ingroup tnc_imc
diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in
index 06e7b0480..c4b1bee23 100644
--- a/src/libtnccs/plugins/tnc_imv/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imv/Makefile.in
@@ -232,6 +232,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h
index afeee2ea2..5786bbaab 100644
--- a/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tnc_imv tnc_imv
- * @ingroup cplugins
+ * @ingroup tplugins
  *
  * @defgroup tnc_imv_plugin tnc_imv_plugin
  * @{ @ingroup tnc_imv
diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
index 8910fe761..5b01e317a 100644
--- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in
+++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c
index b8683f78c..30e505246 100644
--- a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c
+++ b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -169,8 +169,8 @@ METHOD(tnccs_manager_t, remove_method, void,
 
 METHOD(tnccs_manager_t, create_instance, tnccs_t*,
 	private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server,
-	identification_t *server, identification_t *peer, tnc_ift_type_t transport,
-	tnccs_cb_t cb)
+	identification_t *server_id, identification_t *peer_id, host_t *server_ip,
+	host_t *peer_ip, tnc_ift_type_t transport, tnccs_cb_t cb)
 {
 	enumerator_t *enumerator;
 	tnccs_entry_t *entry;
@@ -182,7 +182,8 @@ METHOD(tnccs_manager_t, create_instance, tnccs_t*,
 	{
 		if (type == entry->type)
 		{
-			protocol = entry->constructor(is_server, server, peer, transport, cb);
+			protocol = entry->constructor(is_server, server_id, peer_id,
+										  server_ip, peer_ip, transport, cb);
 			if (protocol)
 			{
 				break;
@@ -716,7 +717,8 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 		case TNC_ATTRIBUTEID_AR_IDENTITIES:
 		{
 			linked_list_t *list;
-			identification_t *peer;
+			identification_t *peer_id;
+			host_t *peer_ip;
 			tnccs_t *tnccs;
 			tncif_identity_t *tnc_id;
 			u_int32_t id_type, subject_type;
@@ -726,10 +728,11 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 
 			list = linked_list_create();
 			tnccs = entry->tnccs;
-			peer = tnccs->tls.get_peer_id(&tnccs->tls);
-			if (peer)
+
+			peer_id = tnccs->tls.get_peer_id(&tnccs->tls);
+			if (peer_id)
 			{
-				switch (peer->get_type(peer))
+				switch (peer_id->get_type(peer_id))
 				{
 					case ID_IPV4_ADDR:
 						id_type = TNC_ID_IPV4_ADDR;
@@ -756,7 +759,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 						subject_type = TNC_SUBJECT_UNKNOWN;
 				}
 				if (id_type != TNC_ID_UNKNOWN &&
-					asprintf(&id_str, "%Y", peer) >= 0)
+					asprintf(&id_str, "%Y", peer_id) >= 0)
 				{
 					id_value = chunk_from_str(id_str);
 					tnc_id = tncif_identity_create(
@@ -767,6 +770,33 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 					list->insert_last(list, tnc_id);
 				}
 			}
+
+			peer_ip = tnccs->get_peer_ip(tnccs);
+			if (peer_ip)
+			{
+				switch (peer_ip->get_family(peer_ip))
+				{
+					case AF_INET:
+						id_type = TNC_ID_IPV4_ADDR;
+						break;
+					case AF_INET6:
+						id_type = TNC_ID_IPV6_ADDR;
+						break;
+					default:
+						id_type = TNC_ID_UNKNOWN;
+				}
+
+				if (id_type != TNC_ID_UNKNOWN &&
+					asprintf(&id_str, "%H", peer_ip) >= 0)
+				{
+					id_value = chunk_from_str(id_str);
+					tnc_id = tncif_identity_create(
+								pen_type_create(PEN_TCG, id_type), id_value,
+								pen_type_create(PEN_TCG, TNC_SUBJECT_MACHINE),
+								pen_type_create(PEN_TCG, TNC_AUTH_UNKNOWN));
+					list->insert_last(list, tnc_id);
+				}
+			}
 			result = identity_attribute(buffer_len, buffer, value_len, list);
 			list->destroy_offset(list, offsetof(tncif_identity_t, destroy));
 			return result;
diff --git a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h
index f935fa462..c99d5e7c8 100644
--- a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h
+++ b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tnc_tnccs tnc_tnccs
- * @ingroup cplugins
+ * @ingroup tplugins
  *
  * @defgroup tnc_tnccs_plugin tnc_tnccs_plugin
  * @{ @ingroup tnc_tnccs
diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in
index ea6ac5546..e0c039af9 100644
--- a/src/libtnccs/plugins/tnccs_11/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_11/Makefile.in
@@ -241,6 +241,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -301,10 +302,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -378,6 +381,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.c b/src/libtnccs/plugins/tnccs_11/tnccs_11.c
index 28c5e52b7..0918a2bad 100644
--- a/src/libtnccs/plugins/tnccs_11/tnccs_11.c
+++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -54,12 +54,22 @@ struct private_tnccs_11_t {
 	/**
 	 * Server identity
 	 */
-	identification_t *server;
+	identification_t *server_id;
 
 	/**
 	 * Client identity
 	 */
-	identification_t *peer;
+	identification_t *peer_id;
+
+	/**
+	 * Server IP address
+	 */
+	host_t *server_ip;
+
+	/**
+	 * Client IP address
+	 */
+	host_t *peer_ip;
 
 	/**
 	 * Underlying TNC IF-T transport protocol
@@ -527,20 +537,20 @@ METHOD(tls_t, is_server, bool,
 METHOD(tls_t, get_server_id, identification_t*,
 	private_tnccs_11_t *this)
 {
-	return this->server;
+	return this->server_id;
 }
 
 METHOD(tls_t, set_peer_id, void,
 	private_tnccs_11_t *this, identification_t *id)
 {
-	DESTROY_IF(this->peer);
-	this->peer = id->clone(id);
+	DESTROY_IF(this->peer_id);
+	this->peer_id = id->clone(id);
 }
 
 METHOD(tls_t, get_peer_id, identification_t*,
 	private_tnccs_11_t *this)
 {
-	return this->peer;
+	return this->peer_id;
 }
 
 METHOD(tls_t, get_purpose, tls_purpose_t,
@@ -578,14 +588,28 @@ METHOD(tls_t, destroy, void,
 	{
 		tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id,
 												  this->is_server);
-		this->server->destroy(this->server);
-		this->peer->destroy(this->peer);
+		this->server_id->destroy(this->server_id);
+		this->peer_id->destroy(this->peer_id);
+		this->server_ip->destroy(this->server_ip);
+		this->peer_ip->destroy(this->peer_ip);
 		this->mutex->destroy(this->mutex);
 		DESTROY_IF(this->batch);
 		free(this);
 	}
 }
 
+METHOD(tnccs_t, get_server_ip, host_t*,
+	private_tnccs_11_t *this)
+{
+	return this->server_ip;
+}
+
+METHOD(tnccs_t, get_peer_ip, host_t*,
+	private_tnccs_11_t *this)
+{
+	return this->peer_ip;
+}
+
 METHOD(tnccs_t, get_transport, tnc_ift_type_t,
 	private_tnccs_11_t *this)
 {
@@ -628,9 +652,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*,
 /**
  * See header
  */
-tnccs_t* tnccs_11_create(bool is_server,
-						 identification_t *server, identification_t *peer,
-						 tnc_ift_type_t transport, tnccs_cb_t cb)
+tnccs_t* tnccs_11_create(bool is_server, identification_t *server_id,
+						 identification_t *peer_id, host_t *server_ip,
+						 host_t *peer_ip, tnc_ift_type_t transport,
+						 tnccs_cb_t cb)
 {
 	private_tnccs_11_t *this;
 
@@ -648,6 +673,8 @@ tnccs_t* tnccs_11_create(bool is_server,
 				.get_eap_msk = _get_eap_msk,
 				.destroy = _destroy,
 			},
+			.get_server_ip = _get_server_ip,
+			.get_peer_ip = _get_peer_ip,
 			.get_transport = _get_transport,
 			.set_transport = _set_transport,
 			.get_auth_type = _get_auth_type,
@@ -656,8 +683,10 @@ tnccs_t* tnccs_11_create(bool is_server,
 			.get_ref = _get_ref,
 		},
 		.is_server = is_server,
-		.server = server->clone(server),
-		.peer = peer->clone(peer),
+		.server_id = server_id->clone(server_id),
+		.peer_id = peer_id->clone(peer_id),
+		.server_ip = server_ip->clone(server_ip),
+		.peer_ip = peer_ip->clone(peer_ip),
 		.transport = transport,
 		.callback = cb,
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.h b/src/libtnccs/plugins/tnccs_11/tnccs_11.h
index e805df8bb..60d5518bc 100644
--- a/src/libtnccs/plugins/tnccs_11/tnccs_11.h
+++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -29,14 +29,17 @@
  * Create an instance of the TNC IF-TNCCS 1.1 protocol handler.
  *
  * @param is_server		TRUE to act as TNC Server, FALSE for TNC Client
- * @param server		Server identity
- * @param peer			Client identity
+ * @param server_id		Server identity
+ * @param peer_id		Client identity
+ * @param server_ip		Server IP address
+ * @param peer_ip		Client IP address
  * @param transport		Underlying IF-T transport protocol
  * @param cb			Callback function if TNC Server, NULL if TNC Client
  * @return				TNC_IF_TNCCS 1.1 protocol stack
  */
-tnccs_t* tnccs_11_create(bool is_server,
-						 identification_t *server, identification_t *peer,
-						 tnc_ift_type_t transport, tnccs_cb_t cb);
+tnccs_t* tnccs_11_create(bool is_server, identification_t *server_id,
+						 identification_t *peer_id, host_t *server_ip,
+						 host_t *peer_ip, tnc_ift_type_t transport,
+						 tnccs_cb_t cb);
 
 #endif /** TNCCS_11_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h b/src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h
index 619a073ad..73ea5759b 100644
--- a/src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h
+++ b/src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tnccs_11 tnccs_11
- * @ingroup cplugins
+ * @ingroup tplugins
  *
  * @defgroup tnccs_11_plugin tnccs_11_plugin
  * @{ @ingroup tnccs_11
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.am b/src/libtnccs/plugins/tnccs_20/Makefile.am
index 2aefecd26..7d1cdded1 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.am
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.am
@@ -18,6 +18,8 @@ endif
 
 libstrongswan_tnccs_20_la_SOURCES = \
 	tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c \
+	tnccs_20_handler.h \
+	tnccs_20_server.h tnccs_20_server.c tnccs_20_client.h tnccs_20_client.c \
 	batch/pb_tnc_batch.h batch/pb_tnc_batch.c \
 	messages/pb_tnc_msg.h messages/pb_tnc_msg.c \
 	messages/ietf/pb_experimental_msg.h messages/ietf/pb_experimental_msg.c \
@@ -28,6 +30,8 @@ libstrongswan_tnccs_20_la_SOURCES = \
 	messages/ietf/pb_language_preference_msg.h messages/ietf/pb_language_preference_msg.c \
 	messages/ietf/pb_reason_string_msg.h messages/ietf/pb_reason_string_msg.c \
 	messages/ietf/pb_remediation_parameters_msg.h messages/ietf/pb_remediation_parameters_msg.c \
+	messages/ita/pb_mutual_capability_msg.h messages/ita/pb_mutual_capability_msg.c \
+	messages/ita/pb_noskip_test_msg.h messages/ita/pb_noskip_test_msg.c \
 	messages/tcg/pb_pdp_referral_msg.h messages/tcg/pb_pdp_referral_msg.c \
 	state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c
 
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in
index 90c804710..17d997f76 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.in
@@ -132,8 +132,8 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@	$(top_builddir)/src/libtnccs/libtnccs.la
 am__dirstamp = $(am__leading_dot)dirstamp
 am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo \
-	batch/pb_tnc_batch.lo messages/pb_tnc_msg.lo \
-	messages/ietf/pb_experimental_msg.lo \
+	tnccs_20_server.lo tnccs_20_client.lo batch/pb_tnc_batch.lo \
+	messages/pb_tnc_msg.lo messages/ietf/pb_experimental_msg.lo \
 	messages/ietf/pb_pa_msg.lo \
 	messages/ietf/pb_assessment_result_msg.lo \
 	messages/ietf/pb_access_recommendation_msg.lo \
@@ -141,6 +141,8 @@ am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo \
 	messages/ietf/pb_language_preference_msg.lo \
 	messages/ietf/pb_reason_string_msg.lo \
 	messages/ietf/pb_remediation_parameters_msg.lo \
+	messages/ita/pb_mutual_capability_msg.lo \
+	messages/ita/pb_noskip_test_msg.lo \
 	messages/tcg/pb_pdp_referral_msg.lo \
 	state_machine/pb_tnc_state_machine.lo
 libstrongswan_tnccs_20_la_OBJECTS =  \
@@ -242,6 +244,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -302,10 +305,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -379,6 +384,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -454,6 +461,8 @@ AM_CFLAGS = \
 
 libstrongswan_tnccs_20_la_SOURCES = \
 	tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c \
+	tnccs_20_handler.h \
+	tnccs_20_server.h tnccs_20_server.c tnccs_20_client.h tnccs_20_client.c \
 	batch/pb_tnc_batch.h batch/pb_tnc_batch.c \
 	messages/pb_tnc_msg.h messages/pb_tnc_msg.c \
 	messages/ietf/pb_experimental_msg.h messages/ietf/pb_experimental_msg.c \
@@ -464,6 +473,8 @@ libstrongswan_tnccs_20_la_SOURCES = \
 	messages/ietf/pb_language_preference_msg.h messages/ietf/pb_language_preference_msg.c \
 	messages/ietf/pb_reason_string_msg.h messages/ietf/pb_reason_string_msg.c \
 	messages/ietf/pb_remediation_parameters_msg.h messages/ietf/pb_remediation_parameters_msg.c \
+	messages/ita/pb_mutual_capability_msg.h messages/ita/pb_mutual_capability_msg.c \
+	messages/ita/pb_noskip_test_msg.h messages/ita/pb_noskip_test_msg.c \
 	messages/tcg/pb_pdp_referral_msg.h messages/tcg/pb_pdp_referral_msg.c \
 	state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c
 
@@ -590,6 +601,17 @@ messages/ietf/pb_reason_string_msg.lo: messages/ietf/$(am__dirstamp) \
 messages/ietf/pb_remediation_parameters_msg.lo:  \
 	messages/ietf/$(am__dirstamp) \
 	messages/ietf/$(DEPDIR)/$(am__dirstamp)
+messages/ita/$(am__dirstamp):
+	@$(MKDIR_P) messages/ita
+	@: > messages/ita/$(am__dirstamp)
+messages/ita/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) messages/ita/$(DEPDIR)
+	@: > messages/ita/$(DEPDIR)/$(am__dirstamp)
+messages/ita/pb_mutual_capability_msg.lo:  \
+	messages/ita/$(am__dirstamp) \
+	messages/ita/$(DEPDIR)/$(am__dirstamp)
+messages/ita/pb_noskip_test_msg.lo: messages/ita/$(am__dirstamp) \
+	messages/ita/$(DEPDIR)/$(am__dirstamp)
 messages/tcg/$(am__dirstamp):
 	@$(MKDIR_P) messages/tcg
 	@: > messages/tcg/$(am__dirstamp)
@@ -618,6 +640,8 @@ mostlyclean-compile:
 	-rm -f messages/*.lo
 	-rm -f messages/ietf/*.$(OBJEXT)
 	-rm -f messages/ietf/*.lo
+	-rm -f messages/ita/*.$(OBJEXT)
+	-rm -f messages/ita/*.lo
 	-rm -f messages/tcg/*.$(OBJEXT)
 	-rm -f messages/tcg/*.lo
 	-rm -f state_machine/*.$(OBJEXT)
@@ -627,7 +651,9 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_client.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_server.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@batch/$(DEPDIR)/pb_tnc_batch.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@messages/$(DEPDIR)/pb_tnc_msg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@messages/ietf/$(DEPDIR)/pb_access_recommendation_msg.Plo@am__quote@
@@ -638,6 +664,8 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@messages/ietf/$(DEPDIR)/pb_pa_msg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@messages/ietf/$(DEPDIR)/pb_reason_string_msg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@messages/ietf/$(DEPDIR)/pb_remediation_parameters_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@messages/ita/$(DEPDIR)/pb_mutual_capability_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@messages/ita/$(DEPDIR)/pb_noskip_test_msg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@messages/tcg/$(DEPDIR)/pb_pdp_referral_msg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@state_machine/$(DEPDIR)/pb_tnc_state_machine.Plo@am__quote@
 
@@ -673,6 +701,7 @@ clean-libtool:
 	-rm -rf batch/.libs batch/_libs
 	-rm -rf messages/.libs messages/_libs
 	-rm -rf messages/ietf/.libs messages/ietf/_libs
+	-rm -rf messages/ita/.libs messages/ita/_libs
 	-rm -rf messages/tcg/.libs messages/tcg/_libs
 	-rm -rf state_machine/.libs state_machine/_libs
 
@@ -797,6 +826,8 @@ distclean-generic:
 	-rm -f messages/$(am__dirstamp)
 	-rm -f messages/ietf/$(DEPDIR)/$(am__dirstamp)
 	-rm -f messages/ietf/$(am__dirstamp)
+	-rm -f messages/ita/$(DEPDIR)/$(am__dirstamp)
+	-rm -f messages/ita/$(am__dirstamp)
 	-rm -f messages/tcg/$(DEPDIR)/$(am__dirstamp)
 	-rm -f messages/tcg/$(am__dirstamp)
 	-rm -f state_machine/$(DEPDIR)/$(am__dirstamp)
@@ -811,7 +842,7 @@ clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
 	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
-	-rm -rf ./$(DEPDIR) batch/$(DEPDIR) messages/$(DEPDIR) messages/ietf/$(DEPDIR) messages/tcg/$(DEPDIR) state_machine/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) batch/$(DEPDIR) messages/$(DEPDIR) messages/ietf/$(DEPDIR) messages/ita/$(DEPDIR) messages/tcg/$(DEPDIR) state_machine/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -857,7 +888,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR) batch/$(DEPDIR) messages/$(DEPDIR) messages/ietf/$(DEPDIR) messages/tcg/$(DEPDIR) state_machine/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) batch/$(DEPDIR) messages/$(DEPDIR) messages/ietf/$(DEPDIR) messages/ita/$(DEPDIR) messages/tcg/$(DEPDIR) state_machine/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
diff --git a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c
index 228c08255..faad02b9b 100644
--- a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c
+++ b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Sansar Choinyanbuu
- * Copyright (C) 2010-2012 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -85,7 +85,7 @@ struct private_pb_tnc_batch_t {
 	pb_tnc_batch_t public;
 
 	/**
-	 * TNCC if TRUE, TNCS if FALSE
+	 * from TNC server if TRUE, from TNC client if FALSE
 	 */
 	bool is_server;
 
@@ -166,6 +166,9 @@ METHOD(pb_tnc_batch_t, add_msg, bool,
 		case PEN_TCG:
 			msg_type_names = pb_tnc_tcg_msg_type_names;
 			break;
+		case PEN_ITA:
+			msg_type_names = pb_tnc_ita_msg_type_names;
+			break;
 	}
 	DBG2(DBG_TNC, "adding %N/%N message", pen_names, msg_type.vendor_id,
 										  msg_type_names, msg_type.type);
@@ -176,6 +179,7 @@ METHOD(pb_tnc_batch_t, add_msg, bool,
 METHOD(pb_tnc_batch_t, build, void,
 	private_pb_tnc_batch_t *this)
 {
+	u_int8_t version;
 	u_int32_t msg_len;
 	chunk_t msg_value;
 	enumerator_t *enumerator;
@@ -184,9 +188,14 @@ METHOD(pb_tnc_batch_t, build, void,
 	pb_tnc_msg_info_t *msg_infos;
 	bio_writer_t *writer;
 
+	/* Set wrong PB-TNC version for testing purposes to force a PB-TNC error */
+	version = lib->settings->get_int(lib->settings,
+						"%s.plugins.tnccs-20.tests.pb_tnc_version",
+						 PB_TNC_VERSION, lib->ns);
+
 	/* build PB-TNC batch header */
 	writer = bio_writer_create(this->batch_len);
-	writer->write_uint8 (writer, PB_TNC_VERSION);
+	writer->write_uint8 (writer, version);
 	writer->write_uint8 (writer, this->is_server ?
 								 PB_TNC_BATCH_FLAG_D : PB_TNC_BATCH_FLAG_NONE);
 	writer->write_uint16(writer, this->type);
@@ -211,6 +220,9 @@ METHOD(pb_tnc_batch_t, build, void,
 			case PEN_TCG:
 				msg_infos = pb_tnc_tcg_msg_infos;
 				break;
+			case PEN_ITA:
+				msg_infos = pb_tnc_ita_msg_infos;
+				break;
 		}
 		if (msg_infos[msg_type.type].has_noskip_flag)
 		{
@@ -228,15 +240,15 @@ METHOD(pb_tnc_batch_t, build, void,
 	writer->destroy(writer);
 }
 
-static status_t process_batch_header(private_pb_tnc_batch_t *this,
-									 pb_tnc_state_machine_t *state_machine)
+METHOD(pb_tnc_batch_t, process_header, status_t,
+	private_pb_tnc_batch_t *this, bool directionality, bool is_server,
+	bool *from_server)
 {
 	bio_reader_t *reader;
 	pb_tnc_msg_t *msg;
 	pb_error_msg_t *err_msg;
 	u_int8_t version, flags, reserved, type;
 	u_int32_t batch_len;
-	bool directionality;
 
 	if (this->encoding.len < PB_TNC_BATCH_HEADER_SIZE)
 	{
@@ -267,13 +279,14 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this,
 	}
 
 	/* Directionality */
-	directionality = (flags & PB_TNC_BATCH_FLAG_D) != PB_TNC_BATCH_FLAG_NONE;
-	if (directionality == this->is_server)
+	*from_server = (flags & PB_TNC_BATCH_FLAG_D) != PB_TNC_BATCH_FLAG_NONE;
+
+	if (directionality & (*from_server == is_server))
 	{
 		DBG1(DBG_TNC, "wrong Directionality: batch is from a PB %s",
-			 directionality ? "server" : "client");
+					   is_server ? "server" : "client");
 		msg = pb_error_msg_create_with_offset(TRUE, PEN_IETF,
-							PB_ERROR_INVALID_PARAMETER, 1);
+					   PB_ERROR_INVALID_PARAMETER, 1);
 		goto fatal;
 	}
 
@@ -287,17 +300,6 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this,
 		goto fatal;
 	}
 
-	if (!state_machine->receive_batch(state_machine, this->type))
-	{
-		DBG1(DBG_TNC, "unexpected PB-TNC batch type: %N",
-					   pb_tnc_batch_type_names, this->type);
-		msg = pb_error_msg_create(TRUE, PEN_IETF,
-								  PB_ERROR_UNEXPECTED_BATCH_TYPE);
-		goto fatal;
-	}
-	DBG1(DBG_TNC, "processing PB-TNC %N batch", pb_tnc_batch_type_names,
-												this->type);
-
 	/* Batch Length */
 	if (this->encoding.len != batch_len)
 	{
@@ -310,12 +312,6 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this,
 
 	this->offset = PB_TNC_BATCH_HEADER_SIZE;
 
-	/* Register an empty CDATA batch with the state machine */
-	if (this->type == PB_BATCH_CDATA)
-	{
-		state_machine->set_empty_cdata(state_machine,
-									   this->offset == this->encoding.len);
-	}
 	return SUCCESS;
 
 fatal:
@@ -395,11 +391,18 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
 		msg_type_names = pb_tnc_msg_type_names;
 		msg_infos = pb_tnc_msg_infos;
 	}
-	else if (vendor_id == PEN_TCG && msg_type <= PB_TCG_MSG_ROOF)
+	else if (vendor_id == PEN_TCG && msg_type <= PB_TCG_MSG_ROOF &&
+									 msg_type >  PB_TCG_MSG_RESERVED)
 	{
 		msg_type_names = pb_tnc_tcg_msg_type_names;
 		msg_infos = pb_tnc_tcg_msg_infos;
 	}
+	else if (vendor_id == PEN_ITA && msg_type <= PB_ITA_MSG_ROOF &&
+									 msg_type >  PB_ITA_MSG_NOSKIP_TEST)
+	{
+		msg_type_names = pb_tnc_ita_msg_type_names;
+		msg_infos = pb_tnc_ita_msg_infos;
+	}
 	else
 	{
 		if (msg_len < PB_TNC_MSG_HEADER_SIZE)
@@ -413,7 +416,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
 
 		if (noskip_flag)
 		{
-			DBG1(DBG_TNC, "reject PB-TNC message 0x%06x/0x%08x)",
+			DBG1(DBG_TNC, "reject PB-TNC message (0x%06x/0x%08x)",
 						   vendor_id, msg_type);
 			msg = pb_error_msg_create_with_offset(TRUE, PEN_IETF,
 							PB_ERROR_UNSUPPORTED_MANDATORY_MSG, this->offset);
@@ -421,7 +424,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
 		}
 		else
 		{
-			DBG1(DBG_TNC, "ignore PB-TNC message 0x%06x/0x%08x)",
+			DBG1(DBG_TNC, "ignore PB-TNC message (0x%06x/0x%08x)",
 						   vendor_id, msg_type);
 			this->offset += msg_len;
 			return SUCCESS;
@@ -502,14 +505,26 @@ fatal:
 METHOD(pb_tnc_batch_t, process, status_t,
 	private_pb_tnc_batch_t *this, pb_tnc_state_machine_t *state_machine)
 {
-	status_t status;
+	pb_tnc_msg_t *msg;
+	status_t status = SUCCESS;
 
-	status = process_batch_header(this, state_machine);
-	if (status != SUCCESS)
+	if (!state_machine->receive_batch(state_machine, this->type))
 	{
+		DBG1(DBG_TNC, "unexpected PB-TNC batch type: %N",
+					   pb_tnc_batch_type_names, this->type);
+		msg = pb_error_msg_create(TRUE, PEN_IETF,
+								  PB_ERROR_UNEXPECTED_BATCH_TYPE);
+		this->errors->insert_last(this->errors, msg);
 		return FAILED;
 	}
 
+	/* Register an empty CDATA batch with the state machine */
+	if (this->type == PB_BATCH_CDATA)
+	{
+		state_machine->set_empty_cdata(state_machine,
+									   this->offset == this->encoding.len);
+	}
+
 	while (this->offset < this->encoding.len)
 	{
 		switch (process_tnc_msg(this))
@@ -585,7 +600,7 @@ pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type,
 /**
  * See header
  */
-pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data)
+pb_tnc_batch_t* pb_tnc_batch_create_from_data(chunk_t data)
 {
 	private_pb_tnc_batch_t *this;
 
@@ -595,12 +610,12 @@ pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data)
 			.get_encoding = _get_encoding,
 			.add_msg = _add_msg,
 			.build = _build,
+			.process_header = _process_header,
 			.process = _process,
 			.create_msg_enumerator = _create_msg_enumerator,
 			.create_error_enumerator = _create_error_enumerator,
 			.destroy = _destroy,
 		},
-		.is_server = is_server,
 		.messages = linked_list_create(),
 		.errors = linked_list_create(),
 		.encoding = chunk_clone(data),
diff --git a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h
index 106c5578c..6089c7d2e 100644
--- a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h
+++ b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2012 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -84,10 +84,21 @@ struct pb_tnc_batch_t {
 	void (*build)(pb_tnc_batch_t *this);
 
 	/**
+	 * Process the PB-TNC Batch header
+	 *
+	 * @param directionality	TRUE if no mutual TNC measurements
+	 * @param is_server			TRUE if called by TNC server
+	 * @param from_server		TRUE if sent by TNC server
+	 * @return					return processing status
+	 */
+	status_t (*process_header)(pb_tnc_batch_t *this, bool directionality,
+							   bool is_server, bool *from_server);
+
+	/**
 	 * Process the PB-TNC Batch
 	 *
-	 * @param				PB-TNC state machine
-	 * @return				return processing status
+	 * @param state_machine		PB-TNC state machine
+	 * @return					return processing status
 	 */
 	status_t (*process)(pb_tnc_batch_t *this,
 						pb_tnc_state_machine_t *state_machine);
@@ -95,14 +106,14 @@ struct pb_tnc_batch_t {
 	/**
 	 * Enumerates over all PB-TNC Messages
 	 *
-	 * @return				return message enumerator
+	 * @return					return message enumerator
 	 */
 	enumerator_t* (*create_msg_enumerator)(pb_tnc_batch_t *this);
 
 	/**
 	 * Enumerates over all parsing errors
 	 *
-	 * @return				return error enumerator
+	 * @return					return error enumerator
 	 */
 	enumerator_t* (*create_error_enumerator)(pb_tnc_batch_t *this);
 
@@ -115,9 +126,9 @@ struct pb_tnc_batch_t {
 /**
  * Create an empty PB-TNC Batch of a given type
  *
- * @param is_server			TRUE if server, FALSE if client
- * @param type				PB-TNC batch type
- * @param max_batch_len		maximum size the PB-TNC batch
+ * @param is_server				TRUE if server, FALSE if client
+ * @param type					PB-TNC batch type
+ * @param max_batch_len			maximum size the PB-TNC batch
  */
 pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type,
 									size_t max_batch_len);
@@ -125,9 +136,8 @@ pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type,
 /**
  * Create an unprocessed PB-TNC Batch from data
  *
- * @param is_server			TRUE if server, FALSE if client
  * @param  data				encoded PB-TNC batch
  */
-pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data);
+pb_tnc_batch_t* pb_tnc_batch_create_from_data(chunk_t data);
 
 #endif /** PB_TNC_BATCH_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.c b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.c
new file mode 100644
index 000000000..1f35cae6b
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_mutual_capability_msg.h"
+
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+ENUM(pb_tnc_mutual_protocol_type_names, PB_MUTUAL_HALF_DUPLEX,
+										PB_MUTUAL_FULL_DUPLEX,
+	"half duplex",
+	"full duplex"
+);
+
+typedef struct private_pb_mutual_capability_msg_t private_pb_mutual_capability_msg_t;
+
+/**
+ *   PB-Mutual-Capability message
+ *
+ *    0                   1                   2                   3
+ *    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   |H|F|                      Reserved                             |
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+# define MUTUAL_CAPABILITY_HEADER_SIZE		4
+
+/**
+ * Private data of a pb_mutual_capability_msg_t object.
+ *
+ */
+struct private_pb_mutual_capability_msg_t {
+	/**
+	 * Public pb_mutual_capability_msg_t interface.
+	 */
+	pb_mutual_capability_msg_t public;
+
+	/**
+	 * PB-TNC message type
+	 */
+	pen_type_t type;
+
+	/**
+	 * PB-TNC mutual protocols
+	 */
+	uint32_t protocols;
+
+	/**
+	 * Encoded message
+	 */
+	chunk_t encoding;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pen_type_t,
+	private_pb_mutual_capability_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+	private_pb_mutual_capability_msg_t *this)
+{
+	return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+	private_pb_mutual_capability_msg_t *this)
+{
+	bio_writer_t *writer;
+
+	if (this->encoding.ptr)
+	{
+		return;
+	}
+	writer = bio_writer_create(MUTUAL_CAPABILITY_HEADER_SIZE);
+	writer->write_uint32(writer, this->protocols);
+
+	this->encoding = writer->get_buf(writer);
+	this->encoding = chunk_clone(this->encoding);
+	writer->destroy(writer);
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+	private_pb_mutual_capability_msg_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+
+	*offset = 0;
+
+	/* process message */
+	reader = bio_reader_create(this->encoding);
+	reader->read_uint32(reader, &this->protocols);
+	reader->destroy(reader);
+
+	return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+	private_pb_mutual_capability_msg_t *this)
+{
+	free(this->encoding.ptr);
+	free(this);
+}
+
+METHOD(pb_mutual_capability_msg_t, get_protocols, uint32_t,
+	private_pb_mutual_capability_msg_t *this)
+{
+	return this->protocols;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t* pb_mutual_capability_msg_create(uint32_t protocols)
+{
+	private_pb_mutual_capability_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_protocols = _get_protocols,
+		},
+		.type = { PEN_ITA, PB_ITA_MSG_MUTUAL_CAPABILITY },
+		.protocols = protocols,
+	);
+
+	return &this->public.pb_interface;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_mutual_capability_msg_create_from_data(chunk_t data)
+{
+	private_pb_mutual_capability_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_protocols = _get_protocols,
+		},
+		.type = { PEN_ITA, PB_ITA_MSG_MUTUAL_CAPABILITY },
+		.encoding = chunk_clone(data),
+	);
+
+	return &this->public.pb_interface;
+}
+
diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.h b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.h
new file mode 100644
index 000000000..db810a012
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_mutual_capability_msg pb_mutual_capability_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_MUTUAL_CAPABILITY_MSG_H_
+#define PB_MUTUAL_CAPABILITY_MSG_H_
+
+typedef enum pb_tnc_mutual_protocol_type_t pb_tnc_mutual_protocol_type_t;
+typedef struct pb_mutual_capability_msg_t pb_mutual_capability_msg_t;
+
+#include "messages/pb_tnc_msg.h"
+
+/**
+ * PB-TNC mutual protocol types
+ */
+enum pb_tnc_mutual_protocol_type_t {
+	PB_MUTUAL_HALF_DUPLEX =	(1 << 31),
+	PB_MUTUAL_FULL_DUPLEX =	(1 << 30)
+};
+
+/**
+ * enum name for pb_mutual_protocol_type_t.
+ */
+extern enum_name_t *pb_tnc_mutual_protocol_type_names;
+
+/**
+ * Class representing the PB-Mutual-Capabilities message type.
+ */
+struct pb_mutual_capability_msg_t {
+
+	/**
+	 * PB-TNC Message interface
+	 */
+	pb_tnc_msg_t pb_interface;
+
+	/**
+	 * Get the PB-TNC mutual protocol types
+	 *
+	 * @return				PB-TNC mutual protocol types
+	 */
+	uint32_t(*get_protocols)(pb_mutual_capability_msg_t *this);
+
+};
+
+/**
+ * Create a PB-Mutual-Capability message
+ *
+ * @param protocols			Supported PB-TNC mutual protocols
+ */
+pb_tnc_msg_t* pb_mutual_capability_msg_create(uint32_t protocols);
+
+/**
+ * Create an unprocessed PB-Mutual-Capability message from raw data
+ *
+  * @param data		PB-Mutual-Capability message data
+ */
+pb_tnc_msg_t* pb_mutual_capability_msg_create_from_data(chunk_t data);
+
+#endif /** PB_MUTUAL_CAPABILITY_MSG_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c
new file mode 100644
index 000000000..c95222e3a
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_noskip_test_msg.h"
+
+typedef struct private_pb_noskip_test_msg_t private_pb_noskip_test_msg_t;
+
+/**
+ * Private data of a pb_noskip_test_msg_t object.
+ *
+ */
+struct private_pb_noskip_test_msg_t {
+	/**
+	 * Public pb_noskip_test_msg_t interface.
+	 */
+	pb_noskip_test_msg_t public;
+
+	/**
+	 * PB-TNC message type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Encoded message
+	 */
+	chunk_t encoding;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pen_type_t,
+	private_pb_noskip_test_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+	private_pb_noskip_test_msg_t *this)
+{
+	return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+	private_pb_noskip_test_msg_t *this)
+{
+	/* nothing to do since the message is empty */
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+	private_pb_noskip_test_msg_t *this, u_int32_t *offset)
+{
+	return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+	private_pb_noskip_test_msg_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_noskip_test_msg_create(void)
+{
+	private_pb_noskip_test_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+		},
+		.type = { PEN_ITA, PB_ITA_MSG_NOSKIP_TEST },
+	);
+
+	return &this->public.pb_interface;
+}
diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h
new file mode 100644
index 000000000..6325582da
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_noskip_test_msg pb_noskip_test_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_NOSKIP_TEST_MSG_H_
+#define PB_NOSKIP_TEST_MSG_H_
+
+typedef struct pb_noskip_test_msg_t pb_noskip_test_msg_t;
+
+#include "messages/pb_tnc_msg.h"
+
+/**
+ * Class representing the PB-Noskip-Test message type.
+ */
+struct pb_noskip_test_msg_t {
+
+	/**
+	 * PB-TNC Message interface
+	 */
+	pb_tnc_msg_t pb_interface;
+};
+
+/**
+ * Create a PB-Noskip-Test message from parameters
+ */
+pb_tnc_msg_t* pb_noskip_test_msg_create(void);
+
+#endif /** PB_NOSKIP_TEST_MSG_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c
index ec43490f4..b46c776e4 100644
--- a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c
+++ b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c
@@ -22,6 +22,7 @@
 #include "ietf/pb_access_recommendation_msg.h"
 #include "ietf/pb_remediation_parameters_msg.h"
 #include "ietf/pb_reason_string_msg.h"
+#include "ita/pb_mutual_capability_msg.h"
 #include "tcg/pb_pdp_referral_msg.h"
 
 #include <library.h>
@@ -37,10 +38,17 @@ ENUM(pb_tnc_msg_type_names, PB_MSG_EXPERIMENTAL, PB_MSG_REASON_STRING,
 	"PB-Reason-String"
 );
 
-ENUM(pb_tnc_tcg_msg_type_names, PB_TCG_MSG_PDP_REFERRAL, PB_TCG_MSG_PDP_REFERRAL,
+ENUM(pb_tnc_tcg_msg_type_names, PB_TCG_MSG_PDP_REFERRAL,
+								PB_TCG_MSG_PDP_REFERRAL,
 	"PB-PDP-Referral"
 );
 
+ENUM(pb_tnc_ita_msg_type_names, PB_ITA_MSG_NOSKIP_TEST,
+								PB_ITA_MSG_MUTUAL_CAPABILITY,
+	"PB-Noskip-Test",
+	"PB-Mutual-Capability"
+);
+
 pb_tnc_msg_info_t pb_tnc_msg_infos[] = {
 	{ 12, FALSE, FALSE, TRUE_OR_FALSE },
 	{ 24, FALSE, FALSE, TRUE  },
@@ -57,6 +65,11 @@ pb_tnc_msg_info_t pb_tnc_tcg_msg_infos[] = {
 	{ 20, FALSE, FALSE,  FALSE },
 };
 
+pb_tnc_msg_info_t pb_tnc_ita_msg_infos[] = {
+	{ 12, TRUE,  FALSE,  TRUE  },
+	{ 16, FALSE, FALSE,  FALSE },
+};
+
 /**
  * See header
  */
@@ -91,5 +104,12 @@ pb_tnc_msg_t* pb_tnc_msg_create_from_data(pen_type_t msg_type, chunk_t value)
 			return pb_pdp_referral_msg_create_from_data(value);
 		}
 	}
+	else if (msg_type.vendor_id == PEN_ITA)
+	{
+		if (msg_type.type == PB_ITA_MSG_MUTUAL_CAPABILITY)
+		{
+			return pb_mutual_capability_msg_create_from_data(value);
+		}
+	}
 	return NULL;
 }
diff --git a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h
index 6eeed5156..35b0b7c26 100644
--- a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h
+++ b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h
@@ -54,6 +54,7 @@ extern enum_name_t *pb_tnc_msg_type_names;
  * PB-TNC Message Type defined in the TCG namespace
  */
 enum pb_tnc_tcg_msg_type_t {
+	PB_TCG_MSG_RESERVED =				0,
 	PB_TCG_MSG_PDP_REFERRAL =			1,
 	PB_TCG_MSG_ROOF =					1
 };
@@ -64,6 +65,20 @@ enum pb_tnc_tcg_msg_type_t {
 extern enum_name_t *pb_tnc_tcg_msg_type_names;
 
 /**
+ * PB-TNC Message Type defined in the ITA namespace
+ */
+enum pb_tnc_ita_msg_type_t {
+	PB_ITA_MSG_NOSKIP_TEST =			0,
+	PB_ITA_MSG_MUTUAL_CAPABILITY =		1,
+	PB_ITA_MSG_ROOF =					1
+};
+
+/**
+ * enum name for pb_tnc_tcg_msg_type_t.
+ */
+extern enum_name_t *pb_tnc_ita_msg_type_names;
+
+/**
  * Information entry describing a PB-TNC Message Type
  */
 struct pb_tnc_msg_info_t {
@@ -86,6 +101,11 @@ extern pb_tnc_msg_info_t pb_tnc_msg_infos[];
 extern pb_tnc_msg_info_t pb_tnc_tcg_msg_infos[];
 
 /**
+ * Information on PB-TNC ITA Message Types
+ */
+extern pb_tnc_msg_info_t pb_tnc_ita_msg_infos[];
+
+/**
  * Generic interface for all PB-TNC message types.
  *
  * To handle all messages in a generic way, this interface
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.c b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
index dc4da51c6..a1a95733f 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Sansar Choinyanbuu
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,30 +15,17 @@
  */
 
 #include "tnccs_20.h"
+#include "tnccs_20_handler.h"
+#include "tnccs_20_server.h"
+#include "tnccs_20_client.h"
 #include "batch/pb_tnc_batch.h"
 #include "messages/pb_tnc_msg.h"
 #include "messages/ietf/pb_pa_msg.h"
-#include "messages/ietf/pb_error_msg.h"
-#include "messages/ietf/pb_assessment_result_msg.h"
-#include "messages/ietf/pb_access_recommendation_msg.h"
-#include "messages/ietf/pb_remediation_parameters_msg.h"
-#include "messages/ietf/pb_reason_string_msg.h"
-#include "messages/ietf/pb_language_preference_msg.h"
-#include "messages/tcg/pb_pdp_referral_msg.h"
-#include "state_machine/pb_tnc_state_machine.h"
 
 #include <tncif_names.h>
 #include <tncif_pa_subtypes.h>
 
-#include <tnc/tnc.h>
-#include <tnc/tnccs/tnccs_manager.h>
-#include <tnc/imc/imc_manager.h>
-#include <tnc/imv/imv_manager.h>
-
-#include <threading/mutex.h>
 #include <utils/debug.h>
-#include <collections/linked_list.h>
-#include <pen/pen.h>
 
 typedef struct private_tnccs_20_t private_tnccs_20_t;
 
@@ -60,77 +47,72 @@ struct private_tnccs_20_t {
 	/**
 	 * Server identity
 	 */
-	identification_t *server;
+	identification_t *server_id;
 
 	/**
 	 * Client identity
 	 */
-	identification_t *peer;
+	identification_t *peer_id;
 
 	/**
-	 * Underlying TNC IF-T transport protocol
+	 * Server IP address
 	 */
-	tnc_ift_type_t transport;
+	host_t *server_ip;
 
 	/**
-	 * Type of TNC client authentication
+	 * Client IP address
 	 */
-	u_int32_t auth_type;
+	host_t *peer_ip;
 
 	/**
-	 * PB-TNC State Machine
+	 * Underlying TNC IF-T transport protocol
 	 */
-	pb_tnc_state_machine_t *state_machine;
+	tnc_ift_type_t transport;
 
 	/**
-	 * Connection ID assigned to this TNCCS connection
+	 *  TNC IF-T transport protocol for EAP methods
 	 */
-	TNC_ConnectionID connection_id;
+	bool eap_transport;
 
 	/**
-	 * PB-TNC messages to be sent
+	 * Type of TNC client authentication
 	 */
-	linked_list_t *messages;
+	u_int32_t auth_type;
 
 	/**
-	 * Type of PB-TNC batch being constructed
+	 * Mutual PB-TNC protocol enabled
 	 */
-	pb_tnc_batch_type_t batch_type;
+	bool mutual;
 
 	/**
-	 * Maximum PB-TNC batch size
+	 * Direction the next batch will go to
 	 */
-	size_t max_batch_len;
+	bool to_server;
 
 	/**
-	 * Maximum PA-TNC message size
+	 * TNC Server
 	 */
-	size_t max_msg_len;
+	tnccs_20_handler_t *tnc_server;
 
 	/**
-	 * Mutex locking the batch in construction
+	 * TNC Client
 	 */
-	mutex_t *mutex;
+	tnccs_20_handler_t *tnc_client;
 
 	/**
-	 * Flag set while processing
+	 * Active TNCSS handler
 	 */
-	bool fatal_error;
+	tnccs_20_handler_t *tnccs_handler;
 
 	/**
-	 * Flag set by IMC/IMV RequestHandshakeRetry() function
+	 * Maximum PB-TNC batch size
 	 */
-	bool request_handshake_retry;
-
-	/**
-	  * SendMessage() by IMC/IMV only allowed if flag is set
-	  */
-	bool send_msg;
+	size_t max_batch_len;
 
 	/**
-	 * Set of IMV recommendations  (TNC Server only)
+	 * Maximum PA-TNC message size
 	 */
-	recommendations_t *recs;
+	size_t max_msg_len;
 
 	/**
 	 * Callback function to communicate recommendation (TNC Server only)
@@ -138,69 +120,30 @@ struct private_tnccs_20_t {
 	tnccs_cb_t callback;
 
 	/**
-	 * Data to pass to callback function (TNC Server only)
-	 */
-	void *cb_data;
-
-	/**
-	 * PDP server FQDN
-	 */
-	chunk_t pdp_server;
-
-	/**
-	 * PDP server port
-	 */
-	u_int16_t pdp_port;
-
-	/**
 	 * reference count
 	 */
 	refcount_t ref;
 
 };
 
-/**
- * If the batch type changes then delete all accumulated PB-TNC messages
- */
-void change_batch_type(private_tnccs_20_t *this, pb_tnc_batch_type_t batch_type)
-{
-	pb_tnc_msg_t *msg;
-
-	if (batch_type != this->batch_type)
-	{
-		if (this->batch_type != PB_BATCH_NONE)
-		{
-			DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
-				 pb_tnc_batch_type_names, this->batch_type);
-
-			while (this->messages->remove_last(this->messages,
-											  (void**)&msg) == SUCCESS)
-			{
-				msg->destroy(msg);
-			}
-		}
-		this->batch_type = batch_type;
-	}
-}
-
 METHOD(tnccs_t, send_msg, TNC_Result,
 	private_tnccs_20_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id,
-						      TNC_UInt32 msg_flags,
+							  TNC_UInt32 msg_flags,
 							  TNC_BufferReference msg,
 							  TNC_UInt32 msg_len,
-						      TNC_VendorID msg_vid,
-						      TNC_MessageSubtype msg_subtype)
+							  TNC_VendorID msg_vid,
+							  TNC_MessageSubtype msg_subtype)
 {
 	pb_tnc_msg_t *pb_tnc_msg;
-	pb_tnc_batch_type_t batch_type;
 	enum_name_t *pa_subtype_names;
 	bool excl;
 
-	if (!this->send_msg)
+	if (!this->tnccs_handler->get_send_flag(this->tnccs_handler))
 	{
 		DBG1(DBG_TNC, "%s %u not allowed to call SendMessage()",
-			this->is_server ? "IMV" : "IMC",
-			this->is_server ? imv_id : imc_id);
+					   this->to_server ? "IMC" : "IMV",
+					   this->to_server ? imc_id : imv_id);
+
 		return TNC_RESULT_ILLEGAL_OPERATION;
 	}
 	excl = (msg_flags & TNC_MESSAGE_FLAGS_EXCLUSIVE) != 0;
@@ -220,698 +163,169 @@ METHOD(tnccs_t, send_msg, TNC_Result,
 		DBG2(DBG_TNC, "creating PB-PA message type '%N' 0x%06x/0x%08x",
 					   pen_names, msg_vid, msg_vid, msg_subtype);
 	}
+	this->tnccs_handler->add_msg(this->tnccs_handler, pb_tnc_msg);
 
-	/* adding PA message to SDATA or CDATA batch only */
-	batch_type = this->is_server ? PB_BATCH_SDATA : PB_BATCH_CDATA;
-	this->mutex->lock(this->mutex);
-	if (this->batch_type == PB_BATCH_NONE)
-	{
-		this->batch_type = batch_type;
-	}
-	if (this->batch_type == batch_type)
-	{
-		this->messages->insert_last(this->messages, pb_tnc_msg);
-	}
-	else
-	{
-		pb_tnc_msg->destroy(pb_tnc_msg);
-	}
-	this->mutex->unlock(this->mutex);
 	return TNC_RESULT_SUCCESS;
 }
 
-/**
- * Handle a single PB-TNC IETF standard message according to its type
- */
-static void handle_ietf_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
-{
-	pen_type_t msg_type = msg->get_type(msg);
-
-	switch (msg_type.type)
-	{
-		case PB_MSG_EXPERIMENTAL:
-			/* nothing to do */
-			break;
-		case PB_MSG_PA:
-		{
-			pb_pa_msg_t *pa_msg;
-			pen_type_t msg_subtype;
-			u_int16_t imc_id, imv_id;
-			chunk_t msg_body;
-			bool excl;
-			enum_name_t *pa_subtype_names;
-
-			pa_msg = (pb_pa_msg_t*)msg;
-			msg_subtype = pa_msg->get_subtype(pa_msg);
-			msg_body = pa_msg->get_body(pa_msg);
-			imc_id = pa_msg->get_collector_id(pa_msg);
-			imv_id = pa_msg->get_validator_id(pa_msg);
-			excl = pa_msg->get_exclusive_flag(pa_msg);
-
-			pa_subtype_names = get_pa_subtype_names(msg_subtype.vendor_id);
-			if (pa_subtype_names)
-			{
-				DBG2(DBG_TNC, "handling PB-PA message type '%N/%N' 0x%06x/0x%08x",
-					 pen_names, msg_subtype.vendor_id, pa_subtype_names,
-					 msg_subtype.type, msg_subtype.vendor_id, msg_subtype.type);
-			}
-			else
-			{
-				DBG2(DBG_TNC, "handling PB-PA message type '%N' 0x%06x/0x%08x",
-					 pen_names, msg_subtype.vendor_id, msg_subtype.vendor_id,
-					 msg_subtype.type);
-			}
-
-			this->send_msg = TRUE;
-			if (this->is_server)
-			{
-				tnc->imvs->receive_message(tnc->imvs, this->connection_id,
-										   excl, msg_body.ptr, msg_body.len,
-										   msg_subtype.vendor_id,
-										   msg_subtype.type, imc_id, imv_id);
-			}
-			else
-			{
-				tnc->imcs->receive_message(tnc->imcs, this->connection_id,
-										   excl, msg_body.ptr, msg_body.len,
-										   msg_subtype.vendor_id,
-										   msg_subtype.type, imv_id, imc_id);
-			}
-			this->send_msg = FALSE;
-			break;
-		}
-		case PB_MSG_ASSESSMENT_RESULT:
-		{
-			pb_assessment_result_msg_t *assess_msg;
-			u_int32_t result;
-
-			assess_msg = (pb_assessment_result_msg_t*)msg;
-			result = assess_msg->get_assessment_result(assess_msg);
-			DBG1(DBG_TNC, "PB-TNC assessment result is '%N'",
-				 TNC_IMV_Evaluation_Result_names, result);
-			break;
-		}
-		case PB_MSG_ACCESS_RECOMMENDATION:
-		{
-			pb_access_recommendation_msg_t *rec_msg;
-			pb_access_recommendation_code_t rec;
-			TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
-
-			rec_msg = (pb_access_recommendation_msg_t*)msg;
-			rec = rec_msg->get_access_recommendation(rec_msg);
-			DBG1(DBG_TNC, "PB-TNC access recommendation is '%N'",
-						   pb_access_recommendation_code_names, rec);
-			switch (rec)
-			{
-				case PB_REC_ACCESS_ALLOWED:
-					state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
-					break;
-				case PB_REC_ACCESS_DENIED:
-					state = TNC_CONNECTION_STATE_ACCESS_NONE;
-					break;
-				case PB_REC_QUARANTINED:
-					state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
-			}
-			tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
-												state);
-			break;
-		}
-		case PB_MSG_REMEDIATION_PARAMETERS:
-		{
-			pb_remediation_parameters_msg_t *rem_msg;
-			pen_type_t parameters_type;
-			chunk_t parameters, string, lang_code;
-
-			rem_msg = (pb_remediation_parameters_msg_t*)msg;
-			parameters_type = rem_msg->get_parameters_type(rem_msg);
-			parameters = rem_msg->get_parameters(rem_msg);
-
-			if (parameters_type.vendor_id == PEN_IETF)
-			{
-				switch (parameters_type.type)
-				{
-					case PB_REMEDIATION_URI:
-						DBG1(DBG_TNC, "remediation uri: %.*s",
-									   parameters.len, parameters.ptr);
-						break;
-					case PB_REMEDIATION_STRING:
-						string = rem_msg->get_string(rem_msg, &lang_code);
-						DBG1(DBG_TNC, "remediation string: [%.*s]\n%.*s",
-									   lang_code.len, lang_code.ptr,
-									   string.len, string.ptr);
-						break;
-					default:
-						DBG1(DBG_TNC, "remediation parameters: %B", &parameters);
-				}
-			}
-			else
-			{
-				DBG1(DBG_TNC, "remediation parameters: %B", &parameters);
-			}
-			break;
-		}
-		case PB_MSG_ERROR:
-		{
-			pb_error_msg_t *err_msg;
-			bool fatal;
-			u_int32_t vendor_id;
-			u_int16_t error_code;
-
-			err_msg = (pb_error_msg_t*)msg;
-			fatal = err_msg->get_fatal_flag(err_msg);
-			vendor_id = err_msg->get_vendor_id(err_msg);
-			error_code = err_msg->get_error_code(err_msg);
-
-			if (fatal)
-			{
-				this->fatal_error = TRUE;
-			}
-
-			if (vendor_id == PEN_IETF)
-			{
-				switch (error_code)
-				{
-					case PB_ERROR_INVALID_PARAMETER:
-					case PB_ERROR_UNSUPPORTED_MANDATORY_MSG:
-						DBG1(DBG_TNC, "received %s PB-TNC error '%N' "
-									  "(offset %u bytes)",
-									  fatal ? "fatal" : "non-fatal",
-									  pb_tnc_error_code_names, error_code,
-									  err_msg->get_offset(err_msg));
-						break;
-					case PB_ERROR_VERSION_NOT_SUPPORTED:
-						DBG1(DBG_TNC, "received %s PB-TNC error '%N' "
-									  "caused by bad version 0x%02x",
-									  fatal ? "fatal" : "non-fatal",
-									  pb_tnc_error_code_names, error_code,
-									  err_msg->get_bad_version(err_msg));
-						break;
-					case PB_ERROR_UNEXPECTED_BATCH_TYPE:
-					case PB_ERROR_LOCAL_ERROR:
-					default:
-						DBG1(DBG_TNC, "received %s PB-TNC error '%N'",
-									  fatal ? "fatal" : "non-fatal",
-									  pb_tnc_error_code_names, error_code);
-						break;
-				}
-			}
-			else
-			{
-				DBG1(DBG_TNC, "received %s PB-TNC error (%u) "
-							  "with Vendor ID 0x%06x",
-							  fatal ? "fatal" : "non-fatal",
-							  error_code, vendor_id);
-			}
-			break;
-		}
-		case PB_MSG_LANGUAGE_PREFERENCE:
-		{
-			pb_language_preference_msg_t *lang_msg;
-			chunk_t lang;
-
-			lang_msg = (pb_language_preference_msg_t*)msg;
-			lang = lang_msg->get_language_preference(lang_msg);
-
-			if (this->recs)
-			{
-				DBG2(DBG_TNC, "setting language preference to '%.*s'",
-					 (int)lang.len, lang.ptr);
-				this->recs->set_preferred_language(this->recs, lang);
-			}
-			break;
-		}
-		case PB_MSG_REASON_STRING:
-		{
-			pb_reason_string_msg_t *reason_msg;
-			chunk_t reason_string, language_code;
-
-			reason_msg = (pb_reason_string_msg_t*)msg;
-			reason_string = reason_msg->get_reason_string(reason_msg);
-			language_code = reason_msg->get_language_code(reason_msg);
-			DBG1(DBG_TNC, "reason string is '%.*s' [%.*s]",
-				 (int)reason_string.len, reason_string.ptr,
-				 (int)language_code.len, language_code.ptr);
-			break;
-		}
-		default:
-			break;
-	}
-}
-
-/**
- * Handle a single PB-TNC TCG standard message according to its type
- */
-static void handle_tcg_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
-{
-	pen_type_t msg_type = msg->get_type(msg);
-
-	switch (msg_type.type)
-	{
-		case PB_TCG_MSG_PDP_REFERRAL:
-		{
-			pb_pdp_referral_msg_t *pdp_msg;
-			pen_type_t pdp_id_type;
-			u_int8_t pdp_protocol;
-
-			pdp_msg = (pb_pdp_referral_msg_t*)msg;
-			pdp_id_type = pdp_msg->get_identifier_type(pdp_msg);
-
-			if (pdp_id_type.vendor_id == PEN_TCG &&
-				pdp_id_type.type == PB_PDP_ID_FQDN)
-			{
-				this->pdp_server = chunk_clone(pdp_msg->get_fqdn(pdp_msg,
-										 &pdp_protocol, &this->pdp_port));
-				if (pdp_protocol != 0)
-				{
-					DBG1(DBG_TNC, "unsupported PDP transport protocol");
-					break;
-				}
-				DBG1(DBG_TNC, "PDP server '%.*s' is listening on port %u",
-							   this->pdp_server.len, this->pdp_server.ptr,
-							   this->pdp_port);
-			}
-			break;
-		}
-		default:
-			break;
-	}
-}
-
-/**
- * Handle a single PB-TNC message according to its type
- */
-static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
-{
-	pen_type_t msg_type = msg->get_type(msg);
-
-	switch (msg_type.vendor_id)
-	{
-		case PEN_IETF:
-			handle_ietf_message(this, msg);
-			break;
-		case PEN_TCG:
-			handle_tcg_message(this, msg);
-			break;
-		default:
-			break;
-	}
-}
-
-/**
- *  Build a CRETRY or SRETRY batch
- */
-static void build_retry_batch(private_tnccs_20_t *this)
-{
-	pb_tnc_batch_type_t batch_retry_type;
-
-	batch_retry_type = this->is_server ? PB_BATCH_SRETRY : PB_BATCH_CRETRY;
-	if (this->batch_type == batch_retry_type)
-	{
-		/* retry batch has already been selected */
-		return;
-	}
-
-	change_batch_type(this, batch_retry_type);
-
-	if (this->is_server)
-	{
-		this->recs->clear_recommendation(this->recs);
-		tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
-											TNC_CONNECTION_STATE_HANDSHAKE);
-	}
-}
-
 METHOD(tls_t, process, status_t,
 	private_tnccs_20_t *this, void *buf, size_t buflen)
 {
-	chunk_t data;
 	pb_tnc_batch_t *batch;
-	pb_tnc_msg_t *msg;
-	enumerator_t *enumerator;
-	identification_t *pdp_server;
-	u_int16_t *pdp_port;
+	bool from_server, fatal_header_error = FALSE;
 	status_t status;
+	chunk_t data;
 
-	if (this->is_server && !this->connection_id)
+	/* On arrival of first batch from TNC client create TNC server */
+	if (this->is_server && !this->tnc_server)
 	{
-		this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
-									TNCCS_2_0, (tnccs_t*)this, _send_msg,
-									&this->request_handshake_retry,
-									this->max_msg_len, &this->recs);
-		if (!this->connection_id)
+		this->tnc_server = tnccs_20_server_create(&this->public, _send_msg,
+									this->max_batch_len, this->max_msg_len,
+									this->eap_transport);
+		if (!this->tnc_server)
 		{
 			return FAILED;
 		}
-		tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
-											TNC_CONNECTION_STATE_CREATE);
-		tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
-											TNC_CONNECTION_STATE_HANDSHAKE);
-
-		/* Send a PB-TNC TCG PDP Referral message if PDP is known */
-		pdp_server = (identification_t*)lib->get(lib, "pt-tls-server");
-		pdp_port = (u_int16_t*)lib->get(lib, "pt-tls-port");
-
-		if ((this->transport ==	TNC_IFT_EAP_1_1 ||
-			 this->transport == TNC_IFT_EAP_2_0) &&	pdp_server && pdp_port)
-		{
-			msg = pb_pdp_referral_msg_create_from_fqdn(
-						pdp_server->get_encoding(pdp_server), *pdp_port);
-			this->messages->insert_last(this->messages, msg);
-		}
-
+		this->tnccs_handler = this->tnc_server;
+		this->tnccs_handler->begin_handshake(this->tnccs_handler, FALSE);
 	}
 
 	data = chunk_create(buf, buflen);
-	DBG1(DBG_TNC, "received TNCCS batch (%u bytes) for Connection ID %u",
-				   data.len, this->connection_id);
+	DBG1(DBG_TNC, "received TNCCS batch (%u bytes)", data.len);
 	DBG3(DBG_TNC, "%B", &data);
-	batch = pb_tnc_batch_create_from_data(this->is_server, data);
-	status = batch->process(batch, this->state_machine);
 
-	if (status != FAILED)
+	/* Parse the header of the received PB-TNC batch */
+	batch = pb_tnc_batch_create_from_data(data);
+	status = batch->process_header(batch, !this->mutual, this->is_server,
+								   &from_server);
+	if (status == FAILED)
 	{
-		enumerator_t *enumerator;
-		pb_tnc_msg_t *msg;
-		pb_tnc_batch_type_t batch_type;
-		bool empty = TRUE;
-
-		batch_type = batch->get_type(batch);
-
-		if (batch_type == PB_BATCH_CRETRY)
-		{
-			/* Send an SRETRY batch in response */
-			this->mutex->lock(this->mutex);
-			build_retry_batch(this);
-			this->mutex->unlock(this->mutex);
-		}
-		else if (batch_type == PB_BATCH_SRETRY)
-		{
-			/* Restart the measurements */
-			tnc->imcs->notify_connection_change(tnc->imcs,
-			this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
-			this->send_msg = TRUE;
-			tnc->imcs->begin_handshake(tnc->imcs, this->connection_id);
-			this->send_msg = FALSE;
-		}
-
-		enumerator = batch->create_msg_enumerator(batch);
-		while (enumerator->enumerate(enumerator, &msg))
-		{
-			handle_message(this, msg);
-			empty = FALSE;
-		}
-		enumerator->destroy(enumerator);
+		fatal_header_error = TRUE;
+		status = VERIFY_ERROR;
+	}
+	this->to_server = this->mutual ? from_server : !this->is_server;
 
-		/* received an empty CLOSE batch from PB-TNC client */
-		if (this->is_server && batch_type == PB_BATCH_CLOSE && empty)
+	/* In the mutual case, first batch from TNC server requires a TNC client */
+	if (this->to_server && !this->tnc_client)
+	{
+		this->tnc_client = tnccs_20_client_create(&this->public, _send_msg,
+									this->max_batch_len, this->max_msg_len);
+		if (!this->tnc_client)
 		{
 			batch->destroy(batch);
-			if (this->fatal_error)
-			{
-				DBG1(DBG_TNC, "a fatal PB-TNC error occurred, "
-							  "terminating connection");
-				return FAILED;
-			}
-			else
-			{
-				return SUCCESS;
-			}
-		}
-
-		this->send_msg = TRUE;
-		if (this->is_server)
-		{
-			tnc->imvs->batch_ending(tnc->imvs, this->connection_id);
-		}
-		else
-		{
-			tnc->imcs->batch_ending(tnc->imcs, this->connection_id);
+			return FAILED;
 		}
-		this->send_msg = FALSE;
+		this->tnccs_handler = this->tnc_client;
+		this->tnccs_handler->begin_handshake(this->tnccs_handler, this->mutual);
 	}
+	else
+	{
+		/* Set active TNCCS handler for processing */
+		this->tnccs_handler = this->to_server ? this->tnc_client :
+												this->tnc_server;
+	}
+	DBG2(DBG_TNC, "TNC %s is handling inbound connection",
+				   this->to_server ? "client" : "server");
 
-	switch (status)
+	if (status == SUCCESS)
 	{
-		case FAILED:
-			this->fatal_error = TRUE;
-			this->mutex->lock(this->mutex);
-			change_batch_type(this, PB_BATCH_CLOSE);
-			this->mutex->unlock(this->mutex);
-			/* fall through to add error messages to outbound batch */
-		case VERIFY_ERROR:
-			enumerator = batch->create_error_enumerator(batch);
-			while (enumerator->enumerate(enumerator, &msg))
-			{
-				this->mutex->lock(this->mutex);
-				this->messages->insert_last(this->messages, msg->get_ref(msg));
-				this->mutex->unlock(this->mutex);
-			}
-			enumerator->destroy(enumerator);
-			break;
-		case SUCCESS:
-		default:
-			break;
+		status = this->tnccs_handler->process(this->tnccs_handler, batch);
+	}
+	if (status == VERIFY_ERROR)
+	{
+		this->tnccs_handler->handle_errors(this->tnccs_handler, batch,
+										   fatal_header_error);
+		status = NEED_MORE;
 	}
 	batch->destroy(batch);
 
-	return NEED_MORE;
-}
+	/* Has a mutual connection been established? */
+	this->mutual = this->is_server ?
+				   this->tnc_server->get_mutual(this->tnc_server) :
+				   this->tnc_client->get_mutual(this->tnc_client);
 
-/**
- *  Build a RESULT batch if a final recommendation is available
- */
-static void check_and_build_recommendation(private_tnccs_20_t *this)
-{
-	TNC_IMV_Action_Recommendation rec;
-	TNC_IMV_Evaluation_Result eval;
-	TNC_ConnectionState state;
-	TNC_IMVID id;
-	chunk_t reason, language;
-	enumerator_t *enumerator;
-	pb_tnc_msg_t *msg;
-	pb_access_recommendation_code_t pb_rec;
-
-	if (!this->recs->have_recommendation(this->recs, &rec, &eval))
-	{
-		tnc->imvs->solicit_recommendation(tnc->imvs, this->connection_id);
-	}
-	if (this->recs->have_recommendation(this->recs, &rec, &eval))
+	if (this->mutual && !this->is_server)
 	{
-		this->batch_type = PB_BATCH_RESULT;
+		pb_tnc_state_t client_state, server_state;
 
-		msg = pb_assessment_result_msg_create(eval);
-		this->messages->insert_last(this->messages, msg);
+		client_state = !this->tnc_client ? PB_STATE_INIT :
+						this->tnc_client->get_state(this->tnc_client);
+		server_state = !this->tnc_server ? PB_STATE_INIT :
+						this->tnc_server->get_state(this->tnc_server);
 
-		/**
-		 * Map IMV Action Recommendation codes to PB Access Recommendation codes
-		 * and communicate Access Recommendation to IMVs
-		 */
-		switch (rec)
+		/* In half-duplex mutual mode toggle the direction on the client side */
+		if ((!this->to_server && client_state != PB_STATE_DECIDED) ||
+			( this->to_server && server_state != PB_STATE_END))
 		{
-			case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
-				state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
-				pb_rec = PB_REC_ACCESS_ALLOWED;
-				break;
-			case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
-				state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
-				pb_rec = PB_REC_QUARANTINED;
-				break;
-			case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
-			case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
-			default:
-				state = TNC_CONNECTION_STATE_ACCESS_NONE;
-				pb_rec = PB_REC_ACCESS_DENIED;
+			this->to_server = !this->to_server;
+		}
+		else if (client_state == PB_STATE_DECIDED &&
+				 server_state == PB_STATE_END)
+		{
+			/* Cause the final CLOSE batch to be sent to the TNC server */
+			this->to_server = TRUE;
 		}
-		tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
-											state);
-
-		msg = pb_access_recommendation_msg_create(pb_rec);
-		this->messages->insert_last(this->messages, msg);
 
-		enumerator = this->recs->create_reason_enumerator(this->recs);
-		while (enumerator->enumerate(enumerator, &id, &reason, &language))
+		/* Suppress a successful CLOSE batch coming from the TNC server */
+		if (status == SUCCESS)
 		{
-			msg = pb_reason_string_msg_create(reason, language);
-			this->messages->insert_last(this->messages, msg);
+			status = NEED_MORE;
 		}
-		enumerator->destroy(enumerator);
 	}
+
+	return status;
 }
 
 METHOD(tls_t, build, status_t,
 	private_tnccs_20_t *this, void *buf, size_t *buflen, size_t *msglen)
 {
-	status_t status;
-	pb_tnc_state_t state;
-
-	/* Initialize the connection */
-	if (!this->is_server && !this->connection_id)
-	{
-		pb_tnc_msg_t *msg;
-		char *pref_lang;
-
-		this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
-										TNCCS_2_0, (tnccs_t*)this, _send_msg,
-										&this->request_handshake_retry,
-										this->max_msg_len, NULL);
-		if (!this->connection_id)
-		{
-			return FAILED;
-		}
-
-		/* Create PB-TNC Language Preference message */
-		pref_lang = tnc->imcs->get_preferred_language(tnc->imcs);
-		msg = pb_language_preference_msg_create(chunk_create(pref_lang,
-													strlen(pref_lang)));
-		this->mutex->lock(this->mutex);
-		this->batch_type = PB_BATCH_CDATA;
-		this->messages->insert_last(this->messages, msg);
-		this->mutex->unlock(this->mutex);
-
-		tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
-											TNC_CONNECTION_STATE_CREATE);
-		tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
-											TNC_CONNECTION_STATE_HANDSHAKE);
-		this->send_msg = TRUE;
-		tnc->imcs->begin_handshake(tnc->imcs, this->connection_id);
-		this->send_msg = FALSE;
-	}
-
-	state = this->state_machine->get_state(this->state_machine);
-
-	if (this->fatal_error && state == PB_STATE_END)
-	{
-		DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection");
-		return FAILED;
-	}
-
-	/* Do not allow any asynchronous IMCs or IMVs to add additional messages */
-	this->mutex->lock(this->mutex);
-
-	if (this->request_handshake_retry)
-	{
-		if (state != PB_STATE_INIT)
-		{
-			build_retry_batch(this);
-		}
-
-		/* Reset the flag for the next handshake retry request */
-		this->request_handshake_retry = FALSE;
-	}
-
-	if (this->is_server &&  state == PB_STATE_SERVER_WORKING &&
-		this->recs->have_recommendation(this->recs, NULL, NULL))
+	if (this->to_server)
 	{
-		check_and_build_recommendation(this);
-	}
+		DBG2(DBG_TNC, "TNC client is handling outbound connection");
 
-	if (this->batch_type == PB_BATCH_NONE)
-	{
-		if (this->is_server)
+		/* Before sending the first PB-TNC batch create TNC client */
+		if (this->tnc_client)
 		{
-			if (state == PB_STATE_SERVER_WORKING)
-			{
-				if (this->state_machine->get_empty_cdata(this->state_machine))
-				{
-					check_and_build_recommendation(this);
-				}
-				else
-				{
-					DBG2(DBG_TNC, "no recommendation available yet, "
-								  "sending empty PB-TNC SDATA batch");
-					this->batch_type = PB_BATCH_SDATA;
-				}
-			}
+			this->tnccs_handler = this->tnc_client;
 		}
 		else
 		{
-			switch (state)
+			this->tnc_client = tnccs_20_client_create(&this->public, _send_msg,
+													  this->max_batch_len,
+													  this->max_msg_len);
+			if (!this->tnc_client)
 			{
-				case PB_STATE_CLIENT_WORKING:
-					DBG2(DBG_TNC, "no client data to send, "
-								  "sending empty PB-TNC CDATA batch");
-					this->batch_type = PB_BATCH_CDATA;
-					break;
-				case PB_STATE_DECIDED:
-					/**
-					 * In the DECIDED state and if no CRETRY is under way,
-					 * a PB-TNC client replies with an empty CLOSE batch.
-					 */
-					this->batch_type = PB_BATCH_CLOSE;
-					break;
-				default:
-					break;
+				return FAILED;
 			}
+			this->tnccs_handler = this->tnc_client;
+			this->tnccs_handler->begin_handshake(this->tnccs_handler,
+												 this->mutual);
 		}
 	}
-
-	if (this->batch_type != PB_BATCH_NONE)
+	else
 	{
-		pb_tnc_batch_t *batch;
-		pb_tnc_msg_t *msg;
-		chunk_t data;
-		int msg_count;
-		enumerator_t *enumerator;
+		DBG2(DBG_TNC, "TNC server is handling outbound connection");
 
-		if (this->state_machine->send_batch(this->state_machine, this->batch_type))
+		/* Before sending the first PB-TNC batch create TNC server */
+		if (this->tnc_server)
 		{
-			batch = pb_tnc_batch_create(this->is_server, this->batch_type,
-										min(this->max_batch_len, *buflen));
-
-			enumerator = this->messages->create_enumerator(this->messages);
-			while (enumerator->enumerate(enumerator, &msg))
-			{
-				if (batch->add_msg(batch, msg))
-				{
-					this->messages->remove_at(this->messages, enumerator);
-				}
-				else
-				{
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-
-			batch->build(batch);
-			data = batch->get_encoding(batch);
-			DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u",
-						   pb_tnc_batch_type_names, this->batch_type, data.len,
-						   this->connection_id);
-			DBG3(DBG_TNC, "%B", &data);
-
-			*buflen = data.len;
-			*msglen = 0;
-			memcpy(buf, data.ptr, *buflen);
-			batch->destroy(batch);
-
-			msg_count = this->messages->get_count(this->messages);
-			if (msg_count)
-			{
-				DBG2(DBG_TNC, "queued %d PB-TNC message%s for next %N batch",
-					 msg_count, (msg_count == 1) ? "" : "s",
-					 pb_tnc_batch_type_names, this->batch_type);
-			}
-			else
-			{
-				this->batch_type = PB_BATCH_NONE;
-			}
-
-			status = ALREADY_DONE;
+			this->tnccs_handler = this->tnc_server;
 		}
 		else
 		{
-			change_batch_type(this, PB_BATCH_NONE);
-			status = INVALID_STATE;
+			this->tnc_server = tnccs_20_server_create(&this->public, _send_msg,
+										this->max_batch_len, this->max_msg_len,
+										this->eap_transport);
+			if (!this->tnc_server)
+			{
+				return FAILED;
+			}
+			this->tnccs_handler = this->tnc_server;
+			this->tnccs_handler->begin_handshake(this->tnccs_handler,
+												 this->mutual);
 		}
 	}
-	else
-	{
-		DBG1(DBG_TNC, "no PB-TNC batch to send");
-		status = INVALID_STATE;
-	}
-	this->mutex->unlock(this->mutex);
-
-	return status;
+	return this->tnccs_handler->build(this->tnccs_handler, buf, buflen, msglen);
 }
 
 METHOD(tls_t, is_server, bool,
@@ -923,20 +337,20 @@ METHOD(tls_t, is_server, bool,
 METHOD(tls_t, get_server_id, identification_t*,
 	private_tnccs_20_t *this)
 {
-	return this->server;
+	return this->server_id;
 }
 
 METHOD(tls_t, set_peer_id, void,
 	private_tnccs_20_t *this, identification_t *id)
 {
-	DESTROY_IF(this->peer);
-	this->peer = id->clone(id);
+	DESTROY_IF(this->peer_id);
+	this->peer_id = id->clone(id);
 }
 
 METHOD(tls_t, get_peer_id, identification_t*,
 	private_tnccs_20_t *this)
 {
-	return this->peer;
+	return this->peer_id;
 }
 
 METHOD(tls_t, get_purpose, tls_purpose_t,
@@ -951,14 +365,17 @@ METHOD(tls_t, is_complete, bool,
 	TNC_IMV_Action_Recommendation rec;
 	TNC_IMV_Evaluation_Result eval;
 
-	if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
+	if (this->tnc_server)
 	{
-		return this->callback ? this->callback(rec, eval) : TRUE;
-	}
-	else
-	{
-		return FALSE;
+		tnccs_20_server_t *tnc_server;
+
+		tnc_server = (tnccs_20_server_t*)this->tnc_server;
+		if (tnc_server->have_recommendation(tnc_server, &rec, &eval))
+		{
+			return this->callback ? this->callback(rec, eval) : TRUE;
+		}
 	}
+	return FALSE;
 }
 
 METHOD(tls_t, get_eap_msk, chunk_t,
@@ -972,19 +389,28 @@ METHOD(tls_t, destroy, void,
 {
 	if (ref_put(&this->ref))
 	{
-		tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id,
-												  this->is_server);
-		this->server->destroy(this->server);
-		this->peer->destroy(this->peer);
-		this->state_machine->destroy(this->state_machine);
-		this->mutex->destroy(this->mutex);
-		this->messages->destroy_offset(this->messages,
-									   offsetof(pb_tnc_msg_t, destroy));
-		free(this->pdp_server.ptr);
+		DESTROY_IF(this->tnc_server);
+		DESTROY_IF(this->tnc_client);
+		this->server_id->destroy(this->server_id);
+		this->peer_id->destroy(this->peer_id);
+		this->server_ip->destroy(this->server_ip);
+		this->peer_ip->destroy(this->peer_ip);
 		free(this);
 	}
 }
 
+METHOD(tnccs_t, get_server_ip, host_t*,
+	private_tnccs_20_t *this)
+{
+	return this->server_ip;
+}
+
+METHOD(tnccs_t, get_peer_ip, host_t*,
+	private_tnccs_20_t *this)
+{
+	return this->peer_ip;
+}
+
 METHOD(tnccs_t, get_transport, tnc_ift_type_t,
 	private_tnccs_20_t *this)
 {
@@ -1012,9 +438,19 @@ METHOD(tnccs_t, set_auth_type, void,
 METHOD(tnccs_t, get_pdp_server, chunk_t,
 	private_tnccs_20_t *this, u_int16_t *port)
 {
-	*port = this->pdp_port;
+	if (this->tnc_client)
+	{
+		tnccs_20_client_t *tnc_client;
+
+		tnc_client = (tnccs_20_client_t*)this->tnc_client;
 
-	return this->pdp_server;
+		return tnc_client->get_pdp_server(tnc_client, port);
+	}
+	else
+	{
+		*port = 0;
+		return chunk_empty;
+	}
 }
 
 METHOD(tnccs_t, get_ref, tnccs_t*,
@@ -1027,9 +463,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*,
 /**
  * See header
  */
-tnccs_t* tnccs_20_create(bool is_server,
-						 identification_t *server, identification_t *peer,
-						 tnc_ift_type_t transport, tnccs_cb_t cb)
+tnccs_t* tnccs_20_create(bool is_server, identification_t *server_id,
+						 identification_t *peer_id, host_t *server_ip,
+						 host_t *peer_ip, tnc_ift_type_t transport,
+						 tnccs_cb_t cb)
 {
 	private_tnccs_20_t *this;
 	size_t max_batch_size, default_max_batch_size;
@@ -1079,6 +516,8 @@ tnccs_t* tnccs_20_create(bool is_server,
 				.get_eap_msk = _get_eap_msk,
 				.destroy = _destroy,
 			},
+			.get_server_ip = _get_server_ip,
+			.get_peer_ip = _get_peer_ip,
 			.get_transport = _get_transport,
 			.set_transport = _set_transport,
 			.get_auth_type = _get_auth_type,
@@ -1087,13 +526,15 @@ tnccs_t* tnccs_20_create(bool is_server,
 			.get_ref = _get_ref,
 		},
 		.is_server = is_server,
-		.server = server->clone(server),
-		.peer = peer->clone(peer),
+		.to_server = !is_server,
+		.server_id = server_id->clone(server_id),
+		.peer_id = peer_id->clone(peer_id),
+		.server_ip = server_ip->clone(server_ip),
+		.peer_ip = peer_ip->clone(peer_ip),
 		.transport = transport,
+		.eap_transport = transport == TNC_IFT_EAP_1_1 ||
+						 transport == TNC_IFT_EAP_2_0,
 		.callback = cb,
-		.state_machine = pb_tnc_state_machine_create(is_server),
-		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-		.messages = linked_list_create(),
 		.max_batch_len = max_batch_size,
 		.max_msg_len = max_message_size,
 		.ref = 1,
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.h b/src/libtnccs/plugins/tnccs_20/tnccs_20.h
index 2857b1408..010cbecdc 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20.h
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -29,14 +29,17 @@
  * Create an instance of the TNC IF-TNCCS 2.0 protocol handler.
  *
  * @param is_server		TRUE to act as TNC Server, FALSE for TNC Client
- * @param server		Server identity
- * @param peer			Client identity
+ * @param server_id		Server identity
+ * @param peer_id		Client identity
+ * @param server_ip		Server IP address
+ * @param peer_ip		Client IP address
  * @param transport		Underlying IF-T transport protocol
  * @param cb			Callback function if TNC Server, NULL if TNC Client
  * @return				TNC_IF_TNCCS 2.0 protocol stack
  */
-tnccs_t* tnccs_20_create(bool is_server,
-						 identification_t *server, identification_t *peer,
-						 tnc_ift_type_t transport, tnccs_cb_t cb);
+tnccs_t* tnccs_20_create(bool is_server, identification_t *server_id,
+						 identification_t *peer_id, host_t *server_ip,
+						 host_t *peer_ip, tnc_ift_type_t transport,
+						 tnccs_cb_t cb);
 
 #endif /** TNCCS_20_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c
new file mode 100644
index 000000000..4ba8221d0
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c
@@ -0,0 +1,820 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_20_client.h"
+#include "messages/pb_tnc_msg.h"
+#include "messages/ietf/pb_pa_msg.h"
+#include "messages/ietf/pb_error_msg.h"
+#include "messages/ietf/pb_assessment_result_msg.h"
+#include "messages/ietf/pb_access_recommendation_msg.h"
+#include "messages/ietf/pb_remediation_parameters_msg.h"
+#include "messages/ietf/pb_reason_string_msg.h"
+#include "messages/ietf/pb_language_preference_msg.h"
+#include "messages/ita/pb_mutual_capability_msg.h"
+#include "messages/ita/pb_noskip_test_msg.h"
+#include "messages/tcg/pb_pdp_referral_msg.h"
+#include "state_machine/pb_tnc_state_machine.h"
+
+#include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
+
+#include <tnc/tnc.h>
+#include <tnc/tnccs/tnccs_manager.h>
+#include <tnc/imc/imc_manager.h>
+
+#include <threading/mutex.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+#include <pen/pen.h>
+
+typedef struct private_tnccs_20_client_t private_tnccs_20_client_t;
+
+/**
+ * Private data of a tnccs_20_client_t object.
+ */
+struct private_tnccs_20_client_t {
+
+	/**
+	 * Public tnccs_20_client_t interface.
+	 */
+	tnccs_20_client_t public;
+
+	/**
+	 * PB-TNC State Machine
+	 */
+	pb_tnc_state_machine_t *state_machine;
+
+	/**
+	 * Connection ID assigned to this TNCCS connection
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * PB-TNC messages to be sent
+	 */
+	linked_list_t *messages;
+
+	/**
+	 * Type of PB-TNC batch being constructed
+	 */
+	pb_tnc_batch_type_t batch_type;
+
+	/**
+	 * Maximum PB-TNC batch size
+	 */
+	size_t max_batch_len;
+
+	/**
+	 * Mutex locking the batch in construction
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Flag set while processing
+	 */
+	bool fatal_error;
+
+	/**
+	 * Flag set by IMC RequestHandshakeRetry() function
+	 */
+	bool request_handshake_retry;
+
+	/**
+	  * SendMessage() by IMC only allowed if flag is set
+	  */
+	bool send_msg;
+
+	/**
+	 * PDP server FQDN
+	 */
+	chunk_t pdp_server;
+
+	/**
+	 * PDP server port
+	 */
+	u_int16_t pdp_port;
+
+	/**
+	 * Mutual PB-TNC protocol enabled
+	 */
+	bool mutual;
+
+	/**
+	 * Mutual Capability message sent
+	 */
+	bool sent_mutual_capability;
+
+};
+
+/**
+ * The following two functions are shared with the tnccs_20_server class
+ */
+void tnccs_20_handle_ietf_error_msg(pb_tnc_msg_t *msg, bool *fatal_error)
+{
+	pb_error_msg_t *err_msg;
+	u_int32_t vendor_id;
+	u_int16_t error_code;
+	bool fatal;
+
+	err_msg = (pb_error_msg_t*)msg;
+	fatal = err_msg->get_fatal_flag(err_msg);
+	vendor_id = err_msg->get_vendor_id(err_msg);
+	error_code = err_msg->get_error_code(err_msg);
+
+	if (fatal)
+	{
+		*fatal_error = TRUE;
+	}
+
+	if (vendor_id == PEN_IETF)
+	{
+		switch (error_code)
+		{
+			case PB_ERROR_INVALID_PARAMETER:
+			case PB_ERROR_UNSUPPORTED_MANDATORY_MSG:
+				DBG1(DBG_TNC, "received %s PB-TNC error '%N' (offset %u bytes)",
+							  fatal ? "fatal" : "non-fatal",
+							  pb_tnc_error_code_names, error_code,
+							  err_msg->get_offset(err_msg));
+				break;
+			case PB_ERROR_VERSION_NOT_SUPPORTED:
+				DBG1(DBG_TNC, "received %s PB-TNC error '%N' "
+							  "caused by bad version 0x%02x",
+							  fatal ? "fatal" : "non-fatal",
+							  pb_tnc_error_code_names, error_code,
+							  err_msg->get_bad_version(err_msg));
+				break;
+			case PB_ERROR_UNEXPECTED_BATCH_TYPE:
+			case PB_ERROR_LOCAL_ERROR:
+			default:
+				DBG1(DBG_TNC, "received %s PB-TNC error '%N'",
+							  fatal ? "fatal" : "non-fatal",
+							  pb_tnc_error_code_names, error_code);
+				break;
+		}
+	}
+	else
+	{
+		DBG1(DBG_TNC, "received %s PB-TNC error (%u) with Vendor ID 0x%06x",
+					  fatal ? "fatal" : "non-fatal", error_code, vendor_id);
+	}
+}
+
+bool tnccs_20_handle_ita_mutual_capability_msg(pb_tnc_msg_t *msg)
+{
+	pb_mutual_capability_msg_t *mutual_msg;
+	uint32_t protocols;
+
+	if (!lib->settings->get_bool(lib->settings,
+				"%s.plugins.tnccs-20.mutual", FALSE, lib->ns))
+	{
+		/* PB-TNC mutual capability disabled, ignore message */
+		return FALSE;
+	}
+
+	mutual_msg = (pb_mutual_capability_msg_t*)msg;
+	protocols = mutual_msg->get_protocols(mutual_msg);
+
+	if (protocols & PB_MUTUAL_HALF_DUPLEX)
+	{
+		DBG1(DBG_TNC, "activating mutual PB-TNC %N protocol",
+			 pb_tnc_mutual_protocol_type_names, PB_MUTUAL_HALF_DUPLEX);
+		return TRUE;
+	}
+
+	return FALSE;
+}
+
+/**
+ * If the batch type changes then delete all accumulated PB-TNC messages
+ */
+static void change_batch_type(private_tnccs_20_client_t *this,
+							  pb_tnc_batch_type_t batch_type)
+{
+	pb_tnc_msg_t *msg;
+
+	if (batch_type != this->batch_type)
+	{
+		if (this->batch_type != PB_BATCH_NONE)
+		{
+			DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
+				 pb_tnc_batch_type_names, this->batch_type);
+
+			while (this->messages->remove_last(this->messages,
+											  (void**)&msg) == SUCCESS)
+			{
+				msg->destroy(msg);
+			}
+		}
+		this->batch_type = batch_type;
+	}
+}
+
+/**
+ * Handle a single PB-TNC IETF standard message according to its type
+ */
+static void handle_ietf_message(private_tnccs_20_client_t *this, pb_tnc_msg_t *msg)
+{
+	pen_type_t msg_type = msg->get_type(msg);
+
+	switch (msg_type.type)
+	{
+		case PB_MSG_EXPERIMENTAL:
+			/* nothing to do */
+			break;
+		case PB_MSG_PA:
+		{
+			pb_pa_msg_t *pa_msg;
+			pen_type_t msg_subtype;
+			u_int16_t imc_id, imv_id;
+			chunk_t msg_body;
+			bool excl;
+			enum_name_t *pa_subtype_names;
+
+			pa_msg = (pb_pa_msg_t*)msg;
+			msg_subtype = pa_msg->get_subtype(pa_msg);
+			msg_body = pa_msg->get_body(pa_msg);
+			imc_id = pa_msg->get_collector_id(pa_msg);
+			imv_id = pa_msg->get_validator_id(pa_msg);
+			excl = pa_msg->get_exclusive_flag(pa_msg);
+
+			pa_subtype_names = get_pa_subtype_names(msg_subtype.vendor_id);
+			if (pa_subtype_names)
+			{
+				DBG2(DBG_TNC, "handling PB-PA message type '%N/%N' 0x%06x/0x%08x",
+					 pen_names, msg_subtype.vendor_id, pa_subtype_names,
+					 msg_subtype.type, msg_subtype.vendor_id, msg_subtype.type);
+			}
+			else
+			{
+				DBG2(DBG_TNC, "handling PB-PA message type '%N' 0x%06x/0x%08x",
+					 pen_names, msg_subtype.vendor_id, msg_subtype.vendor_id,
+					 msg_subtype.type);
+			}
+			this->send_msg = TRUE;
+			tnc->imcs->receive_message(tnc->imcs, this->connection_id,
+									   excl, msg_body.ptr, msg_body.len,
+									   msg_subtype.vendor_id,
+									   msg_subtype.type, imv_id, imc_id);
+			this->send_msg = FALSE;
+			break;
+		}
+		case PB_MSG_ASSESSMENT_RESULT:
+		{
+			pb_assessment_result_msg_t *assess_msg;
+			u_int32_t result;
+
+			assess_msg = (pb_assessment_result_msg_t*)msg;
+			result = assess_msg->get_assessment_result(assess_msg);
+			DBG1(DBG_TNC, "PB-TNC assessment result is '%N'",
+				 TNC_IMV_Evaluation_Result_names, result);
+			break;
+		}
+		case PB_MSG_ACCESS_RECOMMENDATION:
+		{
+			pb_access_recommendation_msg_t *rec_msg;
+			pb_access_recommendation_code_t rec;
+			TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
+
+			rec_msg = (pb_access_recommendation_msg_t*)msg;
+			rec = rec_msg->get_access_recommendation(rec_msg);
+			DBG1(DBG_TNC, "PB-TNC access recommendation is '%N'",
+						   pb_access_recommendation_code_names, rec);
+			switch (rec)
+			{
+				case PB_REC_ACCESS_ALLOWED:
+					state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
+					break;
+				case PB_REC_ACCESS_DENIED:
+					state = TNC_CONNECTION_STATE_ACCESS_NONE;
+					break;
+				case PB_REC_QUARANTINED:
+					state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
+			}
+			tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
+												state);
+			break;
+		}
+		case PB_MSG_REMEDIATION_PARAMETERS:
+		{
+			pb_remediation_parameters_msg_t *rem_msg;
+			pen_type_t parameters_type;
+			chunk_t parameters, string, lang_code;
+
+			rem_msg = (pb_remediation_parameters_msg_t*)msg;
+			parameters_type = rem_msg->get_parameters_type(rem_msg);
+			parameters = rem_msg->get_parameters(rem_msg);
+
+			if (parameters_type.vendor_id == PEN_IETF)
+			{
+				switch (parameters_type.type)
+				{
+					case PB_REMEDIATION_URI:
+						DBG1(DBG_TNC, "remediation uri: %.*s",
+									   parameters.len, parameters.ptr);
+						break;
+					case PB_REMEDIATION_STRING:
+						string = rem_msg->get_string(rem_msg, &lang_code);
+						DBG1(DBG_TNC, "remediation string: [%.*s]\n%.*s",
+									   lang_code.len, lang_code.ptr,
+									   string.len, string.ptr);
+						break;
+					default:
+						DBG1(DBG_TNC, "remediation parameters: %B", &parameters);
+				}
+			}
+			else
+			{
+				DBG1(DBG_TNC, "remediation parameters: %B", &parameters);
+			}
+			break;
+		}
+		case PB_MSG_ERROR:
+			tnccs_20_handle_ietf_error_msg(msg, &this->fatal_error);
+			break;
+		case PB_MSG_REASON_STRING:
+		{
+			pb_reason_string_msg_t *reason_msg;
+			chunk_t reason_string, language_code;
+
+			reason_msg = (pb_reason_string_msg_t*)msg;
+			reason_string = reason_msg->get_reason_string(reason_msg);
+			language_code = reason_msg->get_language_code(reason_msg);
+			DBG1(DBG_TNC, "reason string is '%.*s' [%.*s]",
+				 (int)reason_string.len, reason_string.ptr,
+				 (int)language_code.len, language_code.ptr);
+			break;
+		}
+		default:
+			break;
+	}
+}
+
+/**
+ * Handle a single PB-TNC TCG standard message according to its type
+ */
+static void handle_tcg_message(private_tnccs_20_client_t *this, pb_tnc_msg_t *msg)
+{
+	pen_type_t msg_type = msg->get_type(msg);
+
+	switch (msg_type.type)
+	{
+		case PB_TCG_MSG_PDP_REFERRAL:
+		{
+			pb_pdp_referral_msg_t *pdp_msg;
+			pen_type_t pdp_id_type;
+			u_int8_t pdp_protocol;
+
+			pdp_msg = (pb_pdp_referral_msg_t*)msg;
+			pdp_id_type = pdp_msg->get_identifier_type(pdp_msg);
+
+			if (pdp_id_type.vendor_id == PEN_TCG &&
+				pdp_id_type.type == PB_PDP_ID_FQDN)
+			{
+				this->pdp_server = chunk_clone(pdp_msg->get_fqdn(pdp_msg,
+										 &pdp_protocol, &this->pdp_port));
+				if (pdp_protocol != 0)
+				{
+					DBG1(DBG_TNC, "unsupported PDP transport protocol");
+					break;
+				}
+				DBG1(DBG_TNC, "PDP server '%.*s' is listening on port %u",
+							   this->pdp_server.len, this->pdp_server.ptr,
+							   this->pdp_port);
+			}
+			break;
+		}
+		default:
+			break;
+	}
+}
+
+/**
+ * Handle a single PB-TNC ITA standard message according to its type
+ */
+static void handle_ita_message(private_tnccs_20_client_t *this, pb_tnc_msg_t *msg)
+{
+	pen_type_t msg_type = msg->get_type(msg);
+
+	switch (msg_type.type)
+	{
+		case PB_ITA_MSG_MUTUAL_CAPABILITY:
+			this->mutual = tnccs_20_handle_ita_mutual_capability_msg(msg);
+			break;
+		default:
+			break;
+	}
+}
+
+/**
+ * Handle a single PB-TNC message according to its type
+ */
+static void handle_message(private_tnccs_20_client_t *this, pb_tnc_msg_t *msg)
+{
+	pen_type_t msg_type = msg->get_type(msg);
+
+	switch (msg_type.vendor_id)
+	{
+		case PEN_IETF:
+			handle_ietf_message(this, msg);
+			break;
+		case PEN_TCG:
+			handle_tcg_message(this, msg);
+			break;
+		case PEN_ITA:
+			handle_ita_message(this, msg);
+			break;
+		default:
+			break;
+	}
+}
+
+/**
+ *  Build a CRETRY batch
+ */
+static void build_retry_batch(private_tnccs_20_client_t *this)
+{
+	if (this->batch_type == PB_BATCH_CRETRY)
+	{
+		/* retry batch has already been selected */
+		return;
+	}
+	change_batch_type(this, PB_BATCH_CRETRY);
+}
+
+METHOD(tnccs_20_handler_t, process, status_t,
+	private_tnccs_20_client_t *this, pb_tnc_batch_t *batch)
+{
+	pb_tnc_batch_type_t batch_type;
+	status_t status;
+
+	batch_type = batch->get_type(batch);
+
+	DBG1(DBG_TNC, "processing PB-TNC %N batch for Connection ID %d",
+		 pb_tnc_batch_type_names, batch_type, this->connection_id);
+
+	status = batch->process(batch, this->state_machine);
+
+	if (status != FAILED)
+	{
+		enumerator_t *enumerator;
+		pb_tnc_msg_t *msg;
+		bool empty = TRUE;
+
+		if (batch_type == PB_BATCH_SRETRY)
+		{
+			/* Restart the measurements */
+			tnc->imcs->notify_connection_change(tnc->imcs,
+						this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
+			this->send_msg = TRUE;
+			tnc->imcs->begin_handshake(tnc->imcs, this->connection_id);
+			this->send_msg = FALSE;
+		}
+
+		enumerator = batch->create_msg_enumerator(batch);
+		while (enumerator->enumerate(enumerator, &msg))
+		{
+			handle_message(this, msg);
+			empty = FALSE;
+		}
+		enumerator->destroy(enumerator);
+
+		/* received a CLOSE batch from PB-TNC server */
+		if (batch_type == PB_BATCH_CLOSE)
+		{
+			return empty ? SUCCESS : FAILED;
+		}
+
+ 		this->send_msg = TRUE;
+		tnc->imcs->batch_ending(tnc->imcs, this->connection_id);
+		this->send_msg = FALSE;
+	}
+
+	switch (status)
+	{
+		case FAILED:
+			this->fatal_error = TRUE;
+			status = VERIFY_ERROR;
+			break;
+		case VERIFY_ERROR:
+			break;
+		case SUCCESS:
+		default:
+			status = NEED_MORE;
+			break;
+	}
+
+	return status;
+}
+
+METHOD(tnccs_20_handler_t, build, status_t,
+	private_tnccs_20_client_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+	status_t status;
+	pb_tnc_state_t state;
+
+	state = this->state_machine->get_state(this->state_machine);
+
+	if (this->fatal_error && state == PB_STATE_END)
+	{
+		DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection");
+		return FAILED;
+	}
+
+	/* Do not allow any asynchronous IMCs to add additional messages */
+	this->mutex->lock(this->mutex);
+
+	if (this->request_handshake_retry)
+	{
+		if (state != PB_STATE_INIT)
+		{
+			build_retry_batch(this);
+		}
+
+		/* Reset the flag for the next handshake retry request */
+		this->request_handshake_retry = FALSE;
+	}
+
+	if (this->batch_type == PB_BATCH_NONE)
+	{
+		switch (state)
+		{
+			case PB_STATE_CLIENT_WORKING:
+				DBG2(DBG_TNC, "no client data to send, "
+							  "sending empty PB-TNC CDATA batch");
+				this->batch_type = PB_BATCH_CDATA;
+				break;
+			case PB_STATE_DECIDED:
+				/**
+				 * In the DECIDED state and if no CRETRY is under way,
+				 * a PB-TNC client replies with an empty CLOSE batch.
+				 */
+				this->batch_type = PB_BATCH_CLOSE;
+				break;
+			default:
+				break;
+		}
+	}
+
+	if (this->batch_type != PB_BATCH_NONE)
+	{
+		pb_tnc_batch_t *batch;
+		pb_tnc_msg_t *msg;
+		chunk_t data;
+		int msg_count;
+		enumerator_t *enumerator;
+
+		if (this->state_machine->send_batch(this->state_machine, this->batch_type))
+		{
+			batch = pb_tnc_batch_create(FALSE, this->batch_type,
+										min(this->max_batch_len, *buflen));
+
+			enumerator = this->messages->create_enumerator(this->messages);
+			while (enumerator->enumerate(enumerator, &msg))
+			{
+				if (batch->add_msg(batch, msg))
+				{
+					this->messages->remove_at(this->messages, enumerator);
+				}
+				else
+				{
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			batch->build(batch);
+			data = batch->get_encoding(batch);
+			DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u",
+						   pb_tnc_batch_type_names, this->batch_type, data.len,
+						   this->connection_id);
+			DBG3(DBG_TNC, "%B", &data);
+
+			*buflen = data.len;
+			*msglen = 0;
+			memcpy(buf, data.ptr, *buflen);
+			batch->destroy(batch);
+
+			msg_count = this->messages->get_count(this->messages);
+			if (msg_count)
+			{
+				DBG2(DBG_TNC, "queued %d PB-TNC message%s for next %N batch",
+					 msg_count, (msg_count == 1) ? "" : "s",
+					 pb_tnc_batch_type_names, this->batch_type);
+			}
+			else
+			{
+				this->batch_type = PB_BATCH_NONE;
+			}
+
+			status = ALREADY_DONE;
+		}
+		else
+		{
+			change_batch_type(this, PB_BATCH_NONE);
+			status = INVALID_STATE;
+		}
+	}
+	else
+	{
+		DBG1(DBG_TNC, "no PB-TNC batch to send");
+		status = INVALID_STATE;
+	}
+	this->mutex->unlock(this->mutex);
+
+	return status;
+}
+
+METHOD(tnccs_20_handler_t, begin_handshake, void,
+	private_tnccs_20_client_t *this, bool mutual)
+{
+	pb_tnc_msg_t *msg;
+	char *pref_lang;
+
+	tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
+										TNC_CONNECTION_STATE_HANDSHAKE);
+
+	/* Announce PB-TNC Mutual Capability if activated */
+	this->sent_mutual_capability = mutual;
+
+	if (!mutual && lib->settings->get_bool(lib->settings,
+				"%s.plugins.tnccs-20.mutual", FALSE, lib->ns))
+	{
+		pb_tnc_mutual_protocol_type_t protocols;
+
+		protocols = PB_MUTUAL_HALF_DUPLEX;
+		DBG2(DBG_TNC, "proposing PB-TNC mutual %N protocol",
+			 pb_tnc_mutual_protocol_type_names, PB_MUTUAL_HALF_DUPLEX);
+		msg = pb_mutual_capability_msg_create(protocols);
+		this->mutex->lock(this->mutex);
+		this->messages->insert_last(this->messages, msg);
+		this->mutex->unlock(this->mutex);
+		this->sent_mutual_capability = TRUE;
+	}
+
+	/* Create PB-TNC Language Preference message */
+	pref_lang = tnc->imcs->get_preferred_language(tnc->imcs);
+	msg = pb_language_preference_msg_create(chunk_create(pref_lang,
+												strlen(pref_lang)));
+	this->mutex->lock(this->mutex);
+	this->messages->insert_last(this->messages, msg);
+	this->mutex->unlock(this->mutex);
+
+	this->send_msg = TRUE;
+	tnc->imcs->begin_handshake(tnc->imcs, this->connection_id);
+	this->send_msg = FALSE;
+
+	/* Send a PB-Noskip-Test message for testing purposes */
+	if (lib->settings->get_bool(lib->settings,
+				"%s.plugins.tnccs-20.tests.pb_tnc_noskip", FALSE, lib->ns))
+	{
+		msg = pb_noskip_test_msg_create();
+		this->mutex->lock(this->mutex);
+		this->messages->insert_last(this->messages, msg);
+		this->mutex->unlock(this->mutex);
+	}
+}
+
+METHOD(tnccs_20_handler_t, get_send_flag, bool,
+	private_tnccs_20_client_t *this)
+{
+	return this->send_msg;
+}
+
+METHOD(tnccs_20_handler_t, get_mutual, bool,
+	private_tnccs_20_client_t *this)
+{
+	return this->mutual;
+}
+
+METHOD(tnccs_20_handler_t, get_state, pb_tnc_state_t,
+	private_tnccs_20_client_t *this)
+{
+	return this->state_machine->get_state(this->state_machine);
+}
+
+METHOD(tnccs_20_handler_t, add_msg, void,
+	private_tnccs_20_client_t *this, pb_tnc_msg_t *msg)
+{
+	/* adding PA message to CDATA batch only */
+	this->mutex->lock(this->mutex);
+	if (this->batch_type == PB_BATCH_NONE)
+	{
+		this->batch_type = PB_BATCH_CDATA;
+	}
+	if (this->batch_type == PB_BATCH_CDATA)
+	{
+		this->messages->insert_last(this->messages, msg);
+	}
+	else
+	{
+		msg->destroy(msg);
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(tnccs_20_handler_t, handle_errors, void,
+	private_tnccs_20_client_t *this, pb_tnc_batch_t *batch,
+	bool fatal_header_error)
+{
+	pb_tnc_msg_t *msg;
+	enumerator_t *enumerator;
+
+	if (fatal_header_error || this->fatal_error)
+	{
+		this->mutex->lock(this->mutex);
+		change_batch_type(this, PB_BATCH_CLOSE);
+		this->mutex->unlock(this->mutex);
+	}
+
+	enumerator = batch->create_error_enumerator(batch);
+	while (enumerator->enumerate(enumerator, &msg))
+	{
+		this->mutex->lock(this->mutex);
+		this->messages->insert_last(this->messages, msg->get_ref(msg));
+		this->mutex->unlock(this->mutex);
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(tnccs_20_handler_t, destroy, void,
+	private_tnccs_20_client_t *this)
+{
+	if (this->connection_id)
+	{
+		tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id, FALSE);
+	}
+	this->state_machine->destroy(this->state_machine);
+	this->mutex->destroy(this->mutex);
+	this->messages->destroy_offset(this->messages,
+								   offsetof(pb_tnc_msg_t, destroy));
+	free(this->pdp_server.ptr);
+	free(this);
+}
+
+METHOD(tnccs_20_client_t, get_pdp_server, chunk_t,
+	private_tnccs_20_client_t *this, u_int16_t *port)
+{
+	*port = this->pdp_port;
+
+	return this->pdp_server;
+}
+
+/**
+ * See header
+ */
+tnccs_20_handler_t* tnccs_20_client_create(tnccs_t *tnccs,
+										   tnccs_send_message_t send_msg,
+										   size_t max_batch_len,
+										   size_t max_msg_len)
+{
+	private_tnccs_20_client_t *this;
+
+	INIT(this,
+		.public = {
+			.handler = {
+				.process = _process,
+				.build = _build,
+				.begin_handshake = _begin_handshake,
+				.get_send_flag = _get_send_flag,
+				.get_mutual = _get_mutual,
+				.get_state = _get_state,
+				.add_msg = _add_msg,
+				.handle_errors = _handle_errors,
+				.destroy = _destroy,
+			},
+			.get_pdp_server = _get_pdp_server,
+		},
+		.state_machine = pb_tnc_state_machine_create(FALSE),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.messages = linked_list_create(),
+		.batch_type = PB_BATCH_CDATA,
+		.max_batch_len = max_batch_len,
+	);
+
+	this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
+											TNCCS_2_0, tnccs, send_msg,
+											&this->request_handshake_retry,
+											max_msg_len, NULL);
+	if (!this->connection_id)
+	{
+		destroy(this);
+		return NULL;
+	}
+	tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
+										TNC_CONNECTION_STATE_CREATE);
+
+	return &this->public.handler;
+}
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_client.h b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.h
new file mode 100644
index 000000000..7a5f33ebc
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_20_client_h tnccs_20_client
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef TNCCS_20_CLIENT_H_
+#define TNCCS_20_CLIENT_H_
+
+#include <library.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+#include "tnccs_20_handler.h"
+
+typedef struct tnccs_20_client_t tnccs_20_client_t;
+
+/**
+ * Interface for a TNC client
+ */
+struct tnccs_20_client_t {
+
+	/**
+	 * IF-TNCCS 2.0 protocol handler interface
+	 */
+	tnccs_20_handler_t handler;
+
+	/**
+	 * Get PDP server information if available
+	 *
+	 * @param port			PT-TLS port of the PDP server
+	 * @return				FQDN of PDP server
+	 */
+	chunk_t (*get_pdp_server)(tnccs_20_client_t *this, u_int16_t *port);
+
+};
+
+/**
+ * Create an instance of the TNC IF-TNCCS 2.0 client-side protocol handler.
+ *
+ * @param tnccs				TNC IF-TNCCS 2.0 stack
+ * @param send_msg			TNF IF-TNCCS 2.0 send message callback function
+ * @param max_batch_len		Maximum PB-TNC batch size
+ * @param max_msg_len		Maximum PA-TNC message size
+ */
+tnccs_20_handler_t* tnccs_20_client_create(tnccs_t *tnccs,
+										   tnccs_send_message_t send_msg,
+										   size_t max_batch_len,
+										   size_t max_msg_len);
+
+#endif /** TNCCS_20_CLIENT_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_handler.h b/src/libtnccs/plugins/tnccs_20/tnccs_20_handler.h
new file mode 100644
index 000000000..5c4d7a7b4
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_handler.h
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_20_handler_h tnccs_20_handler
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef TNCCS_20_HANDLER_H_
+#define TNCCS_20_HANDLER_H_
+
+#include <library.h>
+
+#include "batch/pb_tnc_batch.h"
+#include "messages/pb_tnc_msg.h"
+
+typedef struct tnccs_20_handler_t tnccs_20_handler_t;
+
+/**
+ * Interface for an IF-TNCCS 2.0 protocol handler
+ */
+struct tnccs_20_handler_t {
+
+	/**
+	 * Process content of received PB-TNC batch
+	 *
+	 * @param batch			PB-TNC batch to be processed
+	 * @return				status
+	 */
+	status_t (*process)(tnccs_20_handler_t *this, pb_tnc_batch_t *batch);
+
+	/**
+	 * Build PB-TNC batch to be sent
+	 *
+	 * @param buf			buffer to write PB-TNC batch to
+	 * @param buflen		size of buffer, receives bytes written
+	 * @param msglen		receives size of all PB-TNCH batch
+	 * @return				status
+	 */
+	status_t (*build)(tnccs_20_handler_t *this, void *buf, size_t *buflen,
+														  size_t *msglen);
+
+	/**
+	 * Put the IMCs or IMVs into the handshake state
+	 *
+	 * @param mutual		TRUE if PB-TNC mutual mode is already established
+	 */
+	void (*begin_handshake)(tnccs_20_handler_t *this, bool mutual);
+
+	/**
+	 * Indicates if IMCs or IMVs are allowed to send PA-TNC messages
+	 *
+	 * @return				TRUE if allowed to send
+	 */
+	bool (*get_send_flag)(tnccs_20_handler_t *this);
+
+	/**
+	 * Indicates if the PB-TNC mutual protocol has been enabled
+	 *
+	 * @return				TRUE if enabled
+	 */
+	bool (*get_mutual)(tnccs_20_handler_t *this);
+
+	/**
+	 * Get state of the PB-TNC protocol
+	 *
+	 * @return				PB-TNC state
+	 */
+	pb_tnc_state_t (*get_state)(tnccs_20_handler_t *this);
+
+	/**
+	 * Add a PB-PA message to the handler's message queue
+	 *
+	 * @param msg			PB-PA message to be added
+	 */
+	void (*add_msg)(tnccs_20_handler_t *this, pb_tnc_msg_t *msg);
+
+	/**
+	 * Handle errors that occurred during PB-TNC batch header processing
+	 *
+	 * @param batch					batch where a fatal error occurred
+	 * @param fatal_header_error	TRUE if fatal error in batch header
+	 */
+	void (*handle_errors)(tnccs_20_handler_t *this, pb_tnc_batch_t *batch,
+						  bool fatal_header_error);
+
+	/**
+	 * Destroys a tnccs_20_handler_t object.
+	 */
+	void (*destroy)(tnccs_20_handler_t *this);
+};
+
+#endif /** TNCCS_20_HANDLER_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h b/src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h
index 1c4ecf4c9..5073fbe7c 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tnccs_20 tnccs_20
- * @ingroup cplugins
+ * @ingroup tplugins
  *
  * @defgroup tnccs_20_plugin tnccs_20_plugin
  * @{ @ingroup tnccs_20
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c
new file mode 100644
index 000000000..038fc178b
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c
@@ -0,0 +1,693 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_20_server.h"
+#include "messages/pb_tnc_msg.h"
+#include "messages/ietf/pb_pa_msg.h"
+#include "messages/ietf/pb_error_msg.h"
+#include "messages/ietf/pb_assessment_result_msg.h"
+#include "messages/ietf/pb_access_recommendation_msg.h"
+#include "messages/ietf/pb_remediation_parameters_msg.h"
+#include "messages/ietf/pb_reason_string_msg.h"
+#include "messages/ietf/pb_language_preference_msg.h"
+#include "messages/ita/pb_mutual_capability_msg.h"
+#include "messages/ita/pb_noskip_test_msg.h"
+#include "messages/tcg/pb_pdp_referral_msg.h"
+#include "state_machine/pb_tnc_state_machine.h"
+
+#include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
+
+#include <tnc/tnc.h>
+#include <tnc/tnccs/tnccs_manager.h>
+#include <tnc/imv/imv_manager.h>
+
+#include <threading/mutex.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+#include <pen/pen.h>
+
+typedef struct private_tnccs_20_server_t private_tnccs_20_server_t;
+
+/**
+ * Private data of a tnccs_20_server_t object.
+ */
+struct private_tnccs_20_server_t {
+
+	/**
+	 * Public tnccs_20_server_t interface.
+	 */
+	tnccs_20_server_t public;
+
+	/**
+	 * PB-TNC State Machine
+	 */
+	pb_tnc_state_machine_t *state_machine;
+
+	/**
+	 * Connection ID assigned to this TNCCS connection
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * PB-TNC messages to be sent
+	 */
+	linked_list_t *messages;
+
+	/**
+	 * Type of PB-TNC batch being constructed
+	 */
+	pb_tnc_batch_type_t batch_type;
+
+	/**
+	 * Maximum PB-TNC batch size
+	 */
+	size_t max_batch_len;
+
+	/**
+	 * Mutex locking the batch in construction
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Flag set while processing
+	 */
+	bool fatal_error;
+
+	/**
+	 * Flag set by IMC/IMV RequestHandshakeRetry() function
+	 */
+	bool request_handshake_retry;
+
+	/**
+	  * SendMessage() by IMV only allowed if flag is set
+	  */
+	bool send_msg;
+
+	/**
+	 * Set of IMV recommendations
+	 */
+	recommendations_t *recs;
+
+	/**
+	 *  TNC IF-T transport protocol for EAP methods
+	 */
+	bool eap_transport;
+
+	/**
+	 * Mutual PB-TNC protocol enabled
+	 */
+	bool mutual;
+
+	/**
+	 * Mutual Capability message sent
+	 */
+	bool sent_mutual_capability;
+
+};
+
+/**
+ * The following two functions are shared with the tnccs_20_server class
+ */
+extern void tnccs_20_handle_ietf_error_msg(pb_tnc_msg_t *msg,
+										   bool *fatal_error);
+extern bool tnccs_20_handle_ita_mutual_capability_msg(pb_tnc_msg_t *msg);
+
+/**
+ * If the batch type changes then delete all accumulated PB-TNC messages
+ */
+static void change_batch_type(private_tnccs_20_server_t *this,
+							  pb_tnc_batch_type_t batch_type)
+{
+	pb_tnc_msg_t *msg;
+
+	if (batch_type != this->batch_type)
+	{
+		if (this->batch_type != PB_BATCH_NONE)
+		{
+			DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
+				 pb_tnc_batch_type_names, this->batch_type);
+
+			while (this->messages->remove_last(this->messages,
+											  (void**)&msg) == SUCCESS)
+			{
+				msg->destroy(msg);
+			}
+		}
+		this->batch_type = batch_type;
+	}
+}
+
+/**
+ * Handle a single PB-TNC IETF standard message according to its type
+ */
+static void handle_ietf_message(private_tnccs_20_server_t *this, pb_tnc_msg_t *msg)
+{
+	pen_type_t msg_type = msg->get_type(msg);
+
+	switch (msg_type.type)
+	{
+		case PB_MSG_EXPERIMENTAL:
+			/* nothing to do */
+			break;
+		case PB_MSG_PA:
+		{
+			pb_pa_msg_t *pa_msg;
+			pen_type_t msg_subtype;
+			u_int16_t imc_id, imv_id;
+			chunk_t msg_body;
+			bool excl;
+			enum_name_t *pa_subtype_names;
+
+			pa_msg = (pb_pa_msg_t*)msg;
+			msg_subtype = pa_msg->get_subtype(pa_msg);
+			msg_body = pa_msg->get_body(pa_msg);
+			imc_id = pa_msg->get_collector_id(pa_msg);
+			imv_id = pa_msg->get_validator_id(pa_msg);
+			excl = pa_msg->get_exclusive_flag(pa_msg);
+
+			pa_subtype_names = get_pa_subtype_names(msg_subtype.vendor_id);
+			if (pa_subtype_names)
+			{
+				DBG2(DBG_TNC, "handling PB-PA message type '%N/%N' 0x%06x/0x%08x",
+					 pen_names, msg_subtype.vendor_id, pa_subtype_names,
+					 msg_subtype.type, msg_subtype.vendor_id, msg_subtype.type);
+			}
+			else
+			{
+				DBG2(DBG_TNC, "handling PB-PA message type '%N' 0x%06x/0x%08x",
+					 pen_names, msg_subtype.vendor_id, msg_subtype.vendor_id,
+					 msg_subtype.type);
+			}
+			this->send_msg = TRUE;
+			tnc->imvs->receive_message(tnc->imvs, this->connection_id,
+									   excl, msg_body.ptr, msg_body.len,
+									   msg_subtype.vendor_id,
+									   msg_subtype.type, imc_id, imv_id);
+			this->send_msg = FALSE;
+			break;
+		}
+		case PB_MSG_ERROR:
+			tnccs_20_handle_ietf_error_msg(msg, &this->fatal_error);
+			break;
+		case PB_MSG_LANGUAGE_PREFERENCE:
+		{
+			pb_language_preference_msg_t *lang_msg;
+			chunk_t lang;
+
+			lang_msg = (pb_language_preference_msg_t*)msg;
+			lang = lang_msg->get_language_preference(lang_msg);
+			DBG2(DBG_TNC, "setting language preference to '%.*s'",
+				 (int)lang.len, lang.ptr);
+			this->recs->set_preferred_language(this->recs, lang);
+			break;
+		}
+		default:
+			break;
+	}
+}
+
+/**
+ * Handle a single PB-TNC ITA standard message according to its type
+ */
+static void handle_ita_message(private_tnccs_20_server_t *this, pb_tnc_msg_t *msg)
+{
+	pen_type_t msg_type = msg->get_type(msg);
+
+	switch (msg_type.type)
+	{
+		case PB_ITA_MSG_MUTUAL_CAPABILITY:
+			this->mutual = tnccs_20_handle_ita_mutual_capability_msg(msg);
+
+			/* Respond with PB-TNC Mutual Capability message if necessary */
+			if (this->mutual && !this->sent_mutual_capability)
+			{
+				msg = pb_mutual_capability_msg_create(PB_MUTUAL_HALF_DUPLEX);
+				this->mutex->lock(this->mutex);
+				this->messages->insert_last(this->messages, msg);
+				this->mutex->unlock(this->mutex);
+				this->sent_mutual_capability = TRUE;
+			}
+			break;
+		default:
+			break;
+	}
+}
+
+/**
+ * Handle a single PB-TNC message according to its type
+ */
+static void handle_message(private_tnccs_20_server_t *this, pb_tnc_msg_t *msg)
+{
+	pen_type_t msg_type = msg->get_type(msg);
+
+	switch (msg_type.vendor_id)
+	{
+		case PEN_IETF:
+			handle_ietf_message(this, msg);
+			break;
+		case PEN_ITA:
+			handle_ita_message(this, msg);
+			break;
+		default:
+			break;
+	}
+}
+
+/**
+ *  Build an SRETRY batch
+ */
+static void build_retry_batch(private_tnccs_20_server_t *this)
+{
+	if (this->batch_type == PB_BATCH_SRETRY)
+	{
+		/* retry batch has already been selected */
+		return;
+	}
+	change_batch_type(this, PB_BATCH_SRETRY);
+
+	this->recs->clear_recommendation(this->recs);
+	tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
+										TNC_CONNECTION_STATE_HANDSHAKE);
+}
+
+METHOD(tnccs_20_handler_t, process, status_t,
+	private_tnccs_20_server_t *this, pb_tnc_batch_t *batch)
+{
+	pb_tnc_batch_type_t batch_type;
+	status_t status;
+
+	batch_type = batch->get_type(batch);
+
+	DBG1(DBG_TNC, "processing PB-TNC %N batch for Connection ID %d",
+		 pb_tnc_batch_type_names, batch_type, this->connection_id);
+	status = batch->process(batch, this->state_machine);
+
+	if (status != FAILED)
+	{
+		enumerator_t *enumerator;
+		pb_tnc_msg_t *msg;
+		bool empty = TRUE;
+
+		if (batch_type == PB_BATCH_CRETRY)
+		{
+			/* Send an SRETRY batch in response */
+			this->mutex->lock(this->mutex);
+			build_retry_batch(this);
+			this->mutex->unlock(this->mutex);
+		}
+
+		enumerator = batch->create_msg_enumerator(batch);
+		while (enumerator->enumerate(enumerator, &msg))
+		{
+			handle_message(this, msg);
+			empty = FALSE;
+		}
+		enumerator->destroy(enumerator);
+
+		/* received a CLOSE batch from PB-TNC client */
+		if (batch_type == PB_BATCH_CLOSE)
+		{
+			return empty ? SUCCESS : FAILED;
+		}
+
+		this->send_msg = TRUE;
+		tnc->imvs->batch_ending(tnc->imvs, this->connection_id);
+		this->send_msg = FALSE;
+	}
+
+	switch (status)
+	{
+		case FAILED:
+			this->fatal_error = TRUE;
+			status = VERIFY_ERROR;
+			break;
+		case VERIFY_ERROR:
+			break;
+		case SUCCESS:
+		default:
+			status = NEED_MORE;
+			break;
+	}
+
+	return status;
+}
+
+/**
+ *  Build a RESULT batch if a final recommendation is available
+ */
+static void check_and_build_recommendation(private_tnccs_20_server_t *this)
+{
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
+	TNC_ConnectionState state;
+	TNC_IMVID id;
+	chunk_t reason, language;
+	enumerator_t *enumerator;
+	pb_tnc_msg_t *msg;
+	pb_access_recommendation_code_t pb_rec;
+
+	if (!this->recs->have_recommendation(this->recs, &rec, &eval))
+	{
+		tnc->imvs->solicit_recommendation(tnc->imvs, this->connection_id);
+	}
+	if (this->recs->have_recommendation(this->recs, &rec, &eval))
+	{
+		this->batch_type = PB_BATCH_RESULT;
+
+		msg = pb_assessment_result_msg_create(eval);
+		this->messages->insert_last(this->messages, msg);
+
+		/**
+		 * Map IMV Action Recommendation codes to PB Access Recommendation codes
+		 * and communicate Access Recommendation to IMVs
+		 */
+		switch (rec)
+		{
+			case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+				state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
+				pb_rec = PB_REC_ACCESS_ALLOWED;
+				break;
+			case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+				state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
+				pb_rec = PB_REC_QUARANTINED;
+				break;
+			case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+			case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+			default:
+				state = TNC_CONNECTION_STATE_ACCESS_NONE;
+				pb_rec = PB_REC_ACCESS_DENIED;
+		}
+		tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
+											state);
+
+		msg = pb_access_recommendation_msg_create(pb_rec);
+		this->messages->insert_last(this->messages, msg);
+
+		enumerator = this->recs->create_reason_enumerator(this->recs);
+		while (enumerator->enumerate(enumerator, &id, &reason, &language))
+		{
+			msg = pb_reason_string_msg_create(reason, language);
+			this->messages->insert_last(this->messages, msg);
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+METHOD(tnccs_20_handler_t, build, status_t,
+	private_tnccs_20_server_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+	status_t status;
+	pb_tnc_state_t state;
+
+	state = this->state_machine->get_state(this->state_machine);
+
+	if (this->fatal_error && state == PB_STATE_END)
+	{
+		DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection");
+		return FAILED;
+	}
+
+	/* Do not allow any asynchronous IMVs to add additional messages */
+	this->mutex->lock(this->mutex);
+
+	if (this->request_handshake_retry)
+	{
+		if (state != PB_STATE_INIT)
+		{
+			build_retry_batch(this);
+		}
+
+		/* Reset the flag for the next handshake retry request */
+		this->request_handshake_retry = FALSE;
+	}
+
+	if (state == PB_STATE_SERVER_WORKING &&
+		this->recs->have_recommendation(this->recs, NULL, NULL))
+	{
+		check_and_build_recommendation(this);
+	}
+
+	if (this->batch_type == PB_BATCH_NONE)
+	{
+		if (state == PB_STATE_SERVER_WORKING)
+		{
+			if (this->state_machine->get_empty_cdata(this->state_machine))
+			{
+				check_and_build_recommendation(this);
+			}
+			else
+			{
+				DBG2(DBG_TNC, "no recommendation available yet, "
+							  "sending empty PB-TNC SDATA batch");
+				this->batch_type = PB_BATCH_SDATA;
+			}
+		}
+	}
+
+	if (this->batch_type != PB_BATCH_NONE)
+	{
+		pb_tnc_batch_t *batch;
+		pb_tnc_msg_t *msg;
+		chunk_t data;
+		int msg_count;
+		enumerator_t *enumerator;
+
+		if (this->state_machine->send_batch(this->state_machine, this->batch_type))
+		{
+			batch = pb_tnc_batch_create(TRUE, this->batch_type,
+										min(this->max_batch_len, *buflen));
+
+			enumerator = this->messages->create_enumerator(this->messages);
+			while (enumerator->enumerate(enumerator, &msg))
+			{
+				if (batch->add_msg(batch, msg))
+				{
+					this->messages->remove_at(this->messages, enumerator);
+				}
+				else
+				{
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			batch->build(batch);
+			data = batch->get_encoding(batch);
+			DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u",
+						   pb_tnc_batch_type_names, this->batch_type, data.len,
+						   this->connection_id);
+			DBG3(DBG_TNC, "%B", &data);
+
+			*buflen = data.len;
+			*msglen = 0;
+			memcpy(buf, data.ptr, *buflen);
+			batch->destroy(batch);
+
+			msg_count = this->messages->get_count(this->messages);
+			if (msg_count)
+			{
+				DBG2(DBG_TNC, "queued %d PB-TNC message%s for next %N batch",
+					 msg_count, (msg_count == 1) ? "" : "s",
+					 pb_tnc_batch_type_names, this->batch_type);
+			}
+			else
+			{
+				this->batch_type = PB_BATCH_NONE;
+			}
+
+			status = ALREADY_DONE;
+		}
+		else
+		{
+			change_batch_type(this, PB_BATCH_NONE);
+			status = INVALID_STATE;
+		}
+	}
+	else
+	{
+		DBG1(DBG_TNC, "no PB-TNC batch to send");
+		status = INVALID_STATE;
+	}
+	this->mutex->unlock(this->mutex);
+
+	return status;
+}
+
+METHOD(tnccs_20_handler_t, begin_handshake, void,
+	private_tnccs_20_server_t *this, bool mutual)
+{
+	pb_tnc_msg_t *msg;
+	identification_t *pdp_server;
+	u_int16_t *pdp_port;
+
+	tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
+										TNC_CONNECTION_STATE_HANDSHAKE);
+
+	/* Send a PB-TNC TCG PDP Referral message if PDP is known */
+	pdp_server = (identification_t*)lib->get(lib, "pt-tls-server");
+	pdp_port = (u_int16_t*)lib->get(lib, "pt-tls-port");
+
+	if (this->eap_transport && pdp_server && pdp_port)
+	{
+		msg = pb_pdp_referral_msg_create_from_fqdn(
+						pdp_server->get_encoding(pdp_server), *pdp_port);
+		this->mutex->lock(this->mutex);
+		this->messages->insert_last(this->messages, msg);
+		this->mutex->unlock(this->mutex);
+	}
+
+	/* Send a PB-Noskip-Test message for testing purposes */
+	if (lib->settings->get_bool(lib->settings,
+				"%s.plugins.tnccs-20.tests.pb_tnc_noskip", FALSE, lib->ns))
+	{
+		msg = pb_noskip_test_msg_create();
+		this->mutex->lock(this->mutex);
+		this->messages->insert_last(this->messages, msg);
+		this->mutex->unlock(this->mutex);
+	}
+}
+
+METHOD(tnccs_20_handler_t, get_send_flag, bool,
+	private_tnccs_20_server_t *this)
+{
+	return this->send_msg;
+}
+
+METHOD(tnccs_20_handler_t, get_mutual, bool,
+	private_tnccs_20_server_t *this)
+{
+	return this->mutual;
+}
+
+METHOD(tnccs_20_handler_t, get_state, pb_tnc_state_t,
+	private_tnccs_20_server_t *this)
+{
+	return this->state_machine->get_state(this->state_machine);
+}
+
+METHOD(tnccs_20_handler_t, add_msg, void,
+	private_tnccs_20_server_t *this, pb_tnc_msg_t *msg)
+{
+	/* adding PA message to SDATA batch only */
+	this->mutex->lock(this->mutex);
+	if (this->batch_type == PB_BATCH_NONE)
+	{
+		this->batch_type = PB_BATCH_SDATA;
+	}
+	if (this->batch_type == PB_BATCH_SDATA)
+	{
+		this->messages->insert_last(this->messages, msg);
+	}
+	else
+	{
+		msg->destroy(msg);
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(tnccs_20_handler_t, handle_errors, void,
+	private_tnccs_20_server_t *this,  pb_tnc_batch_t *batch,
+	bool fatal_header_error)
+{
+	pb_tnc_msg_t *msg;
+	enumerator_t *enumerator;
+
+	if (fatal_header_error || this->fatal_error)
+	{
+		this->mutex->lock(this->mutex);
+		change_batch_type(this, PB_BATCH_CLOSE);
+		this->mutex->unlock(this->mutex);
+	}
+
+	enumerator = batch->create_error_enumerator(batch);
+	while (enumerator->enumerate(enumerator, &msg))
+	{
+		this->mutex->lock(this->mutex);
+		this->messages->insert_last(this->messages, msg->get_ref(msg));
+		this->mutex->unlock(this->mutex);
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(tnccs_20_handler_t, destroy, void,
+	private_tnccs_20_server_t *this)
+{
+	if (this->connection_id)
+	{
+		tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id, TRUE);
+	}
+	this->state_machine->destroy(this->state_machine);
+	this->mutex->destroy(this->mutex);
+	this->messages->destroy_offset(this->messages,
+								   offsetof(pb_tnc_msg_t, destroy));
+	free(this);
+}
+
+METHOD(tnccs_20_server_t, have_recommendation, bool,
+	private_tnccs_20_server_t *this, TNC_IMV_Action_Recommendation *rec,
+	TNC_IMV_Evaluation_Result *eval)
+{
+	return this->recs->have_recommendation(this->recs, rec, eval);
+}
+
+/**
+ * See header
+ */
+tnccs_20_handler_t* tnccs_20_server_create(tnccs_t *tnccs,
+										   tnccs_send_message_t send_msg,
+										   size_t max_batch_len,
+										   size_t max_msg_len,
+										   bool eap_transport)
+{
+	private_tnccs_20_server_t *this;
+
+	INIT(this,
+		.public = {
+			.handler = {
+				.process = _process,
+				.build = _build,
+				.begin_handshake = _begin_handshake,
+				.get_send_flag = _get_send_flag,
+				.get_mutual = _get_mutual,
+				.get_state = _get_state,
+				.add_msg = _add_msg,
+				.handle_errors = _handle_errors,
+				.destroy = _destroy,
+			},
+			.have_recommendation = _have_recommendation,
+		},
+		.state_machine = pb_tnc_state_machine_create(TRUE),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.messages = linked_list_create(),
+		.batch_type = PB_BATCH_SDATA,
+		.max_batch_len = max_batch_len,
+		.eap_transport = eap_transport,
+	);
+
+	this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
+											TNCCS_2_0, tnccs, send_msg,
+											&this->request_handshake_retry,
+											max_msg_len, &this->recs);
+	if (!this->connection_id)
+	{
+		destroy(this);
+		return NULL;
+	}
+	tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
+										TNC_CONNECTION_STATE_CREATE);
+
+	return &this->public.handler;
+}
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_server.h b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.h
new file mode 100644
index 000000000..5833d1132
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_20_server_h tnccs_20_server
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef TNCCS_20_SERVER_H_
+#define TNCCS_20_SERVER_H_
+
+#include <library.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+#include "tnccs_20_handler.h"
+
+typedef struct tnccs_20_server_t tnccs_20_server_t;
+
+/**
+ * Interface for a TNC server
+ */
+struct tnccs_20_server_t {
+
+	/**
+	 * IF-TNCCS 2.0 protocol handler interface
+	 */
+	tnccs_20_handler_t handler;
+
+	/**
+	 * Check if an Action Recommendation is already available
+	 *
+	 * @param rec			TNC Action Recommendation
+	 * @param eval			TNC Evaluation Result
+	 * @return				TRUE if Action Recommendation is
+	 */
+	bool (*have_recommendation)(tnccs_20_server_t *this,
+								TNC_IMV_Action_Recommendation *rec,
+								TNC_IMV_Evaluation_Result *eval);
+
+};
+
+/**
+ * Create an instance of the TNC IF-TNCCS 2.0 server-side protocol handler.
+ *
+ * @param tnccs				TNC IF-TNCCS 2.0 stack
+ * @param send_msg			TNF IF-TNCCS 2.0 send message callback function
+ * @param max_batch_len		Maximum PB-TNC batch size
+ * @param max_msg_len		Maximum PA-TNC message size
+ * @param eap_transport		TRUE if IF-T for EAP methods
+ */
+tnccs_20_handler_t* tnccs_20_server_create(tnccs_t *tnccs,
+										   tnccs_send_message_t send_msg,
+										   size_t max_batch_len,
+										   size_t max_msg_len,
+										   bool eap_transport);
+
+
+#endif /** TNCCS_20_SERVER_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
index 6a03df994..3f21a22d4 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c
index e08236eb7..44b804fb2 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c
+++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2013 Andreas Steffen
+ * Copyright (C) 2011-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -34,12 +34,22 @@ struct private_tnccs_dynamic_t {
 	/**
 	 * Server identity
 	 */
-	identification_t *server;
+	identification_t *server_id;
 
 	/**
 	 * Client identity
 	 */
-	identification_t *peer;
+	identification_t *peer_id;
+
+	/**
+	 * Server IP address
+	 */
+	host_t *server_ip;
+
+	/**
+	 * Client IP address
+	 */
+	host_t *peer_ip;
 
 	/**
 	 * Detected TNC IF-TNCCS stack
@@ -109,8 +119,8 @@ METHOD(tls_t, process, status_t,
 		DBG1(DBG_TNC, "%N protocol detected dynamically",
 					   tnccs_type_names, type);
 		tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE,
-							this->server, this->peer, this->transport,
-							this->callback);
+							this->server_id, this->peer_id, this->server_ip,
+							this->peer_ip, this->transport,	this->callback);
 		if (!tnccs)
 		{
 			DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);
@@ -137,14 +147,14 @@ METHOD(tls_t, is_server, bool,
 METHOD(tls_t, get_server_id, identification_t*,
 	private_tnccs_dynamic_t *this)
 {
-	return this->server;
+	return this->server_id;
 }
 
 METHOD(tls_t, set_peer_id, void,
 	private_tnccs_dynamic_t *this, identification_t *id)
 {
-	DESTROY_IF(this->peer);
-	this->peer = id->clone(id);
+	DESTROY_IF(this->peer_id);
+	this->peer_id = id->clone(id);
 	if (this->tls)
 	{
 		this->tls->set_peer_id(this->tls, id);
@@ -154,7 +164,7 @@ METHOD(tls_t, set_peer_id, void,
 METHOD(tls_t, get_peer_id, identification_t*,
 	private_tnccs_dynamic_t *this)
 {
-	return this->peer;
+	return this->peer_id;
 }
 
 METHOD(tls_t, get_purpose, tls_purpose_t,
@@ -181,12 +191,26 @@ METHOD(tls_t, destroy, void,
 	if (ref_put(&this->ref))
 	{
 		DESTROY_IF(this->tls);
-		this->server->destroy(this->server);
-		this->peer->destroy(this->peer);
+		this->server_id->destroy(this->server_id);
+		this->peer_id->destroy(this->peer_id);
+		this->server_ip->destroy(this->server_ip);
+		this->peer_ip->destroy(this->peer_ip);
 		free(this);
 	}
 }
 
+METHOD(tnccs_t, get_server_ip, host_t*,
+	private_tnccs_dynamic_t *this)
+{
+	return this->server_ip;
+}
+
+METHOD(tnccs_t, get_peer_ip, host_t*,
+	private_tnccs_dynamic_t *this)
+{
+	return this->peer_ip;
+}
+
 METHOD(tnccs_t, get_transport, tnc_ift_type_t,
 	private_tnccs_dynamic_t *this)
 {
@@ -229,9 +253,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*,
 /**
  * See header
  */
-tnccs_t* tnccs_dynamic_create(bool is_server,
-							  identification_t *server, identification_t *peer,
-							  tnc_ift_type_t transport, tnccs_cb_t cb)
+tnccs_t* tnccs_dynamic_create(bool is_server, identification_t *server_id,
+							  identification_t *peer_id, host_t *server_ip,
+							  host_t *peer_ip, tnc_ift_type_t transport,
+							  tnccs_cb_t cb)
 {
 	private_tnccs_dynamic_t *this;
 
@@ -249,6 +274,8 @@ tnccs_t* tnccs_dynamic_create(bool is_server,
 				.get_eap_msk = _get_eap_msk,
 				.destroy = _destroy,
 			},
+			.get_server_ip = _get_server_ip,
+			.get_peer_ip = _get_peer_ip,
 			.get_transport = _get_transport,
 			.set_transport = _set_transport,
 			.get_auth_type = _get_auth_type,
@@ -256,8 +283,10 @@ tnccs_t* tnccs_dynamic_create(bool is_server,
 			.get_pdp_server = _get_pdp_server,
 			.get_ref = _get_ref,
 		},
-		.server = server->clone(server),
-		.peer = peer->clone(peer),
+		.server_id = server_id->clone(server_id),
+		.peer_id = peer_id->clone(peer_id),
+		.server_ip = server_ip->clone(server_ip),
+		.peer_ip = peer_ip->clone(peer_ip),
 		.transport = transport,
 		.callback = cb,
 		.ref = 1,
diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h
index cbdc80b83..2e1141780 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h
+++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2013 Andreas Steffen
+ * Copyright (C) 2011-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -29,14 +29,17 @@
  * Create an instance of a dynamic TNC IF-TNCCS protocol handler.
  *
  * @param is_server		TRUE to act as TNC Server, FALSE for TNC Client
- * @param server		Server identity
- * @param peer			Client identity
+ * @param server_id		Server identity
+ * @param peer_id		Client identity
+ * @param server_ip		Server IP address
+ * @param peer_ip		Client IP address
  * @param transport		Underlying IF-T transport protocol
  * @param cb			Callback function if TNC Server, NULL if TNC Client
  * @return				dynamic TNC IF-TNCCS protocol stack
  */
-tnccs_t* tnccs_dynamic_create(bool is_server,
-							  identification_t *server, identification_t *peer,
-							  tnc_ift_type_t transport, tnccs_cb_t cb);
+tnccs_t* tnccs_dynamic_create(bool is_server, identification_t *server_id,
+							  identification_t *peer_id, host_t *server_ip,
+							  host_t *peer_ip, tnc_ift_type_t transport,
+							  tnccs_cb_t cb);
 
 #endif /** TNCCS_DYNAMIC_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h
index b518e1278..97dd0df43 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h
+++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tnccs_dynamic tnccs_dynamic
- * @ingroup cplugins
+ * @ingroup tplugins
  *
  * @defgroup tnccs_dynamic_plugin tnccs_dynamic_plugin
  * @{ @ingroup tnccs_dynamic
diff --git a/src/libtnccs/tnc/imc/imc.h b/src/libtnccs/tnc/imc/imc.h
index 3ff7d5194..6d13f6bc5 100644
--- a/src/libtnccs/tnc/imc/imc.h
+++ b/src/libtnccs/tnc/imc/imc.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup imc imc
- * @ingroup tnc
+ * @ingroup libtnccs
  *
  * @defgroup imct imc
  * @{ @ingroup imc
diff --git a/src/libtnccs/tnc/imv/imv.h b/src/libtnccs/tnc/imv/imv.h
index 3716532d6..fbc26a1e7 100644
--- a/src/libtnccs/tnc/imv/imv.h
+++ b/src/libtnccs/tnc/imv/imv.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup imv imv
- * @ingroup tnc
+ * @ingroup libtnccs
  *
  * @defgroup imvt imv
  * @{ @ingroup imv
diff --git a/src/libtnccs/tnc/tnc.h b/src/libtnccs/tnc/tnc.h
index e5a4a2959..7bf8c84b7 100644
--- a/src/libtnccs/tnc/tnc.h
+++ b/src/libtnccs/tnc/tnc.h
@@ -14,9 +14,12 @@
  */
 
 /**
- * @defgroup tnc tnc
+ * @defgroup libtnccs libtnccs
  *
- * @addtogroup tnc
+ * @defgroup tplugins plugins
+ * @ingroup libtnccs
+ *
+ * @addtogroup libtnccs
  * @{
  */
 
diff --git a/src/libtnccs/tnc/tnccs/tnccs.h b/src/libtnccs/tnc/tnccs/tnccs.h
index eefd5565d..8ff295bcc 100644
--- a/src/libtnccs/tnc/tnccs/tnccs.h
+++ b/src/libtnccs/tnc/tnccs/tnccs.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tnccs tnccs
- * @ingroup tnc
+ * @ingroup libtnccs
  *
  * @defgroup tnccst tnccs
  * @{ @ingroup tnccs
@@ -87,6 +87,20 @@ struct tnccs_t {
 	tls_t tls;
 
 	/**
+	 * Get server IP address
+	 *
+	 * @return				Server IP address
+	 */
+	host_t* (*get_server_ip)(tnccs_t *this);
+
+	/**
+	 * Get peer IP address
+	 *
+	 * @return				Peer IP address
+	 */
+	host_t* (*get_peer_ip)(tnccs_t *this);
+
+	/**
 	 * Get underlying TNC IF-T transport protocol
 	 *
 	 * @return				TNC IF-T transport protocol
@@ -135,15 +149,19 @@ struct tnccs_t {
  * Constructor definition for a pluggable TNCCS protocol implementation.
  *
  * @param is_server		TRUE if TNC Server, FALSE if TNC Client
- * @param server		Server identity
- * @param peer			Client identity
+ * @param server_id		Server identity
+ * @param peer_id		Client identity
+ * @param server_ip		Server IP address
+ * @param peer_ip		Client IP address
  * @param transport		Underlying TNC IF-T transport protocol used
  * @param cb			Callback function if TNC Server, NULL if TNC Client
  * @return				implementation of the tnccs_t interface
  */
 typedef tnccs_t *(*tnccs_constructor_t)(bool is_server,
-										identification_t *server,
-										identification_t *peer,
+										identification_t *server_id,
+										identification_t *peer_id,
+										host_t *server_ip,
+										host_t *peer_ip,
 										tnc_ift_type_t transport,
 										tnccs_cb_t cb);
 
diff --git a/src/libtnccs/tnc/tnccs/tnccs_manager.h b/src/libtnccs/tnc/tnccs/tnccs_manager.h
index 791336ee1..b5c85f3c0 100644
--- a/src/libtnccs/tnc/tnccs/tnccs_manager.h
+++ b/src/libtnccs/tnc/tnccs/tnccs_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -56,16 +56,19 @@ struct tnccs_manager_t {
 	 *
 	 * @param type		  type of the TNCCS protocol
 	 * @param is_server	  TRUE if TNC Server, FALSE if TNC Client
-	 * @param server	  Server identity
-	 * @param peer		  Client identity
+	 * @param server_id	  Server identity
+	 * @param peer_id	  Client identity
+	 * @param server_ip	  Server IP address
+	 * @param peer_ip	  Client IP address
 	 * @param transport	  Underlying TNC IF-T transport protocol used
 	 * @param cb		  Callback function if TNC Server, NULL if TNC Client
 	 * @return			  TNCCS protocol instance, NULL if no constructor found
 	 */
 	tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type,
-								bool is_server, identification_t *server,
-								identification_t *peer,
-								tnc_ift_type_t transport, tnccs_cb_t cb);
+								bool is_server, identification_t *server_id,
+								identification_t *peer_id, host_t *server_ip,
+								host_t *peer_ip, tnc_ift_type_t transport,
+								tnccs_cb_t cb);
 
 	/**
 	 * Create a TNCCS connection and assign a unique connection ID as well a
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index efa06b927..010fadc42 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -193,6 +193,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -253,10 +254,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -330,6 +333,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libtncif/tncif_names.c b/src/libtncif/tncif_names.c
index ac948c8ba..b348c548e 100644
--- a/src/libtncif/tncif_names.c
+++ b/src/libtncif/tncif_names.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -46,6 +46,18 @@ ENUM(TNC_IMV_Evaluation_Result_names,
 	"don't know"
 );
 
+ENUM(TNC_Identity_names,
+	TNC_ID_UNKNOWN,
+	TNC_ID_X500_DN,
+	"unknown",
+	"IPv4 address",
+	"IPv6 address",
+	"FQDN",
+	"email address",
+	"username",
+	"X.500 DN"
+);
+
 ENUM(TNC_Subject_names,
 	TNC_SUBJECT_UNKNOWN,
 	TNC_SUBJECT_USER,
diff --git a/src/libtncif/tncif_names.h b/src/libtncif/tncif_names.h
index 75458f960..64dd14fc2 100644
--- a/src/libtncif/tncif_names.h
+++ b/src/libtncif/tncif_names.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -30,6 +31,7 @@
 extern enum_name_t *TNC_Connection_State_names;
 extern enum_name_t *TNC_IMV_Action_Recommendation_names;
 extern enum_name_t *TNC_IMV_Evaluation_Result_names;
+extern enum_name_t *TNC_Identity_names;
 extern enum_name_t *TNC_Subject_names;
 extern enum_name_t *TNC_Authentication_names;
 
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 79ee9c7b8..500220a3a 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -245,6 +245,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -305,10 +306,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -382,6 +385,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 3de9153cf..7265457f1 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -234,6 +234,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -294,10 +295,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -371,6 +374,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index 266802cf7..ab407e021 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -13,6 +13,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/signcrl.c \
 	commands/acert.c \
 	commands/pkcs7.c \
+	commands/pkcs12.c \
 	commands/verify.c
 
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 5f7a1bc26..4205469fc 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -108,7 +108,7 @@ am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) \
 	commands/req.$(OBJEXT) commands/self.$(OBJEXT) \
 	commands/print.$(OBJEXT) commands/signcrl.$(OBJEXT) \
 	commands/acert.$(OBJEXT) commands/pkcs7.$(OBJEXT) \
-	commands/verify.$(OBJEXT)
+	commands/pkcs12.$(OBJEXT) commands/verify.$(OBJEXT)
 pki_OBJECTS = $(am_pki_OBJECTS)
 pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -243,6 +243,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -303,10 +304,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -380,6 +383,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -450,6 +455,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/signcrl.c \
 	commands/acert.c \
 	commands/pkcs7.c \
+	commands/pkcs12.c \
 	commands/verify.c
 
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -566,6 +572,8 @@ commands/acert.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/pkcs7.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
+commands/pkcs12.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
 commands/verify.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 
@@ -586,6 +594,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/gen.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/issue.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/keyid.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/pkcs12.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/pkcs7.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/print.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/pub.Po@am__quote@
diff --git a/src/pki/command.h b/src/pki/command.h
index 9cf036bf2..d49adda09 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -24,7 +24,7 @@
 /**
  * Maximum number of commands (+1).
  */
-#define MAX_COMMANDS 12
+#define MAX_COMMANDS 13
 
 /**
  * Maximum number of options in a command (+3)
diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index 185aa40b4..7099977f2 100644
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -31,7 +32,7 @@
 static int acert()
 {
 	cred_encoding_type_t form = CERT_ASN1_DER;
-	hash_algorithm_t digest = HASH_SHA1;
+	hash_algorithm_t digest = HASH_UNKNOWN;
 	certificate_t *ac = NULL, *cert = NULL, *issuer =NULL;
 	private_key_t *private = NULL;
 	public_key_t *public = NULL;
@@ -161,6 +162,10 @@ static int acert()
 		error = "loading issuer private key failed";
 		goto end;
 	}
+	if (digest == HASH_UNKNOWN)
+	{
+		digest = get_default_digest(private);
+	}
 	if (!private->belongs_to(private, public))
 	{
 		error = "issuer private key does not match issuer certificate";
@@ -286,7 +291,7 @@ static void __attribute__ ((constructor))reg()
 			{"not-before",		'F', 1, "date/time the validity of the AC starts"},
 			{"not-after",		'T', 1, "date/time the validity of the AC ends"},
 			{"dateform",		'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
-			{"digest",			'g', 1, "digest for signature creation, default: sha1"},
+			{"digest",			'g', 1, "digest for signature creation, default: key-specific"},
 			{"outform",			'f', 1, "encoding of generated cert, default: der"},
 		}
 	});
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index ce28a0971..8b11854ad 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2014-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -43,6 +44,10 @@ static int gen()
 				{
 					type = KEY_ECDSA;
 				}
+				else if (streq(arg, "bliss"))
+				{
+					type = KEY_BLISS;
+				}
 				else
 				{
 					return command_usage("invalid key type");
@@ -96,6 +101,9 @@ static int gen()
 			case KEY_ECDSA:
 				size = 384;
 				break;
+			case KEY_BLISS:
+				size = 1;
+				break;
 			default:
 				break;
 		}
@@ -151,12 +159,12 @@ static void __attribute__ ((constructor))reg()
 {
 	command_register((command_t) {
 		gen, 'g', "gen", "generate a new private key",
-		{"  [--type rsa|ecdsa] [--size bits] [--safe-primes]",
+		{"  [--type rsa|ecdsa|bliss] [--size bits] [--safe-primes]",
 		 "[--shares n] [--threshold l] [--outform der|pem]"},
 		{
 			{"help",		'h', 0, "show usage information"},
 			{"type",		't', 1, "type of key, default: rsa"},
-			{"size",		's', 1, "keylength in bits, default: rsa 2048, ecdsa 384"},
+			{"size",		's', 1, "keylength in bits, default: rsa 2048, ecdsa 384, bliss 1"},
 			{"safe-primes", 'p', 0, "generate rsa safe primes"},
 			{"shares",		'n', 1, "number of private rsa key shares"},
 			{"threshold",	'l', 1, "minimum number of participating rsa key shares"},
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index aaa2c2ff7..6a2d09d78 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -59,7 +60,7 @@ static void destroy_cdp(x509_cdp_t *this)
 static int issue()
 {
 	cred_encoding_type_t form = CERT_ASN1_DER;
-	hash_algorithm_t digest = HASH_SHA1;
+	hash_algorithm_t digest = HASH_UNKNOWN;
 	certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
 	private_key_t *private = NULL;
 	public_key_t *public = NULL;
@@ -287,6 +288,7 @@ static int issue()
 		}
 		break;
 	}
+
 	if (!cacert)
 	{
 		error = "--cacert is required";
@@ -355,6 +357,10 @@ static int issue()
 		error = "loading CA private key failed";
 		goto end;
 	}
+	if (digest == HASH_UNKNOWN)
+	{
+		digest = get_default_digest(private);
+	}
 	if (!private->belongs_to(private, public))
 	{
 		error = "CA private key does not match CA certificate";
@@ -589,7 +595,7 @@ static void __attribute__ ((constructor))reg()
 			{"crl",				'u', 1, "CRL distribution point URI to include"},
 			{"crlissuer",		'I', 1, "CRL Issuer for CRL at distribution point"},
 			{"ocsp",			'o', 1, "OCSP AuthorityInfoAccess URI to include"},
-			{"digest",			'g', 1, "digest for signature creation, default: sha1"},
+			{"digest",			'g', 1, "digest for signature creation, default: key-specific"},
 			{"outform",			'f', 1, "encoding of generated cert, default: der"},
 		}
 	});
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index c3ac0c288..3bc62e74d 100644
--- a/src/pki/commands/keyid.c
+++ b/src/pki/commands/keyid.c
@@ -52,6 +52,11 @@ static int keyid()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
+				else if (streq(arg, "bliss-priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_BLISS;
+				}
 				else if (streq(arg, "pub"))
 				{
 					type = CRED_PUBLIC_KEY;
@@ -164,7 +169,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ keyid, 'k', "keyid",
 		"calculate key identifiers of a key/certificate",
-		{"[--in file] [--type rsa-priv|ecdsa-priv|pub|pkcs10|x509]"},
+		{"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/pkcs12.c b/src/pki/commands/pkcs12.c
new file mode 100644
index 000000000..dcd1496ba
--- /dev/null
+++ b/src/pki/commands/pkcs12.c
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+
+#include "pki.h"
+
+#include <credentials/certificates/x509.h>
+#include <credentials/containers/pkcs12.h>
+
+/**
+ * Show info about PKCS#12 container
+ */
+static int show(pkcs12_t *pkcs12)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	private_key_t *key;
+	int index = 1;
+
+	printf("Certificates:\n");
+	enumerator = pkcs12->create_cert_enumerator(pkcs12);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		x509_t *x509 = (x509_t*)cert;
+
+		if (x509->get_flags(x509) & X509_CA)
+		{
+			printf("[%2d] \"%Y\" (CA)\n", index++, cert->get_subject(cert));
+		}
+		else
+		{
+			printf("[%2d] \"%Y\"\n", index++, cert->get_subject(cert));
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	printf("Private keys:\n");
+	enumerator = pkcs12->create_key_enumerator(pkcs12);
+	while (enumerator->enumerate(enumerator, &key))
+	{
+		printf("[%2d] %N %d bits\n", index++, key_type_names,
+			   key->get_type(key), key->get_keysize(key));
+	}
+	enumerator->destroy(enumerator);
+	return 0;
+}
+
+static int export(pkcs12_t *pkcs12, int index, char *outform)
+{
+	cred_encoding_type_t form;
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	private_key_t *key;
+	chunk_t encoding;
+	int i = 1;
+
+	enumerator = pkcs12->create_cert_enumerator(pkcs12);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		if (i++ == index)
+		{
+			form = CERT_ASN1_DER;
+			if (outform && !get_form(outform, &form, CRED_CERTIFICATE))
+			{
+				enumerator->destroy(enumerator);
+				return command_usage("invalid output format");
+			}
+			if (cert->get_encoding(cert, form, &encoding))
+			{
+				set_file_mode(stdout, form);
+				if (fwrite(encoding.ptr, encoding.len, 1, stdout) == 1)
+				{
+					free(encoding.ptr);
+					enumerator->destroy(enumerator);
+					return 0;
+				}
+				free(encoding.ptr);
+			}
+			fprintf(stderr, "certificate export failed\n");
+			enumerator->destroy(enumerator);
+			return 1;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = pkcs12->create_key_enumerator(pkcs12);
+	while (enumerator->enumerate(enumerator, &key))
+	{
+		if (i++ == index)
+		{
+			form = PRIVKEY_ASN1_DER;
+			if (outform && !get_form(outform, &form, CRED_PRIVATE_KEY))
+			{
+				enumerator->destroy(enumerator);
+				return command_usage("invalid output format");
+			}
+			if (key->get_encoding(key, form, &encoding))
+			{
+				set_file_mode(stdout, form);
+				if (fwrite(encoding.ptr, encoding.len, 1, stdout) == 1)
+				{
+					free(encoding.ptr);
+					enumerator->destroy(enumerator);
+					return 0;
+				}
+				free(encoding.ptr);
+			}
+			fprintf(stderr, "private key export failed\n");
+			enumerator->destroy(enumerator);
+			return 0;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	fprintf(stderr, "invalid index %d\n", index);
+	return 1;
+}
+
+
+/**
+ * Handle PKCs#12 containers
+ */
+static int pkcs12()
+{
+	char *arg, *file = NULL, *outform = NULL;
+	pkcs12_t *p12 = NULL;
+	int res = 1, index = 0;
+	enum {
+		OP_NONE,
+		OP_LIST,
+		OP_EXPORT,
+	} op = OP_NONE;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 'i':
+				file = arg;
+				continue;
+			case 'l':
+				if (op != OP_NONE)
+				{
+					goto invalid;
+				}
+				op = OP_LIST;
+				continue;
+			case 'e':
+				if (op != OP_NONE)
+				{
+					goto invalid;
+				}
+				op = OP_EXPORT;
+				index = atoi(arg);
+				continue;
+			case 'f':
+				outform = arg;
+				continue;
+			case EOF:
+				break;
+			default:
+			invalid:
+				return command_usage("invalid --pkcs12 option");
+		}
+		break;
+	}
+
+	if (file)
+	{
+		p12 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS12,
+								  BUILD_FROM_FILE, file, BUILD_END);
+	}
+	else
+	{
+		chunk_t chunk;
+
+		set_file_mode(stdin, CERT_ASN1_DER);
+		if (!chunk_from_fd(0, &chunk))
+		{
+			fprintf(stderr, "reading input failed: %s\n", strerror(errno));
+			return 1;
+		}
+		p12 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS12,
+								  BUILD_BLOB, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
+
+	if (!p12)
+	{
+		fprintf(stderr, "reading input failed!\n");
+		goto end;
+	}
+
+	switch (op)
+	{
+		case OP_LIST:
+			res = show(p12);
+			break;
+		case OP_EXPORT:
+			res = export(p12, index, outform);
+			break;
+		default:
+			p12->container.destroy(&p12->container);
+			return command_usage(NULL);
+	}
+
+end:
+	if (p12)
+	{
+		p12->container.destroy(&p12->container);
+	}
+	return res;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		pkcs12, 'u', "pkcs12", "PKCS#12 functions",
+		{"--export index|--list [--in file]",
+		 "[--outform der|pem]"},
+		{
+			{"help",	'h', 0, "show usage information"},
+			{"in",		'i', 1, "input file, default: stdin"},
+			{"list",	'l', 0, "list certificates and keys"},
+			{"export",	'e', 1, "export the credential with the given index"},
+			{"outform",	'f', 1, "encoding of exported credentials, default: der"},
+		}
+	});
+}
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index fb07169bf..fa69de133 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -32,9 +32,12 @@
 static void print_pubkey(public_key_t *key)
 {
 	chunk_t chunk;
+	key_type_t type;
+
+	type = key->get_type(key);
+	printf("pubkey:    %N %d bits%s\n", key_type_names, type,
+			key->get_keysize(key), (type == KEY_BLISS) ? " strength" : "");
 
-	printf("pubkey:    %N %d bits\n", key_type_names, key->get_type(key),
-		   key->get_keysize(key));
 	if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
 	{
 		printf("keyid:     %#B\n", &chunk);
@@ -66,6 +69,22 @@ static void print_key(private_key_t *key)
 }
 
 /**
+ * Get a prefix for a named constraint identity type
+ */
+static char* get_type_pfx(identification_t *id)
+{
+	switch (id->get_type(id))
+	{
+		case ID_RFC822_ADDR:
+			return "email:";
+		case ID_FQDN:
+			return "dns:";
+		default:
+			return "";
+	}
+}
+
+/**
  * Print X509 specific certificate information
  */
 static void print_x509(x509_t *x509)
@@ -202,7 +221,7 @@ static void print_x509(x509_t *x509)
 			printf("Permitted NameConstraints:\n");
 			first = FALSE;
 		}
-		printf("           %Y\n", id);
+		printf("           %s%Y\n", get_type_pfx(id), id);
 	}
 	enumerator->destroy(enumerator);
 	first = TRUE;
@@ -214,7 +233,7 @@ static void print_x509(x509_t *x509)
 			printf("Excluded NameConstraints:\n");
 			first = FALSE;
 		}
-		printf("           %Y\n", id);
+		printf("           %s%Y\n", get_type_pfx(id), id);
 	}
 	enumerator->destroy(enumerator);
 
@@ -580,6 +599,11 @@ static int print()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
+				else if (streq(arg, "bliss-priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_BLISS;
+				}
 				else
 				{
 					return command_usage( "invalid input type");
@@ -652,7 +676,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ print, 'a', "print",
 		"print a credential in a human readable form",
-		{"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509|crl|ac]"},
+		{"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|x509|crl|ac]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index b8d2f701d..ccc3c4251 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -53,6 +54,11 @@ static int pub()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
+				else if (streq(arg, "bliss"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_BLISS;
+				}
 				else if (streq(arg, "pub"))
 				{
 					type = CRED_PUBLIC_KEY;
@@ -183,7 +189,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		pub, 'p', "pub",
 		"extract the public key from a private key/certificate",
-		{"[--in file|--keyid hex] [--type rsa|ecdsa|pub|pkcs10|x509]",
+		{"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|pub|pkcs10|x509]",
 		 "[--outform der|pem|dnskey|sshkey]"},
 		{
 			{"help",	'h', 0, "show usage information"},
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 023683569..da991b505 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2009 Andreas Steffen
+ * Copyright (C) 2009-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -30,7 +31,7 @@ static int req()
 {
 	cred_encoding_type_t form = CERT_ASN1_DER;
 	key_type_t type = KEY_RSA;
-	hash_algorithm_t digest = HASH_SHA1;
+	hash_algorithm_t digest = HASH_UNKNOWN;
 	certificate_t *cert = NULL;
 	private_key_t *private = NULL;
 	char *file = NULL, *dn = NULL, *error = NULL;
@@ -57,6 +58,10 @@ static int req()
 				{
 					type = KEY_ECDSA;
 				}
+				else if (streq(arg, "bliss"))
+				{
+					type = KEY_BLISS;
+				}
 				else
 				{
 					error = "invalid input type";
@@ -134,6 +139,10 @@ static int req()
 		error = "parsing private key failed";
 		goto end;
 	}
+	if (digest == HASH_UNKNOWN)
+	{
+		digest = get_default_digest(private);
+	}
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
 							  BUILD_SIGNING_KEY, private,
 							  BUILD_SUBJECT, id,
@@ -185,7 +194,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		req, 'r', "req",
 		"create a PKCS#10 certificate request",
-		{"  [--in file] [--type rsa|ecdsa] --dn distinguished-name",
+		{"  [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
 		 "[--san subjectAltName]+ [--password challengePassword]",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 		{
@@ -195,7 +204,7 @@ static void __attribute__ ((constructor))reg()
 			{"dn",		'd', 1, "subject distinguished name"},
 			{"san",		'a', 1, "subjectAltName to include in cert request"},
 			{"password",'p', 1, "challengePassword to include in cert request"},
-			{"digest",	'g', 1, "digest for signature creation, default: sha1"},
+			{"digest",	'g', 1, "digest for signature creation, default: key-specific"},
 			{"outform",	'f', 1, "encoding of generated request, default: der"},
 		}
 	});
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index daefcdc10..a785c2a0c 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -49,7 +50,7 @@ static int self()
 {
 	cred_encoding_type_t form = CERT_ASN1_DER;
 	key_type_t type = KEY_RSA;
-	hash_algorithm_t digest = HASH_SHA1;
+	hash_algorithm_t digest = HASH_UNKNOWN;
 	certificate_t *cert = NULL;
 	private_key_t *private = NULL;
 	public_key_t *public = NULL;
@@ -57,7 +58,8 @@ static int self()
 	identification_t *id = NULL;
 	linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings;
 	int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
-	int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
+	int inhibit_mapping = X509_NO_CONSTRAINT;
+	int require_explicit = X509_NO_CONSTRAINT;
 	chunk_t serial = chunk_empty;
 	chunk_t encoding = chunk_empty;
 	time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
@@ -88,6 +90,10 @@ static int self()
 				{
 					type = KEY_ECDSA;
 				}
+				else if (streq(arg, "bliss"))
+				{
+					type = KEY_BLISS;
+				}
 				else
 				{
 					error = "invalid input type";
@@ -308,6 +314,10 @@ static int self()
 		error = "loading private key failed";
 		goto end;
 	}
+	if (digest == HASH_UNKNOWN)
+	{
+		digest = get_default_digest(private);
+	}
 	public = private->get_public_key(private);
 	if (!public)
 	{
@@ -407,7 +417,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		self, 's', "self",
 		"create a self signed certificate",
-		{" [--in file|--keyid hex] [--type rsa|ecdsa]",
+		{" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -441,7 +451,7 @@ static void __attribute__ ((constructor))reg()
 			{"policy-any",		'A', 1, "inhibitAnyPolicy constraint"},
 			{"flag",			'e', 1, "include extendedKeyUsage flag"},
 			{"ocsp",			'o', 1, "OCSP AuthorityInfoAccess URI to include"},
-			{"digest",			'g', 1, "digest for signature creation, default: sha1"},
+			{"digest",			'g', 1, "digest for signature creation, default: key-specific"},
 			{"outform",			'f', 1, "encoding of generated cert, default: der"},
 		}
 	});
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index e5f49efe2..720dfd8a9 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -117,7 +117,7 @@ static int sign_crl()
 	certificate_t *ca = NULL, *crl = NULL;
 	crl_t *lastcrl = NULL;
 	x509_t *x509;
-	hash_algorithm_t digest = HASH_SHA1;
+	hash_algorithm_t digest = HASH_UNKNOWN;
 	char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
 	char *basecrl = NULL;
 	char serial[512], *keyid = NULL;
@@ -330,6 +330,10 @@ static int sign_crl()
 		error = "loading CA private key failed";
 		goto error;
 	}
+	if (digest == HASH_UNKNOWN)
+	{
+		digest = get_default_digest(private);
+	}
 	if (!private->belongs_to(private, public))
 	{
 		error = "CA private key does not match CA certificate";
@@ -465,7 +469,7 @@ static void __attribute__ ((constructor))reg()
 			{"serial",		's', 1, "hex encoded certificate serial number to revoke"},
 			{"reason",		'r', 1, "reason for certificate revocation"},
 			{"date",		'd', 1, "revocation date as unix timestamp, default: now"},
-			{"digest",		'g', 1, "digest for signature creation, default: sha1"},
+			{"digest",		'g', 1, "digest for signature creation, default: key-specific"},
 			{"outform",		'f', 1, "encoding of generated crl, default: der"},
 		}
 	});
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index c288015de..45355bacd 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -81,10 +81,11 @@ subdir = src/pki/man
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(srcdir)/pki.1.in $(srcdir)/pki---gen.1.in \
 	$(srcdir)/pki---issue.1.in $(srcdir)/pki---keyid.1.in \
-	$(srcdir)/pki---pkcs7.1.in $(srcdir)/pki---print.1.in \
-	$(srcdir)/pki---pub.1.in $(srcdir)/pki---req.1.in \
-	$(srcdir)/pki---self.1.in $(srcdir)/pki---signcrl.1.in \
-	$(srcdir)/pki---acert.1.in $(srcdir)/pki---verify.1.in
+	$(srcdir)/pki---pkcs7.1.in $(srcdir)/pki---pkcs12.1.in \
+	$(srcdir)/pki---print.1.in $(srcdir)/pki---pub.1.in \
+	$(srcdir)/pki---req.1.in $(srcdir)/pki---self.1.in \
+	$(srcdir)/pki---signcrl.1.in $(srcdir)/pki---acert.1.in \
+	$(srcdir)/pki---verify.1.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -101,8 +102,9 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES = pki.1 pki---gen.1 pki---issue.1 pki---keyid.1 \
-	pki---pkcs7.1 pki---print.1 pki---pub.1 pki---req.1 \
-	pki---self.1 pki---signcrl.1 pki---acert.1 pki---verify.1
+	pki---pkcs7.1 pki---pkcs12.1 pki---print.1 pki---pub.1 \
+	pki---req.1 pki---self.1 pki---signcrl.1 pki---acert.1 \
+	pki---verify.1
 CONFIG_CLEAN_VPATH_FILES =
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -181,6 +183,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -241,10 +244,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -318,6 +323,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -434,6 +441,8 @@ pki---keyid.1: $(top_builddir)/config.status $(srcdir)/pki---keyid.1.in
 	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 pki---pkcs7.1: $(top_builddir)/config.status $(srcdir)/pki---pkcs7.1.in
 	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---pkcs12.1: $(top_builddir)/config.status $(srcdir)/pki---pkcs12.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 pki---print.1: $(top_builddir)/config.status $(srcdir)/pki---print.1.in
 	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 pki---pub.1: $(top_builddir)/config.status $(srcdir)/pki---pub.1.in
diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in
index ec1d8be6e..d7460fd1f 100644
--- a/src/pki/man/pki---acert.1.in
+++ b/src/pki/man/pki---acert.1.in
@@ -99,8 +99,8 @@ Serial number in hex. It is randomly allocated by default.
 .TP
 .BI "\-g, \-\-digest " digest
 Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha1\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
+determined based on the type and size of the signature key.
 .TP
 .BI "\-f, \-\-outform " encoding
 Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 375cb2fe4..3a89059c8 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -122,8 +122,8 @@ Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
 .TP
 .BI "\-g, \-\-digest " digest
 Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha1\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR.  The default is
+determined based on the type and size of the signature key.
 .TP
 .BI "\-f, \-\-outform " encoding
 Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
@@ -147,10 +147,22 @@ times.
 Set path length constraint.
 .TP
 .BI "\-n, \-\-nc-permitted " name
-Add permitted NameConstraint extension to certificate.
+Add permitted NameConstraint extension to certificate. For DNS or email
+constraints, the identity type is not always detectable by the given name. Use
+the
+.B dns:
+or
+.B email:
+prefix to force a constraint type.
 .TP
 .BI "\-N, \-\-nc-excluded " name
-Add excluded NameConstraint extension to certificate.
+Add excluded NameConstraint extension to certificate. For DNS or email
+constraints, the identity type is not always detectable by the given name. Use
+the
+.B dns:
+or
+.B email:
+prefix to force a constraint type.
 .TP
 .BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
 Add policyMapping from issuer to subject OID.
diff --git a/src/pki/man/pki---pkcs12.1.in b/src/pki/man/pki---pkcs12.1.in
new file mode 100644
index 000000000..470a66389
--- /dev/null
+++ b/src/pki/man/pki---pkcs12.1.in
@@ -0,0 +1,62 @@
+.TH "PKI \-\-PKCS12" 1 "2014-10-17" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-pkcs12 \- Provides PKCS#12 functions
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-pkcs12
+.BR \-\-list
+.OP \-\-in file
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-pkcs12
+.BI \-\-export\~ index
+.OP \-\-in file
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-pkcs12
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-pkcs12"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+provides functions to work with PKCS#12 containers.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-l, \-\-list"
+List certificates and keys contained in a PKCS#12 container.
+.TP
+.BI "\-e, \-\-export " index
+Export the credential with the given \fIindex\fR.  Use \fI\-\-list\fR to
+determine the index of certificates and keys.
+.TP
+.BI "\-i, \-\-in " file
+PKCS#12 input file. If not given the input is read from \fISTDIN\fR.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
\ No newline at end of file
diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in
index ab144ce2a..a6f6a480a 100644
--- a/src/pki/man/pki---req.1.in
+++ b/src/pki/man/pki---req.1.in
@@ -62,8 +62,8 @@ The challengePassword to include in the certificate request.
 .TP
 .BI "\-g, \-\-digest " digest
 Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha1\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR.  The default is
+determined based on the type and size of the signature key.
 .TP
 .BI "\-f, \-\-outform " encoding
 Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index 5e6e78bd0..53f53f816 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -109,8 +109,8 @@ Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
 .TP
 .BI "\-g, \-\-digest " digest
 Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha1\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR.  The default is
+determined based on the type and size of the signature key.
 .TP
 .BI "\-f, \-\-outform " encoding
 Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
@@ -127,10 +127,22 @@ times.
 Set path length constraint.
 .TP
 .BI "\-n, \-\-nc-permitted " name
-Add permitted NameConstraint extension to certificate.
+Add permitted NameConstraint extension to certificate. For DNS or email
+constraints, the identity type is not always detectable by the given name. Use
+the
+.B dns:
+or
+.B email:
+prefix to force a constraint type.
 .TP
 .BI "\-N, \-\-nc-excluded " name
-Add excluded NameConstraint extension to certificate.
+Add excluded NameConstraint extension to certificate. For DNS or email
+constraints, the identity type is not always detectable by the given name. Use
+the
+.B dns:
+or
+.B email:
+prefix to force a constraint type.
 .TP
 .BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
 Add policyMapping from issuer to subject OID.
diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in
index bd6cba547..b930bfa3c 100644
--- a/src/pki/man/pki---signcrl.1.in
+++ b/src/pki/man/pki---signcrl.1.in
@@ -98,8 +98,8 @@ Freshest delta CRL URI to include in CRL. Can be used multiple times.
 .TP
 .BI "\-g, \-\-digest " digest
 Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha1\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR.  The default is
+determined based on the type and size of the signature key.
 .TP
 .BI "\-f, \-\-outform " encoding
 Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
diff --git a/src/pki/pki.c b/src/pki/pki.c
index 434287de6..472704945 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012-2014 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -22,6 +23,7 @@
 #include <fcntl.h>
 
 #include <utils/debug.h>
+#include <credentials/sets/mem_cred.h>
 #include <credentials/sets/callback_cred.h>
 
 /**
@@ -235,12 +237,40 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc)
 #endif
 }
 
+/*
+ * Described in header
+ */
+hash_algorithm_t get_default_digest(private_key_t *private)
+{
+	enumerator_t *enumerator;
+	signature_scheme_t scheme;
+	hash_algorithm_t alg = HASH_UNKNOWN;
+
+	enumerator = signature_schemes_for_key(private->get_type(private),
+										   private->get_keysize(private));
+	if (enumerator->enumerate(enumerator, &scheme))
+	{
+		alg = hasher_from_signature_scheme(scheme);
+	}
+	enumerator->destroy(enumerator);
+
+	/* default to SHA-256 */
+	return alg == HASH_UNKNOWN ? HASH_SHA256 : alg;
+}
+
 /**
  * Callback credential set pki uses
  */
 static callback_cred_t *cb_set;
 
 /**
+ * Credential set to cache entered secrets
+ */
+static mem_cred_t *cb_creds;
+
+static shared_key_type_t prompted;
+
+/**
  * Callback function to receive credentials
  */
 static shared_key_t* cb(void *data, shared_key_type_t type,
@@ -248,7 +278,12 @@ static shared_key_t* cb(void *data, shared_key_type_t type,
 						id_match_t *match_me, id_match_t *match_other)
 {
 	char buf[64], *label, *secret = NULL;
+	shared_key_t *shared;
 
+	if (prompted == type)
+	{
+		return NULL;
+	}
 	switch (type)
 	{
 		case SHARED_PIN:
@@ -266,6 +301,7 @@ static shared_key_t* cb(void *data, shared_key_type_t type,
 #endif
 	if (secret && strlen(secret))
 	{
+		prompted = type;
 		if (match_me)
 		{
 			*match_me = ID_MATCH_PERFECT;
@@ -274,8 +310,10 @@ static shared_key_t* cb(void *data, shared_key_type_t type,
 		{
 			*match_other = ID_MATCH_NONE;
 		}
-		return shared_key_create(type,
-							chunk_clone(chunk_create(secret, strlen(secret))));
+		shared = shared_key_create(type, chunk_clone(chunk_from_str(secret)));
+		/* cache password in case it is required more than once */
+		cb_creds->add_shared(cb_creds, shared, NULL);
+		return shared->get_ref(shared);
 	}
 	return NULL;
 }
@@ -287,6 +325,8 @@ static void add_callback()
 {
 	cb_set = callback_cred_create_shared(cb, NULL);
 	lib->credmgr->add_set(lib->credmgr, &cb_set->set);
+	cb_creds = mem_cred_create();
+	lib->credmgr->add_set(lib->credmgr, &cb_creds->set);
 }
 
 /**
@@ -294,6 +334,8 @@ static void add_callback()
  */
 static void remove_callback()
 {
+	lib->credmgr->remove_set(lib->credmgr, &cb_creds->set);
+	cb_creds->destroy(cb_creds);
 	lib->credmgr->remove_set(lib->credmgr, &cb_set->set);
 	cb_set->destroy(cb_set);
 }
diff --git a/src/pki/pki.h b/src/pki/pki.h
index 1f0827733..017e61df6 100644
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -55,4 +55,12 @@ bool calculate_lifetime(char *format, char *nbstr, char *nastr, time_t span,
  */
 void set_file_mode(FILE *stream, cred_encoding_type_t enc);
 
+/**
+ * Select default digest for signatures with the given key
+ *
+ * @param private	private key
+ * @return			hash algorithm
+ */
+hash_algorithm_t get_default_digest(private_key_t *private);
+
 #endif /** PKI_H_ @}*/
diff --git a/src/pool/Makefile.am b/src/pool/Makefile.am
index b8d662e57..5ae624b88 100644
--- a/src/pool/Makefile.am
+++ b/src/pool/Makefile.am
@@ -11,11 +11,13 @@ pool.o :	$(top_builddir)/config.status
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${pool_plugins}\""
 
 pool_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la
 
 endif USE_ATTR_SQL
 
diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in
index 4f753a0bb..b9557547a 100644
--- a/src/pool/Makefile.in
+++ b/src/pool/Makefile.in
@@ -109,7 +109,8 @@ am__pool_SOURCES_DIST = pool.c pool_attributes.c pool_attributes.h \
 @USE_ATTR_SQL_TRUE@	pool_usage.$(OBJEXT)
 pool_OBJECTS = $(am_pool_OBJECTS)
 @USE_ATTR_SQL_TRUE@pool_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la \
-@USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libhydra/libhydra.la
+@USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libhydra/libhydra.la \
+@USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libcharon/libcharon.la
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
@@ -228,6 +229,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -288,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -365,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -430,11 +436,13 @@ xml_LIBS = @xml_LIBS@
 @USE_ATTR_SQL_TRUE@AM_CPPFLAGS = \
 @USE_ATTR_SQL_TRUE@	-I$(top_srcdir)/src/libstrongswan \
 @USE_ATTR_SQL_TRUE@	-I$(top_srcdir)/src/libhydra \
+@USE_ATTR_SQL_TRUE@	-I$(top_srcdir)/src/libcharon \
 @USE_ATTR_SQL_TRUE@	-DPLUGINS=\""${pool_plugins}\""
 
 @USE_ATTR_SQL_TRUE@pool_LDADD = \
 @USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-@USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libhydra/libhydra.la
+@USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libhydra/libhydra.la \
+@USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libcharon/libcharon.la
 
 templatesdir = $(pkgdatadir)/templates/database/sql
 dist_templates_DATA = mysql.sql sqlite.sql
diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in
index 7ee25c007..a02db98f2 100644
--- a/src/pt-tls-client/Makefile.in
+++ b/src/pt-tls-client/Makefile.in
@@ -198,6 +198,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -258,10 +259,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -335,6 +338,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c
index a8d45b54f..3a179af17 100644
--- a/src/pt-tls-client/pt-tls-client.c
+++ b/src/pt-tls-client/pt-tls-client.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010-2013 Martin Willi, revosec AG
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
  * HSR Hochschule für Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -54,32 +54,44 @@ static int client(char *address, u_int16_t port, char *identity)
 {
 	pt_tls_client_t *assessment;
 	tls_t *tnccs;
-	identification_t *server, *client;
-	host_t *host;
+	identification_t *server_id, *client_id;
+	host_t *server_ip, *client_ip;
 	status_t status;
 
-	host = host_create_from_dns(address, AF_UNSPEC, port);
-	if (!host)
+	server_ip = host_create_from_dns(address, AF_UNSPEC, port);
+	if (!server_ip)
 	{
 		return 1;
 	}
-	server = identification_create_from_string(address);
-	client = identification_create_from_string(identity);
+
+	client_ip = host_create_any(server_ip->get_family(server_ip));
+	if (!client_ip)
+	{
+		server_ip->destroy(server_ip);
+		return 1;
+	}
+	server_id = identification_create_from_string(address);
+	client_id = identification_create_from_string(identity);
+
 	tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE,
-								server, client, TNC_IFT_TLS_2_0, NULL);
+								server_id, client_id, server_ip, client_ip,
+								TNC_IFT_TLS_2_0, NULL);
+	client_ip->destroy(client_ip);
+
 	if (!tnccs)
 	{
 		fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS);
-		host->destroy(host);
-		server->destroy(server);
-		client->destroy(client);
+		server_ip->destroy(server_ip);
+		server_id->destroy(server_id);
+		client_id->destroy(client_id);
 		return 1;
 	}
-	assessment = pt_tls_client_create(host, server, client);
+	assessment = pt_tls_client_create(server_ip, server_id, client_id);
 	status = assessment->run_assessment(assessment, (tnccs_t*)tnccs);
 	assessment->destroy(assessment);
 	tnccs->destroy(tnccs);
-	return status;
+
+	return (status != SUCCESS);
 }
 
 
@@ -258,6 +270,7 @@ int main(int argc, char *argv[])
 			{"port",		required_argument,		NULL,		'p' },
 			{"cert",		required_argument,		NULL,		'x' },
 			{"key",			required_argument,		NULL,		'k' },
+			{"mutual",		no_argument,			NULL,		'm' },
 			{"quiet",		no_argument,			NULL,		'q' },
 			{"debug",		required_argument,		NULL,		'd' },
 			{"optionsfrom",	required_argument,		NULL,		'+' },
@@ -299,6 +312,10 @@ int main(int argc, char *argv[])
 			case 'p':			/* --port <port> */
 				port = atoi(optarg);
 				continue;
+			case 'm':			/* --mutual */
+				lib->settings->set_bool(lib->settings,
+								"%s.plugins.tnccs-20.mutual", TRUE, lib->ns);
+				continue;
 			case 'q':       	/* --quiet */
 				log_to_stderr = FALSE;
 				continue;
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 6a947efa6..bcc70cb1b 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -225,6 +225,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -285,10 +286,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -362,6 +365,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 88d362f6c..ee68adc21 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -271,6 +271,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -331,10 +332,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -408,6 +411,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/starter/cmp.c b/src/starter/cmp.c
index cea864a4a..aee55d94c 100644
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@@ -45,7 +45,7 @@ bool starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2)
 	VARCMP(mark_in.value);
 	VARCMP(mark_in.mask);
 	VARCMP(mark_out.value);
-	VARCMP(mark_in.mask);
+	VARCMP(mark_out.mask);
 	VARCMP(tfc);
 	VARCMP(sa_keying_tries);
 
diff --git a/src/starter/parser/lexer.c b/src/starter/parser/lexer.c
index 157b89c31..cebf5a06c 100644
--- a/src/starter/parser/lexer.c
+++ b/src/starter/parser/lexer.c
@@ -456,8 +456,8 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner );
 	yyg->yy_c_buf_p = yy_cp;
 
 /* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */
-#define YY_NUM_RULES 28
-#define YY_END_OF_BUFFER 29
+#define YY_NUM_RULES 29
+#define YY_END_OF_BUFFER 30
 /* This struct is not used in this scanner,
    but its presence is necessary. */
 struct yy_trans_info
@@ -465,34 +465,35 @@ struct yy_trans_info
 	flex_int32_t yy_verify;
 	flex_int32_t yy_nxt;
 	};
-static yyconst flex_int16_t yy_accept[81] =
+static yyconst flex_int16_t yy_accept[83] =
     {   0,
-        0,    0,    0,    0,    0,    0,   29,   12,    3,    5,
+        0,    0,    0,    0,    0,    0,   30,   12,    3,    5,
        11,    4,    6,   12,   12,    2,   12,   12,   17,   13,
-       14,   15,   27,   19,   18,   20,   12,    3,    4,    4,
-        0,   12,    2,    0,    9,   12,   12,   17,   16,   27,
-       26,   24,   25,   21,   22,   23,   12,    0,   12,   12,
-       12,    0,   12,    8,   12,   12,    0,   12,   12,   12,
-        0,   12,   12,   12,    0,    0,   12,    0,    0,    0,
-       12,    0,    1,   10,   10,    0,    0,    0,    7,    0
+       14,   15,   28,   19,   18,   20,   12,    3,    4,    4,
+        0,   12,    2,    0,    9,   12,   12,   17,   16,   28,
+       27,   26,   27,   24,   25,   21,   22,   23,   12,    0,
+       12,   12,   12,    0,   12,    8,   12,   12,    0,   12,
+       12,   12,    0,   12,   12,   12,    0,    0,   12,    0,
+        0,    0,   12,    0,    1,   10,   10,    0,    0,    0,
+        7,    0
     } ;
 
 static yyconst flex_int32_t yy_ec[256] =
     {   0,
         1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
+        1,    1,    4,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    5,    1,    6,    7,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    4,    1,    5,    6,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        8,    1,    1,    9,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        7,    1,    1,    8,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    9,    1,    1,    1,    1,   10,   11,   12,   13,
+        1,   10,    1,    1,    1,    1,   11,   12,   13,   14,
 
-       14,   15,   16,    1,   17,    1,    1,   18,    1,   19,
-       20,   21,    1,   22,   23,   24,   25,   26,    1,    1,
-        1,    1,    1,    1,   27,    1,    1,    1,    1,    1,
+       15,   16,   17,    1,   18,    1,    1,   19,    1,   20,
+       21,   22,    1,   23,   24,   25,   26,   27,    1,    1,
+        1,    1,    1,    1,   28,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
@@ -509,106 +510,110 @@ static yyconst flex_int32_t yy_ec[256] =
         1,    1,    1,    1,    1
     } ;
 
-static yyconst flex_int32_t yy_meta[28] =
+static yyconst flex_int32_t yy_meta[29] =
     {   0,
-        1,    2,    3,    2,    4,    2,    5,    1,    6,    1,
+        1,    2,    3,    1,    2,    4,    2,    5,    1,    6,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1
+        1,    1,    1,    1,    1,    1,    1,    1
     } ;
 
-static yyconst flex_int16_t yy_base[92] =
+static yyconst flex_int16_t yy_base[94] =
     {   0,
-        0,   16,   41,   49,    6,    7,  141,    0,   23,  172,
-      172,    0,  172,  134,  120,   30,   20,  120,    0,  172,
-      172,   33,    0,  172,  172,   50,    0,   60,    0,    0,
-        0,  118,   69,  115,    0,  109,  105,    0,  172,    0,
-      172,  172,  172,  172,  172,  172,   76,   71,   16,   69,
-       66,   67,   72,    0,   71,   74,   69,   69,   64,   69,
-       62,   77,   61,   55,   60,   54,   94,   66,   64,   49,
-      100,   46,  172,  172,   74,   24,   16,    5,  172,  172,
-      107,  113,  119,  125,  131,  137,  142,  147,  153,  159,
-      165
+        0,   17,   43,   52,    7,   26,  102,    0,    9,  189,
+      189,    0,  189,   93,   79,   36,   10,   83,    0,  189,
+      189,   59,    0,  189,  189,   85,    0,   32,    0,    0,
+        0,   83,   65,   80,    0,   74,   70,    0,  189,    0,
+      189,  189,   88,  189,  189,  189,  189,  189,   71,   63,
+       31,   61,   58,   59,   64,    0,   63,   66,   61,   61,
+       56,   60,   53,   64,   41,   10,   40,   32,  109,   66,
+       49,   27,  116,   37,  189,  189,   71,    8,    2,    5,
+      189,  189,  124,  130,  136,  142,  148,  154,  159,  164,
+      170,  176,  182
 
     } ;
 
-static yyconst flex_int16_t yy_def[92] =
+static yyconst flex_int16_t yy_def[94] =
     {   0,
-       81,   81,   82,   82,   83,   83,   80,   84,   80,   80,
-       80,   85,   80,   84,   84,   80,   84,   84,   86,   80,
-       80,   80,   87,   80,   80,   88,   84,   80,   85,   85,
-       84,   84,   80,   80,   84,   84,   84,   86,   80,   87,
-       80,   80,   80,   80,   80,   80,   84,   80,   84,   84,
-       84,   80,   84,   84,   84,   84,   80,   84,   84,   84,
-       80,   84,   84,   84,   80,   80,   89,   90,   91,   80,
-       89,   91,   80,   80,   90,   80,   80,   80,   80,    0,
-       80,   80,   80,   80,   80,   80,   80,   80,   80,   80,
-       80
+       83,   83,   84,   84,   85,   85,   82,   86,   82,   82,
+       82,   87,   82,   86,   86,   82,   86,   86,   88,   82,
+       82,   82,   89,   82,   82,   90,   86,   82,   87,   87,
+       86,   86,   82,   82,   86,   86,   86,   88,   82,   89,
+       82,   82,   82,   82,   82,   82,   82,   82,   86,   82,
+       86,   86,   86,   82,   86,   86,   86,   86,   82,   86,
+       86,   86,   82,   86,   86,   86,   82,   82,   91,   92,
+       93,   82,   91,   93,   82,   82,   92,   82,   82,   82,
+       82,    0,   82,   82,   82,   82,   82,   82,   82,   82,
+       82,   82,   82
 
     } ;
 
-static yyconst flex_int16_t yy_nxt[200] =
+static yyconst flex_int16_t yy_nxt[218] =
     {   0,
-       80,    9,   10,    9,   11,   12,   13,   14,   24,   24,
-       25,   25,   80,   80,   26,   26,   15,   16,   10,   16,
-       11,   12,   13,   14,   28,   79,   28,   17,   29,   35,
-       53,   33,   15,   33,   54,   29,   39,   39,   39,   36,
-       78,   18,   20,   20,   20,   21,   20,   77,   73,   22,
-       20,   20,   20,   21,   20,   34,   68,   22,   68,   39,
-       42,   28,   76,   28,   43,   29,   73,   75,   44,   75,
-       33,   45,   33,   46,   29,   75,   70,   75,   69,   67,
-       66,   65,   64,   63,   62,   61,   60,   59,   58,   57,
-       56,   55,   52,   51,   34,   72,   73,   72,   72,   72,
-
-       72,   72,   73,   72,   72,   72,   72,    8,    8,    8,
-        8,    8,    8,   19,   19,   19,   19,   19,   19,   23,
-       23,   23,   23,   23,   23,   27,   50,   49,   48,   47,
-       27,   30,   30,   37,   30,   30,   30,   38,   32,   31,
-       80,   38,   40,   40,   80,   80,   40,   41,   41,   41,
-       41,   41,   41,   71,   71,   71,   71,   71,   71,   74,
-       74,   74,   74,   80,   74,   72,   72,   72,   72,   72,
-       72,    7,   80,   80,   80,   80,   80,   80,   80,   80,
-       80,   80,   80,   80,   80,   80,   80,   80,   80,   80,
-       80,   80,   80,   80,   80,   80,   80,   80,   80
-
+       82,    9,   10,   82,    9,   11,   12,   13,   14,   24,
+       28,   70,   25,   28,   70,   29,   26,   15,   16,   10,
+       35,   16,   11,   12,   13,   14,   81,   80,   24,   17,
+       36,   25,   79,   28,   15,   26,   28,   33,   29,   75,
+       33,   78,   29,   18,   20,   20,   55,   20,   21,   20,
+       56,   75,   22,   20,   20,   72,   20,   21,   20,   71,
+       69,   22,   34,   39,   39,   39,   33,   77,   68,   33,
+       77,   29,   77,   67,   66,   77,   65,   64,   63,   62,
+       61,   60,   59,   58,   57,   54,   39,   42,   43,   53,
+       42,   34,   52,   51,   50,   49,   44,   37,   32,   31,
+
+       45,   82,   82,   82,   46,   82,   82,   47,   82,   48,
+       74,   75,   82,   74,   74,   74,   74,   74,   75,   82,
+       74,   74,   74,   74,    8,    8,    8,    8,    8,    8,
+       19,   19,   19,   19,   19,   19,   23,   23,   23,   23,
+       23,   23,   27,   82,   82,   82,   82,   27,   30,   30,
+       82,   30,   30,   30,   38,   82,   82,   82,   38,   40,
+       40,   82,   82,   40,   41,   41,   41,   41,   41,   41,
+       73,   73,   73,   73,   73,   73,   76,   76,   76,   76,
+       82,   76,   74,   74,   74,   74,   74,   74,    7,   82,
+       82,   82,   82,   82,   82,   82,   82,   82,   82,   82,
+
+       82,   82,   82,   82,   82,   82,   82,   82,   82,   82,
+       82,   82,   82,   82,   82,   82,   82
     } ;
 
-static yyconst flex_int16_t yy_chk[200] =
+static yyconst flex_int16_t yy_chk[218] =
     {   0,
-        0,    1,    1,    1,    1,    1,    1,    1,    5,    6,
-        5,    6,    0,    0,    5,    6,    1,    2,    2,    2,
-        2,    2,    2,    2,    9,   78,    9,    2,    9,   17,
-       49,   16,    2,   16,   49,   16,   22,   22,   22,   17,
-       77,    2,    3,    3,    3,    3,    3,   76,   72,    3,
-        4,    4,    4,    4,    4,   16,   64,    4,   64,   22,
-       26,   28,   70,   28,   26,   28,   69,   68,   26,   68,
-       33,   26,   33,   26,   33,   75,   66,   75,   65,   63,
-       62,   61,   60,   59,   58,   57,   56,   55,   53,   52,
-       51,   50,   48,   47,   33,   67,   67,   67,   67,   67,
-
-       67,   71,   71,   71,   71,   71,   71,   81,   81,   81,
-       81,   81,   81,   82,   82,   82,   82,   82,   82,   83,
-       83,   83,   83,   83,   83,   84,   37,   36,   34,   32,
-       84,   85,   85,   18,   85,   85,   85,   86,   15,   14,
-        7,   86,   87,   87,    0,    0,   87,   88,   88,   88,
-       88,   88,   88,   89,   89,   89,   89,   89,   89,   90,
-       90,   90,   90,    0,   90,   91,   91,   91,   91,   91,
-       91,   80,   80,   80,   80,   80,   80,   80,   80,   80,
-       80,   80,   80,   80,   80,   80,   80,   80,   80,   80,
-       80,   80,   80,   80,   80,   80,   80,   80,   80
-
+        0,    1,    1,    0,    1,    1,    1,    1,    1,    5,
+        9,   66,    5,    9,   66,    9,    5,    1,    2,    2,
+       17,    2,    2,    2,    2,    2,   80,   79,    6,    2,
+       17,    6,   78,   28,    2,    6,   28,   16,   28,   74,
+       16,   72,   16,    2,    3,    3,   51,    3,    3,    3,
+       51,   71,    3,    4,    4,   68,    4,    4,    4,   67,
+       65,    4,   16,   22,   22,   22,   33,   70,   64,   33,
+       70,   33,   77,   63,   62,   77,   61,   60,   59,   58,
+       57,   55,   54,   53,   52,   50,   22,   26,   26,   49,
+       43,   33,   37,   36,   34,   32,   26,   18,   15,   14,
+
+       26,    7,    0,    0,   26,    0,    0,   26,    0,   26,
+       69,   69,    0,   69,   69,   69,   69,   73,   73,    0,
+       73,   73,   73,   73,   83,   83,   83,   83,   83,   83,
+       84,   84,   84,   84,   84,   84,   85,   85,   85,   85,
+       85,   85,   86,    0,    0,    0,    0,   86,   87,   87,
+        0,   87,   87,   87,   88,    0,    0,    0,   88,   89,
+       89,    0,    0,   89,   90,   90,   90,   90,   90,   90,
+       91,   91,   91,   91,   91,   91,   92,   92,   92,   92,
+        0,   92,   93,   93,   93,   93,   93,   93,   82,   82,
+       82,   82,   82,   82,   82,   82,   82,   82,   82,   82,
+
+       82,   82,   82,   82,   82,   82,   82,   82,   82,   82,
+       82,   82,   82,   82,   82,   82,   82
     } ;
 
 /* Table of booleans, true if rule could match eol. */
-static yyconst flex_int32_t yy_rule_can_match_eol[29] =
+static yyconst flex_int32_t yy_rule_can_match_eol[30] =
     {   0,
 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 
-    1, 0, 0, 0, 0, 0, 1, 0, 0,     };
+    1, 0, 0, 0, 0, 0, 1, 0, 0, 0,     };
 
-static yyconst flex_int16_t yy_rule_linenum[28] =
+static yyconst flex_int16_t yy_rule_linenum[29] =
     {   0,
        60,   61,   62,   63,   65,   67,   68,   69,   70,   72,
        77,   82,   90,  109,  112,  115,  118,  124,  126,  127,
-      150,  151,  152,  153,  154,  155,  158
+      150,  151,  152,  153,  154,  155,  156,  157
     } ;
 
 /* The intent behind this definition is that it'll catch
@@ -657,7 +662,7 @@ static void include_files(parser_helper_t *ctx);
 
 /* state used to scan quoted strings */
 
-#line 661 "parser/lexer.c"
+#line 666 "parser/lexer.c"
 
 #define INITIAL 0
 #define inc 1
@@ -972,7 +977,7 @@ YY_DECL
 #line 58 "parser/lexer.l"
 
 
-#line 976 "parser/lexer.c"
+#line 981 "parser/lexer.c"
 
     yylval = yylval_param;
 
@@ -1038,13 +1043,13 @@ yy_match:
 			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
 				{
 				yy_current_state = (int) yy_def[yy_current_state];
-				if ( yy_current_state >= 81 )
+				if ( yy_current_state >= 83 )
 					yy_c = yy_meta[(unsigned int) yy_c];
 				}
 			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
 			++yy_cp;
 			}
-		while ( yy_base[yy_current_state] != 172 );
+		while ( yy_base[yy_current_state] != 189 );
 
 yy_find_action:
 /* %% [10.0] code to find the action number goes here */
@@ -1079,13 +1084,13 @@ do_action:	/* This label is used only to access EOF actions. */
 			{
 			if ( yy_act == 0 )
 				fprintf( stderr, "--scanner backing up\n" );
-			else if ( yy_act < 28 )
+			else if ( yy_act < 29 )
 				fprintf( stderr, "--accepting rule at line %ld (\"%s\")\n",
 				         (long)yy_rule_linenum[yy_act], yytext );
-			else if ( yy_act == 28 )
+			else if ( yy_act == 29 )
 				fprintf( stderr, "--accepting default rule (\"%s\")\n",
 				         yytext );
-			else if ( yy_act == 29 )
+			else if ( yy_act == 30 )
 				fprintf( stderr, "--(end of buffer or a NUL)\n" );
 			else
 				fprintf( stderr, "--EOF (start condition %d)\n", YY_START );
@@ -1300,20 +1305,23 @@ case 26:
 /* rule 26 can match eol */
 YY_RULE_SETUP
 #line 155 "parser/lexer.l"
-{
-		yyextra->string_add(yyextra, yytext+1);
-	}
+/* merge lines that end with EOL characters */
 	YY_BREAK
 case 27:
 YY_RULE_SETUP
-#line 158 "parser/lexer.l"
+#line 156 "parser/lexer.l"
+yyextra->string_add(yyextra, yytext+1);
+	YY_BREAK
+case 28:
+YY_RULE_SETUP
+#line 157 "parser/lexer.l"
 {
 		yyextra->string_add(yyextra, yytext);
 	}
 	YY_BREAK
 
 case YY_STATE_EOF(INITIAL):
-#line 163 "parser/lexer.l"
+#line 162 "parser/lexer.l"
 {
 	conf_parser_pop_buffer_state(yyscanner);
 	if (!conf_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER)
@@ -1322,12 +1330,12 @@ case YY_STATE_EOF(INITIAL):
 	}
 }
 	YY_BREAK
-case 28:
+case 29:
 YY_RULE_SETUP
-#line 171 "parser/lexer.l"
+#line 170 "parser/lexer.l"
 YY_FATAL_ERROR( "flex scanner jammed" );
 	YY_BREAK
-#line 1331 "parser/lexer.c"
+#line 1339 "parser/lexer.c"
 
 	case YY_END_OF_BUFFER:
 		{
@@ -1641,7 +1649,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
 			{
 			yy_current_state = (int) yy_def[yy_current_state];
-			if ( yy_current_state >= 81 )
+			if ( yy_current_state >= 83 )
 				yy_c = yy_meta[(unsigned int) yy_c];
 			}
 		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
@@ -1675,11 +1683,11 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
 	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
 		{
 		yy_current_state = (int) yy_def[yy_current_state];
-		if ( yy_current_state >= 81 )
+		if ( yy_current_state >= 83 )
 			yy_c = yy_meta[(unsigned int) yy_c];
 		}
 	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
-	yy_is_jam = (yy_current_state == 80);
+	yy_is_jam = (yy_current_state == 82);
 
 	return yy_is_jam ? 0 : yy_current_state;
 }
@@ -2697,7 +2705,7 @@ void conf_parser_free (void * ptr , yyscan_t yyscanner)
 
 /* %ok-for-header */
 
-#line 171 "parser/lexer.l"
+#line 170 "parser/lexer.l"
 
 
 
diff --git a/src/starter/parser/lexer.l b/src/starter/parser/lexer.l
index a88cbe809..d967e745b 100644
--- a/src/starter/parser/lexer.l
+++ b/src/starter/parser/lexer.l
@@ -152,9 +152,8 @@ static void include_files(parser_helper_t *ctx);
 	\\t     yyextra->string_add(yyextra, "\t");
 	\\b     yyextra->string_add(yyextra, "\b");
 	\\f     yyextra->string_add(yyextra, "\f");
-	\\(.|\n)			{
-		yyextra->string_add(yyextra, yytext+1);
-	}
+	\\\r?\n /* merge lines that end with EOL characters */
+	\\.     yyextra->string_add(yyextra, yytext+1);
 	[^\\\n"]+			{
 		yyextra->string_add(yyextra, yytext);
 	}
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 1e305db8b..6e1f1605d 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -35,10 +35,16 @@ static char* push_string(stroke_msg_t *msg, char *string)
 {
 	unsigned long string_start = msg->length;
 
-	if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
+	if (string == NULL)
 	{
 		return NULL;
 	}
+	else if ((size_t)msg->length + strlen(string) >= sizeof(stroke_msg_t))
+	{
+		/* set invalid length to fail during message send */
+		msg->length = ~0;
+		return NULL;
+	}
 	else
 	{
 		msg->length += strlen(string) + 1;
@@ -53,6 +59,12 @@ static int send_stroke_msg (stroke_msg_t *msg)
 	char *uri, buffer[64];
 	int count;
 
+	if (msg->length > sizeof(stroke_msg_t))
+	{
+		DBG1(DBG_APP, "stroke message exceeds buffer size");
+		return -1;
+	}
+
 	/* starter is not called from commandline, and therefore absolutely silent */
 	msg->output_verbosity = -1;
 
diff --git a/src/starter/tests/Makefile.in b/src/starter/tests/Makefile.in
index d42a0d286..b26125501 100644
--- a/src/starter/tests/Makefile.in
+++ b/src/starter/tests/Makefile.in
@@ -223,6 +223,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -283,10 +284,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -360,6 +363,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 9c041dfbf..c32ebf905 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -197,6 +197,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -257,10 +258,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -334,6 +337,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 60886cf7f..c2b923f6d 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -32,7 +32,7 @@
  */
 #define STROKE_SOCKET IPSEC_PIDDIR "/charon.ctl"
 
-#define STROKE_BUF_LEN		2048
+#define STROKE_BUF_LEN		4096
 
 typedef enum list_flag_t list_flag_t;
 
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index b84d70587..f4f9fdf7e 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@@ -65,4 +65,5 @@ install-data-local: swanctl.conf
 	test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true
+	test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true
 	test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true
diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in
index 649e6d8ae..f981bb1f3 100644
--- a/src/swanctl/Makefile.in
+++ b/src/swanctl/Makefile.in
@@ -238,6 +238,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -298,10 +299,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,6 +378,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -991,6 +996,7 @@ install-data-local: swanctl.conf
 	test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true
+	test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true
 	test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/swanctl/commands/list_conns.c b/src/swanctl/commands/list_conns.c
index 31ab9c40a..019c88888 100644
--- a/src/swanctl/commands/list_conns.c
+++ b/src/swanctl/commands/list_conns.c
@@ -103,7 +103,7 @@ CALLBACK(conn_sn, int,
 	{
 		return vici_parse_cb(res, children_sn, NULL, NULL, NULL);
 	}
-	if (streq(name, "local") || streq(name, "remote"))
+	if (strpfx(name, "local") || strpfx(name, "remote"))
 	{
 		hashtable_t *auth;
 
@@ -112,7 +112,8 @@ CALLBACK(conn_sn, int,
 		if (ret == 0)
 		{
 			printf("  %s %s authentication:\n",
-				name, auth->get(auth, "class") ?: "unspecified");
+				strpfx(name, "local") ? "local" : "remote",
+				auth->get(auth, "class") ?: "unspecified");
 			if (auth->get(auth, "id"))
 			{
 				printf("    id: %s\n", auth->get(auth, "id"));
diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c
index 35e7469a9..81e1b7cca 100644
--- a/src/swanctl/commands/list_sas.c
+++ b/src/swanctl/commands/list_sas.c
@@ -86,8 +86,8 @@ CALLBACK(child_sas, int,
 	ret = vici_parse_cb(res, NULL, sa_values, sa_list, child);
 	if (ret == 0)
 	{
-		printf("  %s: #%s, %s, %s%s, %s:",
-			name, child->get(child, "reqid"),
+		printf("  %s: #%s, reqid %s, %s, %s%s, %s:",
+			name, child->get(child, "uniqueid"), child->get(child, "reqid"),
 			child->get(child, "state"), child->get(child, "mode"),
 			child->get(child, "encap") ? "-in-UDP" : "",
 			child->get(child, "protocol"));
@@ -122,7 +122,7 @@ CALLBACK(child_sas, int,
 		}
 		if (child->get(child, "esn"))
 		{
-			printf("/%s", child->get(child, "esn"));
+			printf("/ESN");
 		}
 		printf("\n");
 
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index de30d8eb4..6ee8b8785 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -93,11 +93,12 @@ static void add_list_key(vici_req_t *req, char *key, char *value)
 /**
  * Add a vici list of blobs from a comma separated file list
  */
-static void add_file_list_key(vici_req_t *req, char *key, char *value)
+static bool add_file_list_key(vici_req_t *req, char *key, char *value)
 {
 	enumerator_t *enumerator;
 	chunk_t *map;
 	char *token, buf[PATH_MAX];
+	bool ret = TRUE;
 
 	vici_begin_list(req, key);
 	enumerator = enumerator_create_token(value, ",", " ");
@@ -127,21 +128,26 @@ static void add_file_list_key(vici_req_t *req, char *key, char *value)
 		}
 		else
 		{
-			fprintf(stderr, "loading certificate '%s' failed: %s\n",
-					token, strerror(errno));
+			fprintf(stderr, "loading %s certificate '%s' failed: %s\n",
+					key, token, strerror(errno));
+			ret = FALSE;
+			break;
 		}
 	}
 	enumerator->destroy(enumerator);
 	vici_end_list(req);
+
+	return ret;
 }
 
 /**
  * Translate setting key/values from a section into vici key-values/lists
  */
-static void add_key_values(vici_req_t *req, settings_t *cfg, char *section)
+static bool add_key_values(vici_req_t *req, settings_t *cfg, char *section)
 {
 	enumerator_t *enumerator;
 	char *key, *value;
+	bool ret = TRUE;
 
 	enumerator = cfg->create_key_value_enumerator(cfg, section);
 	while (enumerator->enumerate(enumerator, &key, &value))
@@ -152,34 +158,51 @@ static void add_key_values(vici_req_t *req, settings_t *cfg, char *section)
 		}
 		else if (is_file_list_key(key))
 		{
-			add_file_list_key(req, key, value);
+			ret = add_file_list_key(req, key, value);
 		}
 		else
 		{
 			vici_add_key_valuef(req, key, "%s", value);
 		}
+		if (!ret)
+		{
+			break;
+		}
 	}
 	enumerator->destroy(enumerator);
+
+	return ret;
 }
 
 /**
  * Translate a settings section to a vici section
  */
-static void add_sections(vici_req_t *req, settings_t *cfg, char *section)
+static bool add_sections(vici_req_t *req, settings_t *cfg, char *section)
 {
 	enumerator_t *enumerator;
 	char *name, buf[256];
+	bool ret = TRUE;
 
 	enumerator = cfg->create_section_enumerator(cfg, section);
 	while (enumerator->enumerate(enumerator, &name))
 	{
 		vici_begin_section(req, name);
 		snprintf(buf, sizeof(buf), "%s.%s", section, name);
-		add_key_values(req, cfg, buf);
-		add_sections(req, cfg, buf);
+		ret = add_key_values(req, cfg, buf);
+		if (!ret)
+		{
+			break;
+		}
+		ret = add_sections(req, cfg, buf);
+		if (!ret)
+		{
+			break;
+		}
 		vici_end_section(req);
 	}
 	enumerator->destroy(enumerator);
+
+	return ret;
 }
 
 /**
@@ -198,8 +221,12 @@ static bool load_conn(vici_conn_t *conn, settings_t *cfg,
 	req = vici_begin("load-conn");
 
 	vici_begin_section(req, section);
-	add_key_values(req, cfg, buf);
-	add_sections(req, cfg, buf);
+	if (!add_key_values(req, cfg, buf) ||
+		!add_sections(req, cfg, buf))
+	{
+		vici_free_req(req);
+		return FALSE;
+	}
 	vici_end_section(req);
 
 	res = vici_submit(req, conn);
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index 86ee3c179..d2ebc22eb 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -25,6 +25,7 @@
 
 #include <credentials/sets/mem_cred.h>
 #include <credentials/sets/callback_cred.h>
+#include <credentials/containers/pkcs12.h>
 
 /**
  * Load a single certificate over vici
@@ -60,7 +61,7 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
 	}
 	else
 	{
-		printf("loaded %s certificate '%s'\n", type, dir);
+		printf("loaded %s certificate from '%s'\n", type, dir);
 	}
 	vici_free_res(res);
 	return ret;
@@ -113,7 +114,14 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format,
 
 	req = vici_begin("load-key");
 
-	vici_add_key_valuef(req, "type", "%s", type);
+	if (streq(type, "pkcs8"))
+	{	/* as used by vici */
+		vici_add_key_valuef(req, "type", "any");
+	}
+	else
+	{
+		vici_add_key_valuef(req, "type", "%s", type);
+	}
 	vici_add_key_value(req, "data", data.ptr, data.len);
 
 	res = vici_submit(req, conn);
@@ -135,20 +143,59 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format,
 	}
 	else
 	{
-		printf("loaded %s key '%s'\n", type, dir);
+		printf("loaded %s key from '%s'\n", type, dir);
 	}
 	vici_free_res(res);
 	return ret;
 }
 
 /**
+ * Load a private key of any type to vici
+ */
+static bool load_key_anytype(vici_conn_t *conn, command_format_options_t format,
+							 char *path, private_key_t *private)
+{
+	bool loaded = FALSE;
+	chunk_t encoding;
+
+	if (!private->get_encoding(private, PRIVKEY_ASN1_DER, &encoding))
+	{
+		fprintf(stderr, "encoding private key from '%s' failed\n", path);
+		return FALSE;
+	}
+	switch (private->get_type(private))
+	{
+		case KEY_RSA:
+			loaded = load_key(conn, format, path, "rsa", encoding);
+			break;
+		case KEY_ECDSA:
+			loaded = load_key(conn, format, path, "ecdsa", encoding);
+			break;
+		default:
+			fprintf(stderr, "unsupported key type in '%s'\n", path);
+			break;
+	}
+	chunk_clear(&encoding);
+	return loaded;
+}
+
+/**
+ * Data passed to password callback
+ */
+typedef struct {
+	char prompt[128];
+	mem_cred_t *cache;
+} cb_data_t;
+
+/**
  * Callback function to prompt for private key passwords
  */
 CALLBACK(password_cb, shared_key_t*,
-	char *prompt, shared_key_type_t type,
+	cb_data_t *data, shared_key_type_t type,
 	identification_t *me, identification_t *other,
 	id_match_t *match_me, id_match_t *match_other)
 {
+	shared_key_t *shared;
 	char *pwd = NULL;
 
 	if (type != SHARED_PRIVATE_KEY_PASS)
@@ -156,7 +203,7 @@ CALLBACK(password_cb, shared_key_t*,
 		return NULL;
 	}
 #ifdef HAVE_GETPASS
-	pwd = getpass(prompt);
+	pwd = getpass(data->prompt);
 #endif
 	if (!pwd || strlen(pwd) == 0)
 	{
@@ -170,65 +217,94 @@ CALLBACK(password_cb, shared_key_t*,
 	{
 		*match_other = ID_MATCH_PERFECT;
 	}
-	return shared_key_create(type, chunk_clone(chunk_from_str(pwd)));
+	shared = shared_key_create(type, chunk_clone(chunk_from_str(pwd)));
+	/* cache secret if it is required more than once (PKCS#12) */
+	data->cache->add_shared(data->cache, shared, NULL);
+	return shared->get_ref(shared);
 }
 
 /**
- * Try to parse a potentially encrypted private key using password prompt
+ * Determine credential type and subtype from a type string
  */
-static private_key_t* decrypt_key(char *name, char *type, chunk_t encoding)
+static bool determine_credtype(char *type, credential_type_t *credtype,
+							   int *subtype)
 {
-	key_type_t kt = KEY_ANY;
-	private_key_t *private;
-	callback_cred_t *cb;
-	char buf[128];
+	struct {
+		char *type;
+		credential_type_t credtype;
+		int subtype;
+	} map[] = {
+		{ "pkcs8",			CRED_PRIVATE_KEY,		KEY_ANY,			},
+		{ "rsa",			CRED_PRIVATE_KEY,		KEY_RSA,			},
+		{ "ecdsa",			CRED_PRIVATE_KEY,		KEY_ECDSA,			},
+		{ "pkcs12",			CRED_CONTAINER,			CONTAINER_PKCS12,	},
+	};
+	int i;
 
-	if (streq(type, "rsa"))
+	for (i = 0; i < countof(map); i++)
 	{
-		kt = KEY_RSA;
+		if (streq(map[i].type, type))
+		{
+			*credtype = map[i].credtype;
+			*subtype = map[i].subtype;
+			return TRUE;
+		}
 	}
-	else if (streq(type, "ecdsa"))
+	return FALSE;
+}
+
+/**
+ * Try to parse a potentially encrypted credential using password prompt
+ */
+static void* decrypt(char *name, char *type, chunk_t encoding)
+{
+	credential_type_t credtype;
+	int subtype;
+	void *cred;
+	callback_cred_t *cb;
+	cb_data_t data;
+
+	if (!determine_credtype(type, &credtype, &subtype))
 	{
-		kt = KEY_ECDSA;
+		return NULL;
 	}
 
-	snprintf(buf, sizeof(buf), "Password for '%s': ", name);
+	snprintf(data.prompt, sizeof(data.prompt), "Password for %s file '%s': ",
+			 type, name);
 
-	cb = callback_cred_create_shared(password_cb, buf);
+	data.cache = mem_cred_create();
+	lib->credmgr->add_set(lib->credmgr, &data.cache->set);
+	cb = callback_cred_create_shared(password_cb, &data);
 	lib->credmgr->add_set(lib->credmgr, &cb->set);
 
-	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, kt,
-								 BUILD_BLOB_PEM, encoding, BUILD_END);
+	cred = lib->creds->create(lib->creds, credtype, subtype,
+							  BUILD_BLOB_PEM, encoding, BUILD_END);
 
+	lib->credmgr->remove_set(lib->credmgr, &data.cache->set);
+	data.cache->destroy(data.cache);
 	lib->credmgr->remove_set(lib->credmgr, &cb->set);
 	cb->destroy(cb);
 
-	return private;
+	return cred;
 }
 
 /**
- * Try to parse a potentially encrypted private key using configured secret
+ * Try to parse a potentially encrypted credential using configured secret
  */
-static private_key_t* decrypt_key_with_config(settings_t *cfg, char *name,
-											  char *type, chunk_t encoding)
-{	key_type_t kt = KEY_ANY;
+static void* decrypt_with_config(settings_t *cfg, char *name, char *type,
+								 chunk_t encoding)
+{
+	credential_type_t credtype;
+	int subtype;
 	enumerator_t *enumerator, *secrets;
 	char *section, *key, *value, *file, buf[128];
 	shared_key_t *shared;
-	private_key_t *private = NULL;
+	void *cred = NULL;
 	mem_cred_t *mem = NULL;
 
-	if (streq(type, "rsa"))
-	{
-		kt = KEY_RSA;
-	}
-	else if (streq(type, "ecdsa"))
-	{
-		kt = KEY_ECDSA;
-	}
-	else
+	if (!determine_credtype(type, &credtype, &subtype))
 	{
-		type = "pkcs8";
+		return NULL;
 	}
 
 	/* load all secrets for this key type */
@@ -265,12 +341,12 @@ static private_key_t* decrypt_key_with_config(settings_t *cfg, char *name,
 	{
 		lib->credmgr->add_local_set(lib->credmgr, &mem->set, FALSE);
 
-		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, kt,
-									 BUILD_BLOB_PEM, encoding, BUILD_END);
+		cred = lib->creds->create(lib->creds, credtype, subtype,
+								  BUILD_BLOB_PEM, encoding, BUILD_END);
 
 		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
 
-		if (!private)
+		if (!cred)
 		{
 			fprintf(stderr, "configured decryption secret for '%s' invalid\n",
 					name);
@@ -279,7 +355,7 @@ static private_key_t* decrypt_key_with_config(settings_t *cfg, char *name,
 		mem->destroy(mem);
 	}
 
-	return private;
+	return cred;
 }
 
 /**
@@ -292,30 +368,15 @@ static bool load_encrypted_key(vici_conn_t *conn,
 {
 	private_key_t *private;
 	bool loaded = FALSE;
-	chunk_t encoding;
 
-	private = decrypt_key_with_config(cfg, rel, type, data);
+	private = decrypt_with_config(cfg, rel, type, data);
 	if (!private && !noprompt)
 	{
-		private = decrypt_key(rel, type, data);
+		private = decrypt(rel, type, data);
 	}
 	if (private)
 	{
-		if (private->get_encoding(private, PRIVKEY_ASN1_DER, &encoding))
-		{
-			switch (private->get_type(private))
-			{
-				case KEY_RSA:
-					loaded = load_key(conn, format, path, "rsa", encoding);
-					break;
-				case KEY_ECDSA:
-					loaded = load_key(conn, format, path, "ecdsa", encoding);
-					break;
-				default:
-					break;
-			}
-			chunk_clear(&encoding);
-		}
+		loaded = load_key_anytype(conn, format, path, private);
 		private->destroy(private);
 	}
 	return loaded;
@@ -361,6 +422,114 @@ static void load_keys(vici_conn_t *conn, command_format_options_t format,
 }
 
 /**
+ * Load credentials from a PKCS#12 container over vici
+ */
+static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format,
+						char *path, pkcs12_t *p12)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	private_key_t *private;
+	chunk_t encoding;
+	bool loaded = TRUE;
+
+	enumerator = p12->create_cert_enumerator(p12);
+	while (loaded && enumerator->enumerate(enumerator, &cert))
+	{
+		loaded = FALSE;
+		if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+		{
+			loaded = load_cert(conn, format, path, "x509", encoding);
+			if (loaded)
+			{
+				fprintf(stderr, "  %Y\n", cert->get_subject(cert));
+			}
+			free(encoding.ptr);
+		}
+		else
+		{
+			fprintf(stderr, "encoding certificate from '%s' failed\n", path);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = p12->create_key_enumerator(p12);
+	while (loaded && enumerator->enumerate(enumerator, &private))
+	{
+		loaded = load_key_anytype(conn, format, path, private);
+	}
+	enumerator->destroy(enumerator);
+
+	return loaded;
+}
+
+/**
+ * Try to decrypt and load credentials from a container
+ */
+static bool load_encrypted_container(vici_conn_t *conn,
+					command_format_options_t format, settings_t *cfg, char *rel,
+					char *path, char *type, bool noprompt, chunk_t data)
+{
+	container_t *container;
+	bool loaded = FALSE;
+
+	container = decrypt_with_config(cfg, rel, type, data);
+	if (!container && !noprompt)
+	{
+		container = decrypt(rel, type, data);
+	}
+	if (container)
+	{
+		switch (container->get_type(container))
+		{
+			case CONTAINER_PKCS12:
+				loaded = load_pkcs12(conn, format, path, (pkcs12_t*)container);
+				break;
+			default:
+				break;
+		}
+		container->destroy(container);
+	}
+	return loaded;
+}
+
+/**
+ * Load credential containers from a directory
+ */
+static void load_containers(vici_conn_t *conn, command_format_options_t format,
+						bool noprompt, settings_t *cfg, char *type, char *dir)
+{
+	enumerator_t *enumerator;
+	struct stat st;
+	chunk_t *map;
+	char *path, *rel;
+
+	enumerator = enumerator_create_directory(dir);
+	if (enumerator)
+	{
+		while (enumerator->enumerate(enumerator, &rel, &path, &st))
+		{
+			if (S_ISREG(st.st_mode))
+			{
+				map = chunk_map(path, FALSE);
+				if (map)
+				{
+					load_encrypted_container(conn, format, cfg, rel, path,
+											 type, noprompt, *map);
+					chunk_unmap(map);
+				}
+				else
+				{
+					fprintf(stderr, "mapping '%s' failed: %s, skipped\n",
+							path, strerror(errno));
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
  * Load a single secret over VICI
  */
 static bool load_secret(vici_conn_t *conn, settings_t *cfg,
@@ -380,6 +549,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
 		"rsa",
 		"ecdsa",
 		"pkcs8",
+		"pkcs12",
 	};
 
 	for (i = 0; i < countof(types); i++)
@@ -510,7 +680,9 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
 
 	load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
 	load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
-	load_keys(conn, format, noprompt, cfg, "any", SWANCTL_PKCS8DIR);
+	load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
+
+	load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);
 
 	enumerator = cfg->create_section_enumerator(cfg, "secrets");
 	while (enumerator->enumerate(enumerator, &section))
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index 0808cf58b..faafecc44 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -286,6 +286,18 @@
 
     # }
 
+    # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
+    # pkcs12<suffix> {
+
+        # File name in the pkcs12 folder for which this passphrase should be
+        # used.
+        # file =
+
+        # Value of decryption passphrase for PKCS#12 container.
+        # secret =
+
+    # }
+
 # }
 
 # Section defining named pools.
@@ -294,7 +306,7 @@
     # Section defining a single pool with a unique name.
     # <name> {
 
-        # Subnet defining addresses allocated in pool.
+        # Addresses allocated in pool.
         # addrs =
 
         # Comma separated list of additional attributes from type <attr>.
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 8943b62db..a770b28b1 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -251,7 +251,12 @@ performs a reauthentication procedure instead.
 With the default value IKE rekeying is scheduled every 4 hours, minus the
 configured
 .RB "" "rand_time" "."
-
+If a
+.RB "" "reauth_time" ""
+is configured,
+.RB "" "rekey_time" ""
+defaults to zero disabling rekeying; explicitly set both to enforce rekeying and
+reauthentication.
 
 .TP
 .BR connections.<conn>.over_time " [10% of rekey_time/reauth_time]"
@@ -363,6 +368,37 @@ IKE identity to use for authentication round. When using certificate
 authentication, the IKE identity must be contained in the certificate, either as
 subject or as subjectAltName.
 
+The identity can be an IP address, a fully\-qualified domain name, an email
+address or a Distinguished Name for which the ID type is determined
+automatically and the string is converted to the appropriate encoding. To
+enforce a specific identity type, a prefix may be used, followed by a colon (:).
+If the number sign (#) follows the colon, the remaining data is interpreted as
+hex encoding, otherwise the string is used as\-is as the identification data.
+Note that this implies that no conversion is performed for non\-string
+identities. For example,
+.RI "" "ipv4:10.0.0.1" ""
+does not create a valid ID_IPV4_ADDR
+IKE identity, as it does not get converted to binary 0x0a000001. Instead, one
+could use
+.RI "" "ipv4:#0a000001" ""
+to get a valid identity, but just using the implicit
+type with automatic conversion is usually simpler. The same applies to the ASN1
+encoded types. The following prefixes are known:
+.RI "" "ipv4" ","
+.RI "" "ipv6" ","
+.RI "" "rfc822" ","
+.RI "" "email" ","
+.RI "" "userfqdn" ","
+.RI "" "fqdn" ","
+.RI "" "dns" ","
+.RI "" "asn1dn" ","
+.RI "" "asn1gn" ""
+and
+.RI "" "keyid" "."
+Custom type
+prefixes may be specified by surrounding the numerical type value by curly
+brackets.
+
 .TP
 .BR connections.<conn>.local<suffix>.eap_id " [id]"
 Client EAP\-Identity to use in EAP\-Identity exchange and the EAP method.
@@ -397,9 +433,10 @@ omitted.
 
 .TP
 .BR connections.<conn>.remote<suffix>.id " [%any]"
-IKE identity to expect for authentication round. When using certificate
-authentication, the IKE identity must be contained in the certificate, either as
-subject or as subjectAltName.
+IKE identity to expect for authentication round. Refer to the
+.RI "" "local" ""
+.RI "" "id" ""
+section for details.
 
 .TP
 .BR connections.<conn>.remote<suffix>.groups " []"
@@ -725,9 +762,11 @@ uses dynamic reqids, allocated incrementally.
 
 .TP
 .BR connections.<conn>.children.<child>.mark_in " [0/0x00000000]"
-Netfilter mark and mask for input traffic. On Linux Netfilter may apply marks to
-each packet coming from a tunnel having that option set. The mark may then be
-used by Netfilter to match rules.
+Netfilter mark and mask for input traffic. On Linux Netfilter may require marks
+on each packet to match an SA having that option set. This allows Netfilter
+rules to select specific tunnels for incoming traffic. The special value
+.RI "" "%unique" ""
+sets a unique mark on each CHILD_SA instance.
 
 An additional mask may be appended to the mark, separated by _/_. The default
 mask if omitted is 0xffffffff.
@@ -736,7 +775,9 @@ mask if omitted is 0xffffffff.
 .BR connections.<conn>.children.<child>.mark_out " [0/0x00000000]"
 Netfilter mark and mask for output traffic. On Linux Netfilter may require marks
 on each packet to match a policy having that option set. This allows Netfilter
-rules to select specific tunnels for outgoing traffic.
+rules to select specific tunnels for outgoing traffic. The special value
+.RI "" "%unique" ""
+sets a unique mark on each CHILD_SA instance.
 
 An additional mask may be appended to the mark, separated by _/_. The default
 mask if omitted is 0xffffffff.
@@ -925,6 +966,23 @@ folder for which this passphrase should be used.
 Value of decryption passphrase for PKCS#8 key.
 
 .TP
+.B secrets.pkcs12<suffix>
+.br
+PKCS#12 decryption passphrase for a container in the
+.RI "" "pkcs12" ""
+folder.
+
+.TP
+.BR secrets.pkcs12<suffix>.file " []"
+File name in the
+.RI "" "pkcs12" ""
+folder for which this passphrase should be used.
+
+.TP
+.BR secrets.pkcs12<suffix>.secret " []"
+Value of decryption passphrase for PKCS#12 container.
+
+.TP
 .B pools
 .br
 Section defining named pools. Named pools may be referenced by connections with
@@ -939,9 +997,9 @@ Section defining a single pool with a unique name.
 
 .TP
 .BR pools.<name>.addrs " []"
-Subnet defining addresses allocated in pool. Accepts a single CIDR subnet
-defining the pool to allocate addresses from. Pools must be unique and
-non\-overlapping.
+Subnet or range defining addresses allocated in pool. Accepts a single CIDR
+subnet defining the pool to allocate addresses from, or an address range
+(<from>\-<to>).  Pools must be unique and non\-overlapping.
 
 .TP
 .BR pools.<name>.<attr> " []"
diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h
index bd7e00378..cb570cd34 100644
--- a/src/swanctl/swanctl.h
+++ b/src/swanctl/swanctl.h
@@ -66,4 +66,9 @@
  */
 #define SWANCTL_PKCS8DIR SWANCTLDIR "/pkcs8"
 
+/**
+ * Directory for PKCS#12 containers
+ */
+#define SWANCTL_PKCS12DIR SWANCTLDIR "/pkcs12"
+
 #endif /** SWANCTL_H_ @}*/
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index f1e47a9e4..b6ef17546 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -220,7 +220,9 @@ connections.<conn>.rekey_time = 4h
 	IKEv1 performs a reauthentication procedure instead.
 
 	With the default value IKE rekeying is scheduled every 4 hours, minus the
-	configured **rand_time**.
+	configured **rand_time**. If a **reauth_time** is configured, **rekey_time**
+	defaults to zero disabling rekeying; explicitly set both to enforce
+	rekeying and reauthentication.
 
 connections.<conn>.over_time = 10% of rekey_time/reauth_time
 	Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
@@ -303,6 +305,22 @@ connections.<conn>.local<suffix>.id =
 	authentication, the IKE identity must be contained in the certificate,
 	either as subject or as subjectAltName.
 
+	The identity can be an IP address, a fully-qualified domain name, an email
+	address or a Distinguished Name for which the ID type is determined
+	automatically and the string is converted to the appropriate encoding. To
+	enforce a specific identity type, a prefix may be used, followed by a colon
+	(:). If the number sign (#) follows the colon, the remaining data is
+	interpreted as hex encoding, otherwise the string is used as-is as the
+	identification data. Note that this implies that no conversion is performed
+	for non-string identities. For example, _ipv4:10.0.0.1_ does not create a
+	valid ID_IPV4_ADDR IKE identity, as it does not get converted to binary
+	0x0a000001. Instead, one could use _ipv4:#0a000001_ to get a valid identity,
+	but just using the implicit type with automatic conversion is usually
+	simpler. The same applies to the ASN1 encoded types. The following prefixes
+	are known: _ipv4_, _ipv6_, _rfc822_, _email_, _userfqdn_, _fqdn_, _dns_,
+	_asn1dn_, _asn1gn_ and _keyid_. Custom type prefixes may be specified by
+	surrounding the numerical type value by curly brackets.
+
 connections.<conn>.local<suffix>.eap_id = id
 	Client EAP-Identity to use in EAP-Identity exchange and the EAP method.
 
@@ -335,9 +353,8 @@ connections.<conn>.remote<suffix> {}
 connections.<conn>.remote<suffix>.id = %any
 	IKE identity to expect for authentication round.
 
-	IKE identity to expect for authentication round. When using certificate
-	authentication, the IKE identity must be contained in the certificate,
-	either as subject or as subjectAltName.
+	IKE identity to expect for authentication round. Refer to the _local_ _id_
+	section for details.
 
 connections.<conn>.remote<suffix>.groups =
 	Authorization group memberships to require.
@@ -607,9 +624,10 @@ connections.<conn>.children.<child>.reqid = 0
 connections.<conn>.children.<child>.mark_in = 0/0x00000000
 	Netfilter mark and mask for input traffic.
 
-	Netfilter mark and mask for input traffic. On Linux Netfilter may apply
-	marks to each packet coming from a tunnel having that option set. The
-	mark may then be used by Netfilter to match rules.
+	Netfilter mark and mask for input traffic. On Linux Netfilter may require
+	marks on each packet to match an SA having that option set. This allows
+	Netfilter rules to select specific tunnels for incoming traffic. The
+	special value _%unique_ sets a unique mark on each CHILD_SA instance.
 
 	An additional mask may be appended to the mark, separated by _/_. The
 	default mask if omitted is 0xffffffff.
@@ -619,7 +637,8 @@ connections.<conn>.children.<child>.mark_out = 0/0x00000000
 
 	Netfilter mark and mask for output traffic. On Linux Netfilter may require
 	marks on each packet to match a policy having that option set. This allows
-	Netfilter rules to select specific tunnels for outgoing traffic.
+	Netfilter rules to select specific tunnels for outgoing traffic. The
+	special value _%unique_ sets a unique mark on each CHILD_SA instance.
 
 	An additional mask may be appended to the mark, separated by _/_. The
 	default mask if omitted is 0xffffffff.
@@ -756,6 +775,15 @@ secrets.pkcs8<suffix>.file =
 secrets.pkcs8<suffix>.secret
 	Value of decryption passphrase for PKCS#8 key.
 
+secrets.pkcs12<suffix> { # }
+	PKCS#12 decryption passphrase for a container in the _pkcs12_ folder.
+
+secrets.pkcs12<suffix>.file =
+	File name in the _pkcs12_ folder for which this passphrase should be used.
+
+secrets.pkcs12<suffix>.secret
+	Value of decryption passphrase for PKCS#12 container.
+
 pools { # }
 	Section defining named pools.
 
@@ -767,11 +795,11 @@ pools.<name> { # }
 	Section defining a single pool with a unique name.
 
 pools.<name>.addrs =
-	Subnet defining addresses allocated in pool.
+	Addresses allocated in pool.
 
-	Subnet defining addresses allocated in pool. Accepts a single CIDR subnet
-	defining the pool to allocate addresses from. Pools must be unique and
-	non-overlapping.
+	Subnet or range defining addresses allocated in pool. Accepts a single CIDR
+	subnet defining the pool to allocate addresses from, or an address range
+	(<from>-<to>).  Pools must be unique and non-overlapping.
 
 pools.<name>.<attr> =
 	Comma separated list of additional attributes from type <attr>.
diff --git a/testing/Makefile.in b/testing/Makefile.in
index c151a87d3..b66c2be76 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -142,6 +142,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -202,10 +203,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -279,6 +282,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/testing/config/kernel/config-3.18 b/testing/config/kernel/config-3.18
new file mode 100644
index 000000000..345d4f52f
--- /dev/null
+++ b/testing/config/kernel/config-3.18
@@ -0,0 +1,2165 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.18.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+# CONFIG_FHANDLE is not set
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_GENERIC_IRQ_LEGACY_ALLOC_HWIRQ=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_TASKS_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_BUILD_BIN2C=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+# CONFIG_EXPERT is not set
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+# CONFIG_BPF_SYSCALL is not set
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_UPROBES is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CC_STACKPROTECTOR=y
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUE_RWLOCK=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_IOSF_MBI=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_MICROCODE_INTEL_EARLY is not set
+# CONFIG_MICROCODE_AMD_EARLY is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZPOOL is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+
+#
+# PCI host controller drivers
+#
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_PMC_ATOM=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+# CONFIG_GENEVE is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_VTI is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NET_PTP_CLASSIFY is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NF_NAT_MASQUERADE_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP6_NF_NAT is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_MMAP is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_NET_MPLS_GSO is not set
+# CONFIG_HSR is not set
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC Bus Driver
+#
+# CONFIG_INTEL_MIC_BUS is not set
+
+#
+# Intel MIC Host Driver
+#
+
+#
+# Intel MIC Card Driver
+#
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_CXL_BASE is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+# CONFIG_NET_DSA_MV88E6171 is not set
+# CONFIG_NET_DSA_BCM_SF2 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_NET_XGENE is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_FM10K is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_XILLYBUS is not set
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_BANG_BANG is not set
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_INTEL_SOC_DTS_THERMAL is not set
+# CONFIG_INT340X_THERMAL is not set
+
+#
+# Texas Instruments thermal drivers
+#
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+
+#
+# Direct Rendering Manager
+#
+# CONFIG_DRM is not set
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+# CONFIG_VGASTATE is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_UCLOGIC is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_WACOM is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_TOSHIBA_HAPS is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_CHROME_PLATFORMS is not set
+
+#
+# SOC (System On Chip) specific Drivers
+#
+# CONFIG_SOC_TI is not set
+
+#
+# Hardware Spinlock drivers
+#
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_ATMEL_PIT is not set
+# CONFIG_SH_TIMER_CMT is not set
+# CONFIG_SH_TIMER_MTU2 is not set
+# CONFIG_SH_TIMER_TMU is not set
+# CONFIG_EM_TIMER_STI is not set
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+
+#
+# SOC (System On Chip) specific Drivers
+#
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+# CONFIG_THUNDERBOLT is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+# CONFIG_OVERLAY_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+# CONFIG_DEBUG_INFO_DWARF4 is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_SCHED_STACK_END_CHECK is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_TORTURE_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+# CONFIG_CRYPTO_MCRYPTD is not set
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+# CONFIG_CRYPTO_DRBG_MENU is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+CONFIG_AVERAGE=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
+CONFIG_ARCH_HAS_SG_CHAIN=y
diff --git a/testing/config/kernel/config-3.19 b/testing/config/kernel/config-3.19
new file mode 100644
index 000000000..8520b3155
--- /dev/null
+++ b/testing/config/kernel/config-3.19
@@ -0,0 +1,2181 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.19.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+# CONFIG_FHANDLE is not set
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_GENERIC_IRQ_LEGACY_ALLOC_HWIRQ=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_GENERIC_MSI_IRQ=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_TASKS_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_BUILD_BIN2C=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_INIT_FALLBACK=y
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+# CONFIG_EXPERT is not set
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+# CONFIG_BPF_SYSCALL is not set
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_UPROBES is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CC_STACKPROTECTOR=y
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+
+#
+# GCOV-based kernel profiling
+#
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUE_RWLOCK=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_IOSF_MBI=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_UP_APIC_MSI=y
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+CONFIG_X86_VSYSCALL_EMULATION=y
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_MICROCODE_INTEL_EARLY is not set
+# CONFIG_MICROCODE_AMD_EARLY is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZPOOL is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_X86_INTEL_MPX is not set
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+# CONFIG_ACPI_APEI is not set
+# CONFIG_PMIC_OPREGION is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+CONFIG_PCI_LABEL=y
+
+#
+# PCI host controller drivers
+#
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_PMC_ATOM=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+# CONFIG_GENEVE is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_VTI is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NET_PTP_CLASSIFY is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+CONFIG_NF_NAT_REDIRECT=y
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NF_NAT_MASQUERADE_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP6_NF_NAT is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_MMAP is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_NET_MPLS_GSO is not set
+# CONFIG_HSR is not set
+# CONFIG_NET_SWITCHDEV is not set
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC Bus Driver
+#
+# CONFIG_INTEL_MIC_BUS is not set
+
+#
+# Intel MIC Host Driver
+#
+
+#
+# Intel MIC Card Driver
+#
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_CXL_BASE is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_IPVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+# CONFIG_NET_DSA_MV88E6171 is not set
+# CONFIG_NET_DSA_MV88E6352 is not set
+# CONFIG_NET_DSA_BCM_SF2 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_NET_XGENE is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BCMGENET is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_FM10K is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_ROCKER=y
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_XILLYBUS is not set
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_I5500 is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_BANG_BANG is not set
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_INTEL_SOC_DTS_THERMAL is not set
+# CONFIG_INT340X_THERMAL is not set
+
+#
+# Texas Instruments thermal drivers
+#
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+
+#
+# Direct Rendering Manager
+#
+# CONFIG_DRM is not set
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+# CONFIG_VGASTATE is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_UCLOGIC is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_HIDPP is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+CONFIG_HID_PLANTRONICS=y
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_WACOM is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_TOSHIBA_HAPS is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_CHROME_PLATFORMS is not set
+
+#
+# Hardware Spinlock drivers
+#
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_ATMEL_PIT is not set
+# CONFIG_SH_TIMER_CMT is not set
+# CONFIG_SH_TIMER_MTU2 is not set
+# CONFIG_SH_TIMER_TMU is not set
+# CONFIG_EM_TIMER_STI is not set
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+
+#
+# SOC (System On Chip) specific Drivers
+#
+# CONFIG_SOC_TI is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+# CONFIG_THUNDERBOLT is not set
+
+#
+# Android
+#
+# CONFIG_ANDROID is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+# CONFIG_OVERLAY_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+# CONFIG_DEBUG_INFO_DWARF4 is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_PAGE_OWNER is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_PAGE_EXTENSION is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_SCHED_STACK_END_CHECK is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_TORTURE_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+# CONFIG_CRYPTO_MCRYPTD is not set
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+# CONFIG_CRYPTO_DRBG_MENU is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+CONFIG_AVERAGE=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
+CONFIG_ARCH_HAS_SG_CHAIN=y
diff --git a/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.der b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.der
diff --git a/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.der b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.der
new file mode 100644
index 000000000..76cafc198
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.der
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261
deleted file mode 100644
index c98775369..000000000
--- a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261
+++ /dev/null
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192eb b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192eb
new file mode 100644
index 000000000..016c4125d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192eb
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1
deleted file mode 100644
index 0f2a0ec8d..000000000
--- a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1
+++ /dev/null
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491a b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491a
new file mode 100644
index 000000000..1a40299f2
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491a
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da
deleted file mode 100644
index 489030d9f..000000000
--- a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da
+++ /dev/null
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488
deleted file mode 100644
index 863f65237..000000000
--- a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488
+++ /dev/null
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329f b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329f
new file mode 100644
index 000000000..49f4ad719
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329f
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d
new file mode 100644
index 000000000..267516b0c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d
diff --git a/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem b/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem
index bb205a0fd..2076242cc 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem
@@ -1,23 +1,23 @@
 -----BEGIN CERTIFICATE-----
-MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
-M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw
+OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
-MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
-ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
-UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
-h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
-i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
-o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
-KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz
+w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw
+1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR
+IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX
+7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w
+F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK
+cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
-AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
-YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
-rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
-1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
-wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
-DSlBqDpnqK8tEI9V9YeroihTcygrEg==
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF
+AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd
+i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4
+zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM
+4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE
+VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF
+5n7mN4ssNQdcD86W5lnI9pT5s1uvdw==
 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem b/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem
index 5fff90708..a5b46cc6c 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem
+++ b/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNuMfyRDsc7m1KRDVt8N4h/
-EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKaub5AgsRa2fOOR9xfyf0Q
-7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsOUHOJAPZNoGPey5UL9Zjj
-sN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKDh/pliP7uZANd0ZpPcrIc
-68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeYi9wFLnS2tgV3ID4LzEEI
-CSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQABAoIBADfb0r6cpnRsnSKF
-5RBfReyu6vo4GB0lNGSeRqFRgivU+vMoiG2S58t7AQi2FyTNYbNDFdh31LS8WLbI
-OkWv2HehijN4FO4pqmI9JtSHnbLNJEHEizDBTASLz/9irisX3HCXMVORh4oEb2Ko
-QdmulOjePSJDZbLv6H/JI0bpYsgiAw26KEoB8cnHwiApF69a4uPJA6gW98nsabyq
-9NQVW5QAmUFDnzA6upFRBUeBBpufYMvP82zfntFx72yLBmXgBnyZW23WwZfQZSzw
-FChhl40mwykOE8jpeGgxmdWyPc29roF+kuvaOUaSF2nmyl4qhLCISdr0eHXHAGDH
-2RjVJ6ECgYEA0YW38d4309J1QegK5vhPWehnxpZHpK86DENevYaS7zRcCu1BRZc0
-aBAceTYCZHYofOWmeIns0qtMfzzuemPCiOZWy9VYgJrJ0YkmNin3DM1/13pWiKqn
-EkQCFa6K5AiB0umTOwJoAHlJYlJ2k4bw7Rm/LtiHC2fnRq2KJeKmg60CgYEAyP30
-5D8sUkih9rRfZRHAPo0x1qJpJQC+cFUBMIuOXFIz37TqbZcGDkRRb+ewywNxT73t
-TfVDvR7tD3cYTi78dVz539Dwl9mt10QLGsQJ4825uY/LQqUe8F2qz+E3lWqoo+yJ
-WlTAqbHI2a4g4CjFC4/+i6lKQ+NpmJLZIPz3HAUCgYEAiduy4Ti2gPAb6OZ1re05
-wM1y4q5kq04EIqd9QbS3Hx7TZPkgllpbyBC5u2M3BcTc9PjhpLQTl7XQGnQL8YmM
-KSlteKaCmfO+0NitxLut6sWX1T6Qi1HFpfYLbRqwFkQmr5CyKAR4S7+B8miRzpXe
-FhN3wKoFiRKvkMiEelL7/u0CgYEAnh4TWsBL+MuFBxTs+xDU4SCotYZ9GwwTxUFK
-N0uCiiRtBK9JwT8PF4gtXNCzZ3Jk4Ou0VSD+0jgTHJh/eXpDR30GYkn4DC3GMdQo
-vDy+3wSH+HAj4mEODuBRMUqnNJd85cB+aZ7FFnpzXLQ8zrukEC2OfYaHkxLDjrDv
-uaDoMZUCgYEAhD89Cj849LXbJEmjX0MGUCCBO9EBR2Ux2nbuB+TQnvwz7VT0Jkds
-Db1IfljoDefqzyFfH/0Z3bNg4EpidAG3BMC4MwY7WzR1rfnXwNluaWM5gmUzFNw0
-mBGXonIf6nRMIO9eeTFI8VfFb6BYvosNxz+9QA/5rpamGN1cKdMjgPc=
+MIIEpQIBAAKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPzw6tqtEkIdftEawgc5gvl
+C80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw1duoY7NE+RZwODEsWVgn
+DRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IRIcEfZeAv7URGz7xdrzmK
+/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX7mdNHnpjcwT9/ruyOaNQ
+0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0wF0Bc9lZxnv9ppYgBPsOT
+jE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQABAoIBADxEv72xBkCinBEt
+ExPeXLnb7ADwC6MZuoFbbHtsv+YWFC84YaIHhJlY8ldvUPa4y+SuFCVAZI7d76uE
+iRrYEzqKNuzWPuRcMwjI2beOmzFrlO6UePKZ3R/7EhoA6oSmX2U4Wr0R7eEKrgi8
+w9no5NIr6Ota8mQBsDDeWoGjBZReLHcagK3P+LG7B9EfMbdedd4c+sAYypmbhjvf
+pj2AE08D/eI1j9Jd0w9J4oVNel1p7iYT5wYnZzdHcJdAWHlzFrKFQVVfJBBviskX
+dm8GUOP0ZdOc0xYAyVcFAyu1x0JBkrFM5zOs6UAsRSzP5PQ/J8VFK7BQAv9/TX1D
+eZi2DwECgYEA3mPpG0VRsZXDF63KlWnCn7cl6i+CAhMxYVCVn8RwBGc7Q8Xtw+9b
+y7VktDGTcgcZIxDh/T17FBAn2ZL28tbssRxnRD+lQG1pf86RKLU+HXQ4Ppt7CbA0
+G2oV7+qxA2At3yknHmeIyvzBp+OuCc2XboOhshN5ncgMXl9EzRsCilUCgYEA2EPT
+dXf57rG4k9mcjdohIdutBB+mOXS8K9fbg+V/l+bmGxINWKxF4w2N3pulw4380TRr
+caYI7dxjpmCopnxNEhBiyOuBOEEqdGxdm69CNSO/hFDE92pQECl+6+AIa9Kv/Z3+
+Wdxwo447xgz1wDclhEcVW9rD6sAshpLQREOvIMcCgYEAjxrDmeTVWO0CCW6v+c2A
+i74TC8teYW9wSyrL3W9OlcbIACiRg4+3BjLHhpyQQMQIjOQESC0T0ilDO2KyvjlH
+PgEFAoniEL9XMAMAra1TNyjeOItcdTOJlEqDq0redUmiuwOERLBi+hwDkcGU8IH3
+fAoANtMJY1qjeubbIxDKZbECgYEAleJkMtzFBq57m1TNkO6l2d5zShFZVibWp5hC
+Fma/iJrJzec0Asna4eMp+Sdsuly05JVtBeYp+Bivo8cH++LYU3Wx0UiPVVqsvuW/
+9r9/pm6xNFX6PPOcq6bmxTmO/JOXz7FpcAQ8uM5CFSA0TlSqFsRhRDkZYaBw+4/S
+8gzq2k8CgYEAz/0eK0YPxxh4NHwXVWEsMeTDmC37BmoXU5oOmcgFHmhWXFSvvJLn
+OB5QojTUuEsU9soHqk8F5oCt8DTz/LkJt+lygcSZ+qDOLJ0c9fGxDIp0s3HxiX4G
+BwiYDDqLzFNi6TOQsk15rWWVC9W+PaxsfkrdewvW4ZT695ZWxsKAHP8=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/duck/index.txt b/testing/hosts/winnetou/etc/openssl/duck/index.txt
index 759a85b80..70a88fcbb 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/duck/index.txt
@@ -1 +1 @@
-V	141103162335Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Duck Research/CN=carol@strongswan.org
+V	190225221822Z		01	unknown	/C=CH/O=Linux strongSwan/OU=Duck Research/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem
index 4e13b52d0..70b953e49 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem
+++ b/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
 MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
-BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
-MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMTQxMTI4MjIxODIyWhcNMTkwMjI1
+MjIxODIyWjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
 bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
-c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
-IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
-30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
-jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
-veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
-ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
-7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
-VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
-jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
+c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNBbHnfLRk
+Lvxh9V7x/NoSs5qavpr8F51LnYpIfppgMvBDjpdeSnBPOOPakPlfUhKSvXIesESv
+QI1HJOlGftswL9A5B1lTnsH65sqpgqgj67grh386U3O9ZccFhUj8Dw6TUo/qe4pK
+sWDwUX/LG3mjOx/rOGvX8WxvZU7JVXXhU4g8TpIV3JRTQ+lF82z3qoS6dAfRt4xh
+6pyLuMYbu6UtX5Al0iJDvpsWr9ZbKI2f8Dhkr0sZFRHl7Gs5jTN1Ra1EF0jCjIzo
+6AkkY+ITBssvVvMFpeN/jb0ZhvLcRFU56lvLkmrj/InKUsk9qNm80+/wFBUzJ5N7
+GezXmBIPwXdlAgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFLPw4VsFnIRIKhjd/OF7delHM9kiMHkGA1UdIwRyMHCAFIpw4MqlHGRv
+K5K5c1wBrJAb/fk1oVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
 c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
-IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
-DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
-TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
-4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
-Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
-3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
-BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
+IENBggEKMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
+DQEBCwUAA4IBAQCi2vUHTZtkUGMAQsztQBLDwtqS7D+1ydO2BU/wkNRn4M7Zlkjq
+O2JBgwGmeWpnZWPdNo+A5ECqcVYXp0XQw/24zxV92StTN7mGvPKVM6bYExcCT8x6
+tVkzlfyjJaVdBgl12jkQA4v6Efwc0P6nunYfxYIrfoFA4kjMnAbxLfPKFEj8b8NW
+E9gvOEPy9hOv2dJEKyNxau+O5oGRZ46zSotcS0n34huoMEkXpUnpGOgZw8cl8xpP
+ffHiAJqZYgqU6B++HQO6M6IQ0nQmX6OxGz+5VhEmuizgWB0B1L65BlzAysdavLZN
+Yn4RdcYfpdbUgj5oRapiwWaQxpGImyQ1JBIU
 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index 839816bf5..f064bdb0b 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -44,4 +44,6 @@ cd /etc/openssl/rfc3779
 openssl ca -gencrl -crldays 15 -config /etc/openssl/rfc3779/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out strongswan_rfc3779.crl
 cp strongswan_rfc3779.crl ${ROOT}
-
+cd /etc/openssl/bliss
+pki --signcrl --cacert strongswan_blissCert.der --cakey strongswan_blissKey.der --lifetime 30 --digest sha512 > strongswan_bliss.crl
+cp strongswan_bliss.crl ${ROOT}
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 49264a5ee..ba3349cf9 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -27,7 +27,7 @@ R	140826100818Z	140827143358Z,superseded	1A	unknown	/C=CH/O=Linux strongSwan/OU=
 R	140826103106Z	090827103405Z,keyCompromise	1B	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 R	140826103739Z	140827143427Z,superseded	1C	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
 R	140826104451Z	140827143432Z,superseded	1D	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
-V	141123125153Z		1E	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+R	141123125153Z	141128194312Z,superseded	1E	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
 V	150226210530Z		1F	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
 V	190404095350Z		20	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	190404095433Z		21	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
@@ -47,3 +47,4 @@ V	190826145626Z		2E	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongsw
 R	190826150222Z	140827150343Z,keyCompromise	2F	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	190826150536Z		30	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	190826151202Z		31	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
+V	191127201436Z		32	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index cd5ddfd6b..b3ff1c581 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -27,7 +27,7 @@ R	140826100818Z	140827143358Z,superseded	1A	unknown	/C=CH/O=Linux strongSwan/OU=
 R	140826103106Z	090827103405Z,keyCompromise	1B	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 R	140826103739Z	140827143427Z,superseded	1C	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
 R	140826104451Z	140827143432Z,superseded	1D	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
-V	141123125153Z		1E	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+R	141123125153Z	141128194312Z,superseded	1E	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
 V	150226210530Z		1F	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
 V	190404095350Z		20	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	190404095433Z		21	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
@@ -46,3 +46,4 @@ V	190826145436Z		2D	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswa
 V	190826145626Z		2E	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org
 R	190826150222Z	140827150343Z,keyCompromise	2F	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	190826150536Z		30	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V	190826151202Z		31	unknown	/C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/32.pem b/testing/hosts/winnetou/etc/openssl/newcerts/32.pem
new file mode 100644
index 000000000..f7c90d302
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/32.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEQzCCAyugAwIBAgIBMjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE0MTEyODIwMTQzNloXDTE5MTEyNzIwMTQzNlowZzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag
+U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcEKXgcanpPoLMCxFLx1Br
+9WYJGHxMIi6eGfHHFObA56DpDxEUfRA88wvOgcq/PxSjAJZLePO9VQLU+sdK9+u9
+7INf7AMQ7CSRfHgkjEAt2SK4iWAk01I957qdwbvTTsBvmEAiKtqpQVcKbkokx1dC
+J7prB4TjJWQlxihMAfgRQEX8EWE1c2vmzQ8fVkEc37E/kWpwDYlKtVidn+Nrt5j7
+SuE+HKZOE9zc2hRXU9IE/5hgHmPd0sIkmusTYqr+feeS3x6FfiWn/xIMlf4eTQ6F
+55EgdUsem4su0y30i369aMviOL5Rc9OAyT/eH5AU/5BBy9M/y0Sep3wgdrOLsD3h
+AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU
+DPBHE7nzb272+F6creQm6ORqEkIwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
+YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT
+d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT
+b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E
+MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u
+Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBvnya63noZrXlKv5daWjqGTmpftPIvK5KA
+tyQlZn4eSY0GDK4M9HPtPmg1o+gYJnQr9STADh737clPb3P05xzc1LLBiQ+laLZ4
+8KpZ4od5QSMTPCzYgx2LQxqKQz9PjbeLP1wcMLxRsluiwPJu9KnfZBDvHsow/UU8
+SPg62z3p17SZxoCk/87Q3eyZkI7BFJJtyrq4yiRf7lFjaLyw1SnM7sjwOMzoQBVO
+bj21Spn1XQ/1X+DiCB3pFvsGEU0ZdfWKrURNeYgh+KX6S1q0mDusOwIunpR0z2Nx
+Oc8QA3YT5fse48k3sUlRuKY+YSQZqj/vG12cHjBGGQRwmpbaTBHT
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/ocspCert.pem
index f84d1a877..f7c90d302 100644
--- a/testing/hosts/winnetou/etc/openssl/ocspCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/ocspCert.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEQzCCAyugAwIBAgIBHjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEQzCCAyugAwIBAgIBMjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MTEyNDEyNTE1M1oXDTE0MTEyMzEyNTE1M1owZzELMAkGA1UE
+b290IENBMB4XDTE0MTEyODIwMTQzNloXDTE5MTEyNzIwMTQzNlowZzELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag
 U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8BT5LvsaxM0gOw9QM74ML
-vbxXXxTv9W0L//oBnPohbVyueSl0/r2rcIeYa0g1eePgwRRBHwr356Om2mv/zXTp
-lQA4qtY6YMZkoeYCOVhO/fJ4CGO213qWeWIYOe4njTuiPUiI20PWancgaic5UOAC
-UBnyes94I5kB1OWx0THma4Sv0HdBRoWwO+ZqAA87fpV/Wagi6ElJBcjLbO5Hpy3J
-dFvrjNWZwuJw2+qHQ4QOT4McpusfIjgXaZtyEpVIcbJ7knNSq+MapdP0RBS6wzXa
-kWx9tMIAB9gKUfENTNl60ZnmqI0KgKiR3Yqia/bbsD7JcangOcOjWA2H0LKnnLdp
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcEKXgcanpPoLMCxFLx1Br
+9WYJGHxMIi6eGfHHFObA56DpDxEUfRA88wvOgcq/PxSjAJZLePO9VQLU+sdK9+u9
+7INf7AMQ7CSRfHgkjEAt2SK4iWAk01I957qdwbvTTsBvmEAiKtqpQVcKbkokx1dC
+J7prB4TjJWQlxihMAfgRQEX8EWE1c2vmzQ8fVkEc37E/kWpwDYlKtVidn+Nrt5j7
+SuE+HKZOE9zc2hRXU9IE/5hgHmPd0sIkmusTYqr+feeS3x6FfiWn/xIMlf4eTQ6F
+55EgdUsem4su0y30i369aMviOL5Rc9OAyT/eH5AU/5BBy9M/y0Sep3wgdrOLsD3h
 AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU
-NJFukTK/NSVDzCh074LCV5J5E3MwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
+DPBHE7nzb272+F6creQm6ORqEkIwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
 YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT
 d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT
 b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E
 MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u
-Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBteNdmkKbr3bUJSKTaJ/qssbyPjL7MjAmi
-QA1sSq5yIh7Ir23xEq/XQFF51N2yDNuXhLYk1fWou8BL+X9x97BlQkp9/nZ+BdJG
-uH2zOUxcsfq57jtwMzlXGrmVUTMAJRtMqrSnVa9jbW+IF2p/sJfeSRRqJ2qwQoDW
-ppvvBF4RfdWOVCCidtRmWKycEtP1ylSYyiHswVWhL2gLXQRQ0l5wJdgT2URRDopC
-CBiE5mHOWn17gTWQw9SdGbY37o9jXNrY8GRgOeubHFRmdXa1Cli5P5HhIZygUBWX
-tn5BvNDEIUz11/AT+HfpdMSKDiAXMq44wqWoYoUXsaLTIp+Vt6NM
+Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBvnya63noZrXlKv5daWjqGTmpftPIvK5KA
+tyQlZn4eSY0GDK4M9HPtPmg1o+gYJnQr9STADh737clPb3P05xzc1LLBiQ+laLZ4
+8KpZ4od5QSMTPCzYgx2LQxqKQz9PjbeLP1wcMLxRsluiwPJu9KnfZBDvHsow/UU8
+SPg62z3p17SZxoCk/87Q3eyZkI7BFJJtyrq4yiRf7lFjaLyw1SnM7sjwOMzoQBVO
+bj21Spn1XQ/1X+DiCB3pFvsGEU0ZdfWKrURNeYgh+KX6S1q0mDusOwIunpR0z2Nx
+Oc8QA3YT5fse48k3sUlRuKY+YSQZqj/vG12cHjBGGQRwmpbaTBHT
 -----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/ocspKey.pem
index d25396b09..13a81f29d 100644
--- a/testing/hosts/winnetou/etc/openssl/ocspKey.pem
+++ b/testing/hosts/winnetou/etc/openssl/ocspKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAvAU+S77GsTNIDsPUDO+DC728V18U7/VtC//6AZz6IW1crnkp
-dP69q3CHmGtINXnj4MEUQR8K9+ejptpr/8106ZUAOKrWOmDGZKHmAjlYTv3yeAhj
-ttd6lnliGDnuJ407oj1IiNtD1mp3IGonOVDgAlAZ8nrPeCOZAdTlsdEx5muEr9B3
-QUaFsDvmagAPO36Vf1moIuhJSQXIy2zuR6ctyXRb64zVmcLicNvqh0OEDk+DHKbr
-HyI4F2mbchKVSHGye5JzUqvjGqXT9EQUusM12pFsfbTCAAfYClHxDUzZetGZ5qiN
-CoCokd2Komv227A+yXGp4DnDo1gNh9Cyp5y3aQIDAQABAoIBACKheJrs9Z3XyzLl
-AN6tEt8LwG/7VFjqRH6MVFkNt8iGYybDrE4fSYIVRPRe9jrbS4yvI3LnK9cDdFIc
-Mv43sov/ZL4LQVAZWRFZ/Ip2U3yhK5LOQMeBotOqYdYCfYoNaml0jjKe6DzK+Uwg
-IT9eVRQ3+r99vU7sh5cdxnzdAirlXAGdy2QxdF1lyC/49H6jxS7qxuxHPqI0P8VR
-9xVKIXaAKaxcijg47slC386/yEbO96morZuJX+F+iaQ37T0nV3tTergbwDtit3xo
-cOdsHan9zGHE1ayKh8DkBinD+BpiLZdapRvcSm2wAKlamXfI3GIAB5r/3B1NW9yb
-rsThgc0CgYEA4CN+fNaFYQmLMK33wZfXvcadaktSWWXmnqPVLIWRddUH3SA5qEJB
-RwuuLgcfmlmZqBqSOj4pDTtAoNooqA9Ryi0Ugzpvmn5iPevfixQoLix4mn1/bvbF
-bo4CX7Vb7mUdfXpu7PwVNALNfaW6fgKM79LoqX4yZ4k/yFuYl+JTIGcCgYEA1r9k
-mTi/5royyVX0vV7uwyKrXQ8VRVhnVeT2nG1KkuQqUraUQG8WD9J9uxvbZxhsrax1
-Hg1iCAobzlEL2XoX2y+dN+81o2tm9qcy3L7+g6M/+7nQmU+fbGdBkcWq72dZC4ev
-K6grD+gl0uQmdVc7m+3lErojNAlvxTSK1BKrR68CgYA2CxjijO8YGK8BC9FjUnNo
-hM1L5eFzQMi8k5BA7evG15jPzodYdLE8qipTWtBZ7STJja6YcIiBcjoBDtkivJ7h
-+sCpa5uhSrvxZkA+Tpvpljt2NLBXVxT/tSoJXbdO4f6cVLsOVTHfmpVlqGIxI/hL
-kzUaOR16LXO9oahHZwDYHQKBgHPg60PS35p9NxJ1k47sPyKE/rtEfFHjFj+/QWO/
-hdIl1MC1TOJIDzuSdc4Vhhrnjx1YRgplZlS4P7DhAufjfiQEWW3pYqRAPFs0dbmw
-Rl56JPiMmAdic8BnJ3all0uAFQinutpv8Gyw9FgMTMRcwgmuIUIttvlJbkqXw6IU
-QOB5AoGBAJkTG5alPABxJG9ZuEE+iWCPAV1671FXT115D5wlKOY3CImuhsEW085X
-uGZz7WDZWFZJres8RiRlpK035MAg6lUG3trC9+wOluRNehT6h0Vwru8TxjLBxPcc
-yjdSVDH61FQLSKWIGLH9VVLX03NXqi3qxVGrrulUSW5h/HR2s3f7
+MIIEowIBAAKCAQEAnBCl4HGp6T6CzAsRS8dQa/VmCRh8TCIunhnxxxTmwOeg6Q8R
+FH0QPPMLzoHKvz8UowCWS3jzvVUC1PrHSvfrveyDX+wDEOwkkXx4JIxALdkiuIlg
+JNNSPee6ncG7007Ab5hAIiraqUFXCm5KJMdXQie6aweE4yVkJcYoTAH4EUBF/BFh
+NXNr5s0PH1ZBHN+xP5FqcA2JSrVYnZ/ja7eY+0rhPhymThPc3NoUV1PSBP+YYB5j
+3dLCJJrrE2Kq/n3nkt8ehX4lp/8SDJX+Hk0OheeRIHVLHpuLLtMt9It+vWjL4ji+
+UXPTgMk/3h+QFP+QQcvTP8tEnqd8IHazi7A94QIDAQABAoIBAEP6NGZY3AuOgOZj
+g7sgK/V6RGF92tZGpUuUPW3bus8XlU0ulN/5wZLqwp/GhQtcbJ67aLujCXfUiZE/
+UoNjDboCRQ8I/CTo1tzP/Hze4i2WQLtkiw4/RblVMEH62tclnEh/Zp/7TpcesM0I
+UR9H/MgCCf8InWdbKA4UDAVfbjAEws/72QSMnhhsdUfNMKKFiaaDz596MXpI3AWY
+SsenVmcqhMTP819DEem7GTSyOZbx482i7tr1Ix/HB/WlXoTZLB4IFsUOjbtQkoym
+fJHftuCsuN6xg6xUq28zaWqcZzDje7pavqmexXfxvG7a8jXFGY/sagWIHSIp32la
+0WoUO2ECgYEAy0pG09+zY5pHsHoNrSEsN3wIXOv4EIwwEuk4ZTqBPyh/lbHozHDp
+JlO+ObJVzRG/NS4RnlJUicmAUtI7CSpdvTD1OclROBF3DPwiu18zEJTqXkGDcVyt
+bmy8JQDZPYt4mE/TsuRN3uoc9+2jc1ZL6zvS3u6s0EV5j4SYxrn/oQ0CgYEAxIe5
+uBvR+wRXeWddRbIAKxQJa1PR4WDbIQWGm8TlXpcBWsyaqId3AIg9IoQH9AtFvl5F
++6QHjhl5jNK/PkzNM/xAMbS4X4S32zDVUtmJXheyze65lQvXVfUFQUCyb5DeBtvk
+XOf6k5WfM8rAzCb4PNwp+U21vQW7dfOSWp1yEyUCgYEAv3QHeljOYHqXE4wPP0Lj
+mqmUUrbk2+i7CcRdGXDc8jdY2QlBfvDDkxYBK+NZTRVup03ox9svxMhhsx5M/RfK
+SnhGKxL/C7ffD/qRVzeUJwSoKPa4LNYke7+p/YtsDLtCauebL3o2ID8J4zEJ44Cd
+ZT/lG5FabZdQoao2G8pmBi0CgYBrdG5mLMflwJz3Yz3LUqTm6OCxjzXtTeDiMDxG
+RSTIUDZMaByT0uWNI/CRQ7F5jQRILxGColADMQiVp9ErBiEYsG6E/vPkPhOsxAmP
+cCO8j6aTFFjiFoRZmkuSPwaRG5taErbM2YXXVfKjBdPei9wkophMmGGrBUxXFKNL
+6lQqBQKBgFeDuiesvRr+3KUxO6FiRXdGzkhFpfVaSxnFpvyd03vByTsuI5AugjHt
+UPHkOxnrXYg2bZwHSy5fvhUs18FdcucfJnsVl+/Clhl5jkeQzSOszoPx8lvhcck5
+uzlqo+L2XXWN3MaiBHvboA/duTiSQAvcPaEi8gpprxvLHojz/P9R
 -----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
index 0565c768e..25f57370c 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -2,8 +2,9 @@ R	100322070423Z	100407091025Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=
 R	100615195710Z	100703145747Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 R	120323210330Z	140324140605Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
 R	140323203747Z	140324142334Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
-V	151103161503Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
+R	151103161503Z	141128215838Z,superseded	05	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
 V	150406092057Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	150702151839Z		07	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 V	190323140633Z		08	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
 V	190323142352Z		09	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
+V	190401220708Z		0A	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
index 8a0231b05..3fc101e9e 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
@@ -2,7 +2,8 @@ R	100322070423Z	100407091025Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=
 R	100615195710Z	100703145747Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 R	120323210330Z	140324140605Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
 R	140323203747Z	140324142334Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
-V	151103161503Z		05	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
+R	151103161503Z	141128215838Z,superseded	05	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
 V	150406092057Z		06	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
 V	150702151839Z		07	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
 V	190323140633Z		08	unknown	/C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
+V	190323142352Z		09	unknown	/C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem
new file mode 100644
index 000000000..2076242cc
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw
+OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz
+w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw
+1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR
+IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX
+7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w
+F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK
+cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF
+AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd
+i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4
+zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM
+4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE
+VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF
+5n7mN4ssNQdcD86W5lnI9pT5s1uvdw==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial
index d9bb888f8..eb589e9da 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial
+++ b/testing/hosts/winnetou/etc/openssl/research/serial
@@ -1 +1 @@
-0A
+0B
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old
index 86397e5c1..d9bb888f8 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/research/serial.old
@@ -1 +1 @@
-09
+0A
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/.rand b/testing/hosts/winnetou/etc/openssl/rfc3779/.rand
index 20107f5f6..b41b2202b 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/.rand
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/.rand
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt
index 9adf263bf..bfafdee5d 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt
@@ -1,4 +1,8 @@
-V	141222133356Z		01	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
-V	141222133521Z		02	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
-V	141222133612Z		03	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
-V	141222133736Z		04	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org
+R	141222133356Z	141227062317Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+R	141222133521Z	141227062321Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+R	141222133612Z	141227062326Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
+R	141222133736Z	141227062335Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org
+V	191221064542Z		05	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+V	191221064900Z		06	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+V	191221085130Z		07	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
+V	191221085457Z		08	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old
index be48eeee4..56242a38b 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old
@@ -1,3 +1,7 @@
-V	141222133356Z		01	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
-V	141222133521Z		02	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
-V	141222133612Z		03	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
+R	141222133356Z	141227062317Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+R	141222133521Z	141227062321Z,superseded	02	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+R	141222133612Z	141227062326Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
+R	141222133736Z	141227062335Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org
+V	191221064542Z		05	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+V	191221064900Z		06	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+V	191221085130Z		07	unknown	/C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem
new file mode 100644
index 000000000..124e2ae46
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5
+MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6
+GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu
+uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA
+PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2
+jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd
+D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK
+KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
+d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
+Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
+MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
+bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL
+aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo
+830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5
+lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2
+NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR
+pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu
+Mc/lk4Nl8pHRO+Xm
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem
new file mode 100644
index 000000000..a93121da1
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5
+MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5
+oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf
+pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw
+ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1
+Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd
+0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd
+bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
+Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
+IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz
+d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww
+RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR
+AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu
+7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p
+nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg
+oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx
+k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD
+yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug
+NnBR3lf2HB2lWA==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem
new file mode 100644
index 000000000..bf8a4919d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEojCCA4qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTEzMFoXDTE5
+MTIyMTA4NTEzMFowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3
+YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSlxt8LQf1wJ
+u1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1XELjKv3kcYp2McydNPq63fw9XXbu
+a/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++e0xxcZS4NQ6wz57bHgARzMoCisNr
+xcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5LieSMGIBQjKGCd2a3eZYhTCs6hI0vhQ
+Q1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXPuMY1CwZkGcANd6vBK5YBNiZFquBj
+FhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN8Xim/AewWRcKJJKdlLAAHmZD0jx2
+g/E0LGu01wIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFNs9CUs7SNJewkkfo1Bg7bcUEzPXMIGMBgNVHSMEgYQwgYGAFCF/p+s3
+0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
+dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
+b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz
+d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw
+MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA
+ABAwDQYJKoZIhvcNAQELBQADggEBAEYqXkheXXHiC5JnrZm5QUo11Vu4CtNRGeg0
+atuG8ZNHgQfa7wjjeCDNpj3lHvyegYsSMo7wGwN7DugH0mmXKZF9XHc4sU7/aUvl
+mX52tDuUoCGD0/yFuKLlYOfwmsquC9snYDW7cJXaqMON/OMLcU44OR8E1oiw2ePT
+FqyGFbfparp+Q8I7VHwJBs+mDphdNUlFbpuO9m2eEtqdYVyXlfUnbFpMMyWxxIY/
+6CIyWcRRKeWRRXxkk/dSeEWgsfWY7ITK9blP5nhIsgpCoEguGc6h4RL65VdH+Sy0
+9MLpesyGe6qkdrrg4nyaY82uuFXhUo0YiP0ddUw8eNaefFqEzL0=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem
new file mode 100644
index 000000000..88ce01ed5
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEoDCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTQ1N1oXDTE5
+MTIyMTA4NTQ1N1owWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpJKRQ2CEG39rO
+8nX7RpY+Ed5tyx+rkug3HrSInie+fgkDnLES2U1X3wvM2OczLp6L1ccROv+SzEW+
+OKfCZSz7T4GLwaRodi9KtHvfOCsbDx/vkFFwui2yt9rVUSpcbk1OiVQsA9R0G6vz
+eqFIL9GtrtHWQ+dkvWy61i2A+T1X2QfhVfzvj5msL3CuZU6fnwGYD4LZz8RUGlB4
+WkSFWCctfQfgK+lpfuzq6OFFkARzxZ55D0MzgAvXY6osS8gMdiSD50Zlik7qZVvn
+RO0j6TOg0WKinzguAokAyDCsaoqsOvi27QalfH48PUM+aUzHNCKnD6pswebHou3m
+mvG3rH+9AgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUsBjPeVTm7TUTaXtmfv09yQS2mV8wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
+d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u
+Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh
+bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw
+FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg
+MA0GCSqGSIb3DQEBCwUAA4IBAQCNyAyUvqeCgWnPEMkfFFb1kBbd3me3aLRxXFb4
+TY44L6SBiFNy1s3UyFCLw1xXnSMgTpvZqHmB7fnzX7Aj6BNkPFIThEiHYN85ai4t
+U9bO2nqwXfIINFt2Qlokd0QWHzDsL/o9Mmqs38ymlfIbsgwh7gCZ2HhGlOb7+QNU
+IaDVIcKqBr07wX7qO/fEjKgFSkUT5eFNwQmyT3zUaE1PixK5w1hRxvs/KAsLgbfe
+5ofLD88rfxvkqLwhRNU8PUzqIpqxfV1P+wS/k78z0tG+JI8yeEkcksuj9UOzlTr2
+jWL1QoxUEinR3N4dTqsW4u/Jz7R4MHdO+l9RoYZpQA8LV8s3
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
index 9ec4b01a8..e8a0a2ee7 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
@@ -40,7 +40,7 @@ x509_extensions = host_ext		  # The extensions to add to the cert
 
 crl_extensions	= crl_ext  		  # The extensions to add to the CRL
 
-default_days    = 1825                    # how long to certify for
+default_days    = 1820                    # how long to certify for
 default_crl_days= 30			  # how long before next CRL
 default_md      = sha256                  # which md to use.
 preserve        = no                      # keep passed DN ordering
@@ -153,6 +153,13 @@ sbgp-ipAddrBlock = critical, @host-addr-section
 
 [host-addr-section]
 
+#moon networks
+#IPv4.0 = 192.168.0.1
+#IPv4.1 = 10.1.0.0/16
+#IPv6.0 = fec0::1
+#IPv6.1 = fec1::/16
+
+#sun networks
 IPv4.0 = 192.168.0.2
 IPv4.1 = 10.2.0.0/16
 IPv6.0 = fec0::2
@@ -176,6 +183,12 @@ sbgp-ipAddrBlock = critical, @user-addr-section
 
 [user-addr-section]
 
+#carol networks
+#IPv4.0 = 192.168.0.100
+#IPv4.1 = 10.3.0.1
+#IPv6.0 = fec0::10
+
+#dave networks
 IPv4.0 = 192.168.0.200
 IPv4.1 = 10.3.0.2
 IPv6.0 = fec0::20
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/serial b/testing/hosts/winnetou/etc/openssl/rfc3779/serial
index eeee65ec4..86397e5c1 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/serial
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/serial
@@ -1 +1 @@
-05
+09
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old b/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old
index 64969239d..adb9de8ee 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old
@@ -1 +1 @@
-04
+08
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index f5c89552b..bb95160cb 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-32
+33
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index e85087aff..f5c89552b 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-31
+32
diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage
index 075fd8e1e..c927934f1 100755
--- a/testing/scripts/build-baseimage
+++ b/testing/scripts/build-baseimage
@@ -21,7 +21,7 @@ INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,screen
 INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev
 INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev,ca-certificates,unzip
 INC=$INC,python,python-setuptools,python-dev,python-pip
-INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi
+INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev
 SERVICES="apache2 dbus isc-dhcp-server slapd bind9"
 INC=$INC,${SERVICES// /,}
 
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
index 2b7bde5a5..d58de95bf 100644
--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -70,6 +70,8 @@ CONFIG_OPTS = \
 	--enable-socket-dynamic \
 	--enable-dhcp \
 	--enable-farp \
+	--enable-connmark \
+	--enable-forecast \
 	--enable-addrblock \
 	--enable-ctr \
 	--enable-ccm \
@@ -92,7 +94,8 @@ CONFIG_OPTS = \
 	--enable-tkm \
 	--enable-ntru \
 	--enable-lookip \
-	--enable-swanctl
+	--enable-swanctl \
+	--enable-bliss
 
 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
 
diff --git a/testing/tests/ha/both-active/description.txt b/testing/tests/ha/both-active/description.txt
index 4c64fff97..2d04e74f2 100644
--- a/testing/tests/ha/both-active/description.txt
+++ b/testing/tests/ha/both-active/description.txt
@@ -4,5 +4,5 @@ to the virtual gateway <b>mars</b> implemented by the two real gateways
 based on <b>ClusterIP</b>. Depending on the hash of the IP addresses of the peers
 and the SPIs, the inbound and outbound CHILD_SAs are either assigned to
 segment 1 managed by <b>alice</b> or segment 2 handled by <b>moon</b>.
-The IKEv2 protocol is managed by <b>moon</b> exclusively with passive
-IKE_SAs installed on the backup gateway <b>alice</b>.
+The IKEv2 protocol is managed by <b>alice</b> exclusively with passive
+IKE_SAs installed on the backup gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat
index 52c561964..8f5ffdb50 100644
--- a/testing/tests/ikev1/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev1/double-nat-net/evaltest.dat
@@ -1,7 +1,7 @@
 alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
 bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
 alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
 moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat
index 9ddad2de5..5f0622690 100644
--- a/testing/tests/ikev1/double-nat/evaltest.dat
+++ b/testing/tests/ikev1/double-nat/evaltest.dat
@@ -1,7 +1,7 @@
 alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
 bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
 moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/nat-rw/evaltest.dat b/testing/tests/ikev1/nat-rw/evaltest.dat
index 387dbae23..36d9f8456 100644
--- a/testing/tests/ikev1/nat-rw/evaltest.dat
+++ b/testing/tests/ikev1/nat-rw/evaltest.dat
@@ -2,10 +2,10 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.
 venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
 sun::  ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
 sun::  ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 moon:: sleep 6::no output expected::NO
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
index aab1df687..b8b1fdd09 100755
--- a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
 # NAT updown script
 #
 # Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
@@ -13,7 +13,6 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 
-# things that this script gets (from ipsec_pluto(8) man page)
 #
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
@@ -32,15 +31,20 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
 #
 #       PLUTO_ME
 #              is the IP address of our host.
@@ -54,25 +58,21 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
 #
 #       PLUTO_MY_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -80,31 +80,38 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
 #
 
 # define a minimum PATH environment in case it is not set
@@ -129,22 +136,22 @@ up-client:)
 	# If you are doing a custom version, firewall commands go here.
 	iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
 	    -d $PLUTO_PEER_CLIENT -j ACCEPT
-        iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
-            -s $PLUTO_PEER_CLIENT -j ACCEPT
+	iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+	    -s $PLUTO_PEER_CLIENT -j ACCEPT
 	iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
 	    -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
-	echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 
+	echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
 	;;
 down-client:)
 	# connection to my client subnet going down
 	# If you are doing a custom version, firewall commands go here.
-        iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-            -d $PLUTO_PEER_CLIENT -j ACCEPT
-        iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
-            -s $PLUTO_PEER_CLIENT -j ACCEPT
-         iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-            -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
-        echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2    
+	iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j ACCEPT
+	iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+	    -s $PLUTO_PEER_CLIENT -j ACCEPT
+	iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+	echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
 	;;
 *)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
 	exit 1
diff --git a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
index 842eda00b..2dd5a40dd 100644
--- a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
+++ b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
@@ -1,7 +1,7 @@
 moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
 sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
-moon::cat /var/log/daemon.log::splitting IKE message with length of 1468 bytes into 2 fragments::YES
-sun::cat /var/log/daemon.log::splitting IKE message with length of 1388 bytes into 2 fragments::YES
+moon::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
+sun::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
 moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
 moon::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
 sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..4d99866f7
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm
+MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ
+qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1
+ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR
+fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN
+2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9
+K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7
+mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc
+ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f
+XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy
+Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx
+J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj
+zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0
+8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT
+61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo
+PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug
+bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b
+eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1
+ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am
+DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt
+v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0
+fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw
+y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC
+h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2
+cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
new file mode 100644
index 000000000..d8fad9aad
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB
+eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+
+mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV
+sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK
+3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ
+mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl
+QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw
+HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH
+eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54
+/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/
+RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc
+Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY
+Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/
+Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h
+BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv
+NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF
+wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc
+JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78
+5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf
+mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi
+N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr
+r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX
+jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy
+gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV
+zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat
index 52c561964..8f5ffdb50 100644
--- a/testing/tests/ikev2/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev2/double-nat-net/evaltest.dat
@@ -1,7 +1,7 @@
 alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
 bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
 alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
 moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat
index 9ddad2de5..5f0622690 100644
--- a/testing/tests/ikev2/double-nat/evaltest.dat
+++ b/testing/tests/ikev2/double-nat/evaltest.dat
@@ -1,7 +1,7 @@
 alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
 bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
 moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/forecast/description.txt b/testing/tests/ikev2/forecast/description.txt
new file mode 100644
index 000000000..db67b9c3d
--- /dev/null
+++ b/testing/tests/ikev2/forecast/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to
+gateway <b>moon</b> and request a <b>virtual IP</b>. <b>moon</b> negotiates
+broadcast and multicast traffic selectors with the clients, and uses
+<i>%unique</i> marks to avoid any policy conflicts. The enabled <i>forecast</i>
+plugin on <b>moon</b> installs the required Netfilter rules to make use of these
+policies, and additionally starts forwarding broadcast and multicast packets
+between the clients.<br/>
+To test forwarding, the hosts send multicast and broadcast ping messages.
diff --git a/testing/tests/ikev2/forecast/evaltest.dat b/testing/tests/ikev2/forecast/evaltest.dat
new file mode 100644
index 000000000..6babe57f0
--- /dev/null
+++ b/testing/tests/ikev2/forecast/evaltest.dat
@@ -0,0 +1,20 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 1::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 2::YES
+alice::ping -W 1 -c 1 239.0.0.1 2>&1> /dev/null
+carol::ping -W 1 -c 1 239.0.0.2 2>&1> /dev/null
+dave::ping -W 1 -c 1 239.0.0.3 2>&1> /dev/null
+carol::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
+dave::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
+moon::iptables -t mangle -L -n -v
+carol::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
+dave::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
+carol::tcpdump::IP 10.1.0.130 > 239.0.0.3: ICMP echo request::YES
+dave::tcpdump::IP 10.1.0.129 > 239.0.0.2: ICMP echo request::YES
+carol::tcpdump::IP 10.1.0.130 > 10.1.255.255: ICMP echo request::YES
+dave::tcpdump::IP 10.1.0.129 > 10.1.255.255: ICMP echo request::YES
diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..4cd628384
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftsubnet=0.0.0.0/0
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=0.0.0.0/0
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7b81476e9
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..e2255d96b
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftsubnet=0.0.0.0/0
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=0.0.0.0/0
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..7b81476e9
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..fde2e9103
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16,224.0.0.0/4
+	right=%any
+	rightid=*@strongswan.org
+	rightsourceip=10.1.0.128/26
+	rightsubnet=%dynamic,224.0.0.0/4,10.1.255.255
+	mark=%unique
+	auto=add
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..986ef32de
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown attr forecast
+  syslog {
+    daemon {
+      net = 2
+    }
+  }
+  plugins {
+    forecast {
+      interface = eth1
+      reinject = rw
+    }
+  }
+}
diff --git a/testing/tests/ikev2/forecast/posttest.dat b/testing/tests/ikev2/forecast/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev2/forecast/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/forecast/pretest.dat b/testing/tests/ikev2/forecast/pretest.dat
new file mode 100644
index 000000000..206bf5b64
--- /dev/null
+++ b/testing/tests/ikev2/forecast/pretest.dat
@@ -0,0 +1,7 @@
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/forecast/test.conf b/testing/tests/ikev2/forecast/test.conf
new file mode 100644
index 000000000..13b3927ae
--- /dev/null
+++ b/testing/tests/ikev2/forecast/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/host2host-transport-connmark/description.txt b/testing/tests/ikev2/host2host-transport-connmark/description.txt
new file mode 100644
index 000000000..6660279c9
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/description.txt
@@ -0,0 +1,8 @@
+An IPsec <b>transport-mode</b> connection between the natted host <b>alice</b>
+and gateway <b>sun</b> is successfully set up. The client <b>venus</b> behind
+the same NAT as client <b>alice</b> also establishes the same <b>transport-mode</b>
+connection. <b>sun</b> uses the connmark plugin and a <b>%unique</b> mark on
+the CHILD_SAs to select the correct return path SA using connection tracking.
+This allows <b>sun</b> to talk to both nodes for client initiated flows, even
+if the SAs are actually both over <b>moon</b>.<br/>
+To test the connection, both hosts establish an SSH connection to <b>sun</b>.
diff --git a/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat
new file mode 100644
index 000000000..04a35c10c
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat
@@ -0,0 +1,7 @@
+sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+alice::ssh 192.168.0.2 'echo alice-echo && exit'::alice-echo::YES
+venus::ssh 192.168.0.2 'echo venus-echo && exit'::venus-echo::YES
+sun::iptables -t mangle -L -n -v
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..9000ebcfe
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn nat-t
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	right=192.168.0.2
+	rightid=@sun.strongswan.org
+	type=transport
+	auto=add
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..220059c43
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=192.168.0.2
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+
+conn nat-t
+	right=%any
+	type=transport
+	mark=%unique
+	auto=add
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..1311e5b27
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default connmark
+}
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..cea239abe
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn nat-t
+	leftcert=venusCert.pem
+	leftid=venus@strongswan.org
+	right=192.168.0.2
+	rightid=@sun.strongswan.org
+	type=transport
+	auto=add
diff --git a/testing/tests/ikev2/host2host-transport-connmark/posttest.dat b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat
new file mode 100644
index 000000000..144be6c90
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat
@@ -0,0 +1,5 @@
+alice::ipsec stop
+venus::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-transport-connmark/pretest.dat b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat
new file mode 100644
index 000000000..ab6408427
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
+moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16  -j ACCEPT
+moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16  -j ACCEPT
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t
diff --git a/testing/tests/ikev2/host2host-transport-connmark/test.conf b/testing/tests/ikev2/host2host-transport-connmark/test.conf
new file mode 100644
index 000000000..8c2facefd
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun alice venus moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/host2host-transport-nat/description.txt b/testing/tests/ikev2/host2host-transport-nat/description.txt
index 6f18a88cd..fc7186c53 100644
--- a/testing/tests/ikev2/host2host-transport-nat/description.txt
+++ b/testing/tests/ikev2/host2host-transport-nat/description.txt
@@ -9,5 +9,6 @@ rules that let pass the decrypted IP packets. In order to test the host-to-host
 dropped when the IPsec policies are consulted (increases the <em>XfrmInTmplMismatch</em> counter
 in <em>/proc/net/xfrm_stat</em>).</li>
 <li>A similar issue arises when <b>venus</b> also establishes an IPsec <b>transport-mode</b> connection to
-<b>sun</b>, due to the conflicting IPsec policies <b>sun</b> declines such a connection.</li>
+<b>sun</b>. Due to the conflicting IPsec policies <b>sun</b> will use the newer SA from
+<b>venus</b> to send traffic to the common transport mode address.</li>
 </ol>
diff --git a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
index faa9fb265..0ec50bc92 100644
--- a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
@@ -1,12 +1,9 @@
 alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
 sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
-alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
-venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO
-venus::ipsec up nat-t::received TS_UNACCEPTABLE notify::YES
-sun::cat /var/log/daemon.log::unable to install policy::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
 sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP echo request::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ICMP echo reply::NO
diff --git a/testing/tests/ikev2/host2host-transport-nat/pretest.dat b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
index fe0f17d3d..2d2607078 100644
--- a/testing/tests/ikev2/host2host-transport-nat/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
@@ -10,3 +10,4 @@ sun::ipsec start
 alice::expect-connection nat-t
 venus::expect-connection nat-t
 alice::ipsec up nat-t
+venus::ipsec up nat-t
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
index 65a003d23..8457ae0dd 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -1,6 +1,6 @@
 moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
-moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
 moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
@@ -9,8 +9,8 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan.
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES
-dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA.* successful::YES
+dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
 dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
 moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 4e13b52d0..70b953e49 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
 MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
-BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
-MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMTQxMTI4MjIxODIyWhcNMTkwMjI1
+MjIxODIyWjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
 bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
-c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
-IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
-30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
-jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
-veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
-ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
-7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
-VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
-jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
+c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNBbHnfLRk
+Lvxh9V7x/NoSs5qavpr8F51LnYpIfppgMvBDjpdeSnBPOOPakPlfUhKSvXIesESv
+QI1HJOlGftswL9A5B1lTnsH65sqpgqgj67grh386U3O9ZccFhUj8Dw6TUo/qe4pK
+sWDwUX/LG3mjOx/rOGvX8WxvZU7JVXXhU4g8TpIV3JRTQ+lF82z3qoS6dAfRt4xh
+6pyLuMYbu6UtX5Al0iJDvpsWr9ZbKI2f8Dhkr0sZFRHl7Gs5jTN1Ra1EF0jCjIzo
+6AkkY+ITBssvVvMFpeN/jb0ZhvLcRFU56lvLkmrj/InKUsk9qNm80+/wFBUzJ5N7
+GezXmBIPwXdlAgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFLPw4VsFnIRIKhjd/OF7delHM9kiMHkGA1UdIwRyMHCAFIpw4MqlHGRv
+K5K5c1wBrJAb/fk1oVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
 c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
-IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
-DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
-TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
-4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
-Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
-3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
-BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
+IENBggEKMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
+DQEBCwUAA4IBAQCi2vUHTZtkUGMAQsztQBLDwtqS7D+1ydO2BU/wkNRn4M7Zlkjq
+O2JBgwGmeWpnZWPdNo+A5ECqcVYXp0XQw/24zxV92StTN7mGvPKVM6bYExcCT8x6
+tVkzlfyjJaVdBgl12jkQA4v6Efwc0P6nunYfxYIrfoFA4kjMnAbxLfPKFEj8b8NW
+E9gvOEPy9hOv2dJEKyNxau+O5oGRZ46zSotcS0n34huoMEkXpUnpGOgZw8cl8xpP
+ffHiAJqZYgqU6B++HQO6M6IQ0nQmX6OxGz+5VhEmuizgWB0B1L65BlzAysdavLZN
+Yn4RdcYfpdbUgj5oRapiwWaQxpGImyQ1JBIU
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 48727ed9d..ce60672bc 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF
-Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF
-w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/
-rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8
-UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX
-aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+
-33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX
-ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA
-zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2
-DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag
-QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp
-5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP
-44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX
-Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV
-2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar
-PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX
-LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/
-Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq
-VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL
-Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty
-6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3
-Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw
-Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq
-Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS
-QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw==
+MIIEpAIBAAKCAQEAzQWx53y0ZC78YfVe8fzaErOamr6a/BedS52KSH6aYDLwQ46X
+XkpwTzjj2pD5X1ISkr1yHrBEr0CNRyTpRn7bMC/QOQdZU57B+ubKqYKoI+u4K4d/
+OlNzvWXHBYVI/A8Ok1KP6nuKSrFg8FF/yxt5ozsf6zhr1/Fsb2VOyVV14VOIPE6S
+FdyUU0PpRfNs96qEunQH0beMYeqci7jGG7ulLV+QJdIiQ76bFq/WWyiNn/A4ZK9L
+GRUR5exrOY0zdUWtRBdIwoyM6OgJJGPiEwbLL1bzBaXjf429GYby3ERVOepby5Jq
+4/yJylLJPajZvNPv8BQVMyeTexns15gSD8F3ZQIDAQABAoIBABliJR6V7/efYZv3
+NyQavB0oo3GZO7MOcWkVPjOviQl0BQ84LkF8Ud9dGcjLvjQxAx+r2N83z6krAtLW
+HROfTR/wK4WEBWk29KlNvbWy+YJJAupQwk3EW0YNvdBPKjQa4SEYTb0oQnzw7SGT
+1ZCd/DdbcJ48xA1eVKCOGG0Q6aFV702mUszjZfrnyqr+zxx8ZE+YhKSXB0eGjv2+
++kiJMf25ZpgP5Pu5AAX0/KRN9E5orbr5pdFTBgOIJ6Sdsnr/q/tJaU/bPVJEtFvd
+BqSVtz87ftTdZVH5zMBkXPVwlWczQiK5J6igrMBcrHhnKUmt54kh9bEUmt2ZrBOx
+xmEV/wECgYEA+a+LjA3lZgk5Qy4qKvXe4EHvRSK513ZxN8gBvj4wA7JmEGv76gMw
+5o1DbpNOqumeyjrtsqVzjAu3GpowX4dfHRal9CZ57dtedjWlHPnnDtSMKzmJXiJb
+HzYPngpjxfAjrZNIBlQZeAhtYCQUDM/SSitcnP1gp3DEdVyxFNafmuECgYEA0jUA
+F0hSddYBo4tG84gnHQ6L0ftqn3K0UD9EcFAG2Zxv7dqSGdmCq6wo/q1UeKDVLjCX
+OteuqzDG+ka6DmbcLwj9VRMQP9lqUbtGOzwyWxYdcMUZnMtWHpuvcsyHLrAKqTxJ
+0Be7hlXCbSrh62CBpAgv91NMghZup3Tpku8qkQUCgYEAyWNp7uEWciJmaWVG5bfC
+uKb10pGby8ngr9lGbqfCGnk+EWjHm4xPWOX/yaRPA1PDm+HD7x+7/u1EFtTex25s
+rQ2jdTXDirIxkq7aKnD2iOOu2v5haefUD2yPVC2VJAX5APuWUGRs1oAVmEIBWgQV
+3XT0EjvcRbGTBAZrXh9uRIECgYEAzBclZXWUilAj+zOoyZ4xy6Zp3pAqL3Fg3GDx
+A9LPM80NZ3RFUc+7bQ6UJuEHGK+fC1+mFT1/mzqaljjBQGZh9VDXFhiSOEvRTFV1
+lOGXSpSoNOtJONC7ZrBloiIuRggp8bJVQDMqoPz27qMqAiwK8sX4PDumFs/M081R
+UpXfUDkCgYAOa/VoXgDlFMun1qEu6LFZcLhA6SyHRT0yT9WSYkHjcQusvJAZEM67
+lfUd1J57tG6+HS7z0wBkO72HG0YZDD8dhgzsYGChUHD+yq+OZ2FHnZWRSnnHq4zD
+ZBjS8PGcVu/4Ojx6B8GI41UgmdqH+US+AA6nYceb74NeIigXjtXUdA==
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
index bb205a0fd..2076242cc 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
@@ -1,23 +1,23 @@
 -----BEGIN CERTIFICATE-----
-MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
-M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw
+OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
 BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
-MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
-ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
-UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
-h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
-i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
-o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
-KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz
+w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw
+1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR
+IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX
+7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w
+F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK
+cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
-AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
-YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
-rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
-1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
-wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
-DSlBqDpnqK8tEI9V9YeroihTcygrEg==
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF
+AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd
+i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4
+zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM
+4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE
+VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF
+5n7mN4ssNQdcD86W5lnI9pT5s1uvdw==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
index bb8e856cc..c5390fbb6 100644
--- a/testing/tests/ikev2/nat-rw-mark/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
@@ -1,7 +1,7 @@
 alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
 venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
 sun::  ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
 sun::  ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
 sun::  ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
index 421335ffb..e0c15f56a 100755
--- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
 # updown script setting inbound marks on ESP traffic in the mangle chain
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
@@ -22,8 +22,6 @@
 # that, and use the (left/right)updown parameters in ipsec.conf to make
 # strongSwan use yours instead of this default one.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -41,15 +39,20 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
 #
 #       PLUTO_ME
 #              is the IP address of our host.
@@ -63,15 +66,6 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
 #       PLUTO_MY_SOURCEIP4_$i
 #       PLUTO_MY_SOURCEIP6_$i
@@ -85,7 +79,8 @@
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -93,31 +88,19 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
 #
 #       PLUTO_XAUTH_ID
 #              is an optional user ID employed by the XAUTH protocol
@@ -143,7 +126,7 @@
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
 export PATH
 
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
 VPN_LOGGING=1
 #
 # tag put in front of each log entry:
@@ -157,21 +140,11 @@ FAC_PRIO=local0.notice
 #
 # local0.notice                   -/var/log/vpn
 
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
 # check interface version
 case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+1.[0|1])	# Older release?!?  Play it safe, script may be using new features.
 	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
+	echo "$0: 	called by obsolete release?" >&2
 	exit 2
 	;;
 1.*)	;;
@@ -193,119 +166,45 @@ custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 esac
 
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 
-	parms1="$PLUTO_PEER_CLIENT"
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1)	# ICMP
+	ICMP_TYPE_OPTION="--icmp-type"
+	;;
+58)	# ICMPv6
+	ICMP_TYPE_OPTION="--icmpv6-type"
+	;;
+*)
+	;;
+esac
 
-	if [ -n "$PLUTO_NEXT_HOP" ]
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	if [ -n "$ICMP_TYPE_OPTION" ]
 	then
-	    parms2="via $PLUTO_NEXT_HOP"
+		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
 	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
-
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
+		S_MY_PORT="--sport $PLUTO_MY_PORT"
+		D_MY_PORT="--dport $PLUTO_MY_PORT"
 	fi
-	if test " $oops" != " " -o " $st" != " 0"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	if [ -n "$ICMP_TYPE_OPTION" ]
 	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
+		# the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+	else
+		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
 	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 fi
 
 # is there an inbound mark to be set?
@@ -313,82 +212,18 @@ if [ -n "$PLUTO_MARK_IN" ]
 then
 	if [ -n "$PLUTO_UDP_ENC" ]
 	then
-	    SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
+		SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
 	else
-		SET_MARK="-p esp"
+		SET_MARK="-p $PLUTO_PROTO"
 	fi
 	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
 fi
 
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
 # resolve octal escape sequences
 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
 
-# the big choice
 case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
@@ -403,6 +238,14 @@ up-host:)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -430,6 +273,13 @@ down-host:)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -472,6 +322,15 @@ up-client:)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -518,6 +377,13 @@ down-client:)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
index 6ec29c779..86fc1975e 100644
--- a/testing/tests/ikev2/nat-rw-psk/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
@@ -1,6 +1,6 @@
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL, ESP in UDP::YES
-sun::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL.*ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
 sun::  ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES
 sun::  ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat
index 387dbae23..36d9f8456 100644
--- a/testing/tests/ikev2/nat-rw/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw/evaltest.dat
@@ -2,10 +2,10 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.
 venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
 sun::  ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
 sun::  ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 moon:: sleep 6::no output expected::NO
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
index aab1df687..1afd70df8 100755
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
 # NAT updown script
 #
 # Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
@@ -13,8 +13,6 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -32,15 +30,20 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
 #
 #       PLUTO_ME
 #              is the IP address of our host.
@@ -54,25 +57,21 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
 #
 #       PLUTO_MY_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -80,31 +79,38 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
 #
 
 # define a minimum PATH environment in case it is not set
@@ -129,22 +135,22 @@ up-client:)
 	# If you are doing a custom version, firewall commands go here.
 	iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
 	    -d $PLUTO_PEER_CLIENT -j ACCEPT
-        iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
-            -s $PLUTO_PEER_CLIENT -j ACCEPT
+	iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+	    -s $PLUTO_PEER_CLIENT -j ACCEPT
 	iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
 	    -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
-	echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 
+	echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
 	;;
 down-client:)
 	# connection to my client subnet going down
 	# If you are doing a custom version, firewall commands go here.
-        iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-            -d $PLUTO_PEER_CLIENT -j ACCEPT
-        iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
-            -s $PLUTO_PEER_CLIENT -j ACCEPT
-         iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-            -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
-        echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2    
+	iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j ACCEPT
+	iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+	    -s $PLUTO_PEER_CLIENT -j ACCEPT
+	iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+	echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
 	;;
 *)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
 	exit 1
diff --git a/testing/tests/ikev2/net2net-cert-sha2/description.txt b/testing/tests/ikev2/net2net-cert-sha2/description.txt
new file mode 100644
index 000000000..c659b4c47
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> using SHA-2 to create signatures
+as enabled by the IKEv2 Signature Authentication extension described in <b>RFC 7427</b>.
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
new file mode 100644
index 000000000..65737ba1f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
@@ -0,0 +1,9 @@
+moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA512 successful::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA384 successful::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..5af6d2bbc
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftauth=rsa-sha384
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..2127105da
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..3c3d1e51d
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+    keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftauth=rsa-sha512
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..2127105da
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/net2net-cert-sha2/posttest.dat b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat
new file mode 100644
index 000000000..837738fc6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
new file mode 100644
index 000000000..81a98fa41
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/test.conf b/testing/tests/ikev2/net2net-cert-sha2/test.conf
index 646b8b3e6..afa2accbe 100755..100644
--- a/testing/tests/swanctl/net2net-cert-ipv6/test.conf
+++ b/testing/tests/ikev2/net2net-cert-sha2/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
- 
+
 # Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index a26295090..6e5c24063 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -3,4 +3,5 @@
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
+  signature_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index a26295090..6e5c24063 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -3,4 +3,5 @@
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
+  signature_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
index 7f227fd62..c7437c8bb 100644
--- a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
+++ b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
@@ -1,7 +1,7 @@
 moon::cat /var/log/daemon.log::IKE_SA_INIT request 0.*FRAG_SUP::YES
 sun::cat /var/log/daemon.log::IKE_SA_INIT response 0.*FRAG_SUP::YES
-moon::cat /var/log/daemon.log::splitting IKE message with length of 1804 bytes into 2 fragments::YES
-sun::cat /var/log/daemon.log::splitting IKE message with length of 1596 bytes into 2 fragments::YES
+moon::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
+sun::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
 moon::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
 moon::cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES
 sun::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 7f5f8d703..124e2ae46 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,28 +1,28 @@
 -----BEGIN CERTIFICATE-----
-MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
-MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5
+MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
 Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
-RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
-aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
-BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
-lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
-wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
-vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
-HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6
+GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu
+uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA
+PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2
+jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd
+D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK
+KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
 owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
 eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
 d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
 Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
 MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
 bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
-AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
-QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
-smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
-Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
-vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
-kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
-Y0Y2hqCja6SsIjVc
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL
+aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo
+830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5
+lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2
+NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR
+pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu
+Mc/lk4Nl8pHRO+Xm
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 8295f97c1..11607c8cb 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q
-t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/
-rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW
-B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi
-aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi
-81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot
-teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI
-B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT
-p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd
-yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq
-+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea
-zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv
-AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/
-dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn
-UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2
-1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9
-yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu
-fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc
-3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC
-reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb
-zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV
-3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu
-uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR
-OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn
-gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA==
+MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0
+unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd
+GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb
+kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg
+z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY
+pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ
+ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB
+u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9
+ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt
+pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV
+VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/
+ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/
+intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku
+4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I
+HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd
+iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE
+caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX
+b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0
+8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04
+J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7
+3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09
+NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh
+VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU
+KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof
+50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
index 9ccd47a2c..a93121da1 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
@@ -1,28 +1,28 @@
 -----BEGIN CERTIFICATE-----
-MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0
-MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5
+MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
 Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu
-Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE
-CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k
-XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H
-k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC
-VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno
-Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr
-6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
-DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5
+oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf
+pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw
+ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1
+Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd
+0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd
+bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
 Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
 IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3
 YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz
 d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
 dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww
 RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR
-AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA
-mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j
-C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd
-4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ
-TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ
-Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E
-dXN+1axy9zQ34g==
+AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu
+7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p
+nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg
+oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx
+k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD
+yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug
+NnBR3lf2HB2lWA==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
index 6e047af69..55f5f8037 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArUeG+hWH98zXhEQJNevi2j1kR4ZKocuXl2755hmXV8Luotho
-K2Vof54t8OwKBil75ewMscjGlMr1HqReAs/UmtrHPeu2/mokqRXdoNONDZ35wVzQ
-SCJmafndUSYj8iVwlL9VnMeE28QmTseTRimhrOkY+03MUZp6FXmZdQB5U/HhEfx+
-NxKI9u49LdYLtyq1i9XCT3t2PTlV8QJWcb73T54UrO29rAHM0bAZDvFlXuRKI8c3
-IYBXSqsq+FdnRU+eb84SIYICUijy6ehhv/hQwz9rm6wJoD0eBt/z6qqavNq9JSQU
-RrTL+n1s4Edqp80/TTbGS1uoEIKh1GvpCCaLKwIDAQABAoIBAHKb86/nm9YPu6B1
-K65phdMZdgFE1oorUenMcid6V7qpaRN2lXfWjAaUxggq5vpqZ9OMjFzu0kHJ99S7
-nJ65fgKqn8vZ42BlLjhUCRH9urb9/Rqi2/RKJHkF1hd9ZZscnlkUMHkRElQVac0D
-feqTUKdASdC2BWUYCpW3pwNXO+iD5bA9/wB2J/RYYmm6Qo7UZQU8C0lken/8EOEL
-/ch0ID7C5PC0vWvLT0fM9j2JKDq8T6NRhF1MluISGDOp4pW7tEbkHo5I6zD0aPO2
-K9leN3aSUYsOVJk39VXkThwgJ4lqNEXI2xRbtW8sAf7TL1YDxLR2JN3UGvy/By5B
-UblJUnECgYEA2nO+iXScKd3qqmHrdXcxf2ExZQr8QgTAsZOkb6LQ9kGQll0lBcFc
-T2HlobzOaQktpF44C41zf2QpGDllbpyNT8VyQkI+CJ4pntjtKPkoPkxUeVlciFsm
-7THqCGe0zQBWDnXFVfTKR12aRwkhjG+QCQyyaAaV8YztEsDI5SRCjykCgYEAyxAb
-t/NTh9DBDrfJCkT21Rm9Ow70vhDaAyQLq3nJMF+BTXYDrnVMmFHCIHd+nbNP0CLs
-cV/fWAF6626ko5B6ewPFQ4wXRvtNAiDNZSfeaZgvxCrvoDgVrHWhfwHSXWFqny0o
-WHwIJJQvdkLW9BHwbpAQRoD1c2sy7pWIVTEyljMCgYEA0zZXwkUp/FzhWG2moANn
-qzZI8N4nOpmnycnrkjiE+6Q27PsQIblrzCDmSnPnyqyiIasrWxgf1Mr95LsR9FmP
-U9Ke/6tWmTR7H2e0HgqRO3LHtjCNhBVF1M6O7iN/Lzqk+gQqkUpGDaxVz1rnwgXX
-6LgLAwNjFJJiYeBeHRbq98kCgYAwBdg4UbBgf0sY+vftmM+zKAorjGbvCDc25PBp
-ljyxVvTSZ+WI/a6mmzdIzFnCW+S1OX0ndt/wBTGXuivvjryYmRSu29OpcscMiMtq
-b9pWqKorP2g6QOlHRu5xhfHFKcO4b0qKWpLma7Epy7bgM9njm+htdBQYPrLl37FF
-TIRFJwKBgGnZR5rm5iCrcIoAUMlH4/5ye5BPjHDn1NNv7Q7PZR9jhaEuoiBgvk6v
-h+YVi9A9nhbaqS4/rumsNPlObeIw78713pendaWCjC4hA0urrJ4fElfuaIyZMyKE
-FD64V78iaYVlmwKMJxZUnS1EFzb0XQZM7wxhB/i0wwjh+48rBHbd
+MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS
+dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV
+eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835
+dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid
+gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah
+tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn
+d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB
+J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3
+6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD
+cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0
+SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB
+BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG
+KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2
+iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg
+zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0
+7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE
+ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4
+Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0
+lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU
+7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7
+yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT
+1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX
+uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ
+dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+
+QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A==
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index bdba3fb05..e9ab41c7f 100755
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
 # updown script setting inbound marks on ESP traffic in the mangle chain
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
@@ -22,8 +22,6 @@
 # that, and use the (left/right)updown parameters in ipsec.conf to make
 # strongSwan use yours instead of this default one.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -41,15 +39,20 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
 #
 #       PLUTO_ME
 #              is the IP address of our host.
@@ -63,15 +66,6 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
 #       PLUTO_MY_SOURCEIP4_$i
 #       PLUTO_MY_SOURCEIP6_$i
@@ -85,7 +79,8 @@
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -93,31 +88,19 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
 #
 #       PLUTO_XAUTH_ID
 #              is an optional user ID employed by the XAUTH protocol
@@ -186,7 +169,6 @@ fi
 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
 
-# the big choice
 case "$PLUTO_VERB:$1" in
 up-client:)
 	# connection to my client subnet coming up
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt b/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt
new file mode 100644
index 000000000..dfec6a3b6
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt
@@ -0,0 +1,8 @@
+This scenario tests <b>make-before-break reauthentication</b> using overlapping
+IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option for
+clients using an assigned virtual IP. The initiator <b>carol</b> reauthenticates
+the IKE_SA with host <b>moon</b> using <b>ikelifetime=10s</b>, but does not
+close the old IKE_SA before the replacement CHILD_SA using the same virtual IP
+is in place. A constant ping from <b>carol</b> to client <b>alice</b>
+hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
+whole procedure.
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat
new file mode 100644
index 000000000..509457418
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..6447b1cca
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	keylife=20m
+	ikelifetime=10s
+	rekeymargin=5s
+	rekeyfuzz=0%
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftsourceip=%config
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f89437e43
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+
+  make_before_break = yes
+}
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..121ea7eab
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=30m
+	keylife=20m
+	rekeymargin=0s
+	keyingtries=1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	rightsourceip=10.3.0.0/24
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f585edfca
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
new file mode 100644
index 000000000..baacc1605
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-mbb/description.txt b/testing/tests/ikev2/reauth-mbb/description.txt
new file mode 100644
index 000000000..ab92d7df8
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/description.txt
@@ -0,0 +1,7 @@
+This scenario tests <b>make-before-break reauthentication</b> using overlapping
+IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option. The
+initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b> using
+<b>ikelifetime=10s</b>, but does not close the old IKE_SA before the replacement
+CHILD_SA is in place. A constant ping from <b>carol</b> to client <b>alice</b>
+hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
+whole procedure.
diff --git a/testing/tests/ikev2/reauth-mbb/evaltest.dat b/testing/tests/ikev2/reauth-mbb/evaltest.dat
new file mode 100644
index 000000000..509457418
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..f46405a47
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	keylife=20m
+	ikelifetime=10s
+	rekeymargin=5s
+	rekeyfuzz=0%
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f89437e43
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+
+  make_before_break = yes
+}
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..2f4557447
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=30m
+	keylife=20m
+	rekeymargin=0s
+	keyingtries=1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f585edfca
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/reauth-mbb/posttest.dat b/testing/tests/ikev2/reauth-mbb/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-mbb/pretest.dat b/testing/tests/ikev2/reauth-mbb/pretest.dat
new file mode 100644
index 000000000..baacc1605
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb/test.conf b/testing/tests/ikev2/reauth-mbb/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
index d59eef513..20f1f132c 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
index 0ea4e21ab..77e306bf9 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
index 6a20b8e8c..e09765fb6 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
@@ -1,7 +1,7 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
index 1460ec8f9..10ce861b1 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
 moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
@@ -8,7 +8,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswa
 moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
 moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
 dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
index aa6d4291b..47a4977a2 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
 moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
@@ -8,7 +8,7 @@ carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongsw
 moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
 moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
 dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
index 42d2c319e..5853deb26 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
@@ -1,6 +1,6 @@
 carol::cat /var/log/daemon.log::configured EAP-Identity carol::YES
 carol::cat /var/log/daemon.log::added EAP secret for carol moon.strongswan.org::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES
 moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
index 8f813395a..109407b96 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
 moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
index 881971e80..87c37f3a3 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
index a8019b3e7..49045c9ef 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
index 84f41fd93..88ab87d29 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
index 010f48315..892fdd6ef 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
 moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
index 95c29b7f5..d3d97dc38 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
@@ -1,9 +1,9 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
index f1a68bc19..0dfc89e07 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index 21cfe429a..a514f48b7 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
index ab27b4510..f33e7bc36 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
index 7584e14dc..75349b031 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
index a471a2cfa..f250c0cb3 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
@@ -1,9 +1,9 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
index 421335ffb..b8b45e3b0 100755
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
 # updown script setting inbound marks on ESP traffic in the mangle chain
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
@@ -22,8 +22,6 @@
 # that, and use the (left/right)updown parameters in ipsec.conf to make
 # strongSwan use yours instead of this default one.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -41,15 +39,20 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
 #
 #       PLUTO_ME
 #              is the IP address of our host.
@@ -63,15 +66,6 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
 #       PLUTO_MY_SOURCEIP4_$i
 #       PLUTO_MY_SOURCEIP6_$i
@@ -85,7 +79,8 @@
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -93,31 +88,19 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
 #
 #       PLUTO_XAUTH_ID
 #              is an optional user ID employed by the XAUTH protocol
@@ -143,7 +126,7 @@
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
 export PATH
 
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
 VPN_LOGGING=1
 #
 # tag put in front of each log entry:
@@ -157,21 +140,11 @@ FAC_PRIO=local0.notice
 #
 # local0.notice                   -/var/log/vpn
 
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
 # check interface version
 case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+1.[0|1])	# Older release?!?  Play it safe, script may be using new features.
 	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
+	echo "$0: 	called by obsolete release?" >&2
 	exit 2
 	;;
 1.*)	;;
@@ -193,119 +166,45 @@ custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 esac
 
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 
-	parms1="$PLUTO_PEER_CLIENT"
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1)	# ICMP
+	ICMP_TYPE_OPTION="--icmp-type"
+	;;
+58)	# ICMPv6
+	ICMP_TYPE_OPTION="--icmpv6-type"
+	;;
+*)
+	;;
+esac
 
-	if [ -n "$PLUTO_NEXT_HOP" ]
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	if [ -n "$ICMP_TYPE_OPTION" ]
 	then
-	    parms2="via $PLUTO_NEXT_HOP"
+		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
 	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
-
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
+		S_MY_PORT="--sport $PLUTO_MY_PORT"
+		D_MY_PORT="--dport $PLUTO_MY_PORT"
 	fi
-	if test " $oops" != " " -o " $st" != " 0"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	if [ -n "$ICMP_TYPE_OPTION" ]
 	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
+		# the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+	else
+		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
 	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 fi
 
 # is there an inbound mark to be set?
@@ -320,75 +219,11 @@ then
 	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
 fi
 
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
 # resolve octal escape sequences
 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
 
-# the big choice
 case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
@@ -403,6 +238,14 @@ up-host:)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -430,6 +273,13 @@ down-host:)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -472,6 +322,15 @@ up-client:)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -518,6 +377,13 @@ down-client:)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
diff --git a/testing/tests/ikev2/rw-ntru-bliss/description.txt b/testing/tests/ikev2/rw-ntru-bliss/description.txt
new file mode 100644
index 000000000..b81fdb7cf
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/description.txt
@@ -0,0 +1,15 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
+192 bit for <b>carol</b> and <b>dave</b>, respectively. Authentication is based on the BLISS
+algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
+<b>carol</b>, <b>dave</b> and <b>moon</b>, respectively.
+<p>
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
+IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+increasing order. 
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
new file mode 100644
index 000000000..5a88b6641
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES
+dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA256 successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA384 successful::YES
+moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..f13e47a71
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-ntru128!
+	esp=aes128-sha256!
+	authby=pubkey
+	fragmentation=yes
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.der
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der
new file mode 100644
index 000000000..491e245dd
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der
new file mode 100644
index 000000000..b2831a8ed
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..c2225646d
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS carolKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ab824c993
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
+  fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..5f605a43d
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes192-sha384-ntru192!
+	esp=aes192-sha384!
+	authby=pubkey
+	fragmentation=yes
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.der
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der
new file mode 100644
index 000000000..83a213710
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der
new file mode 100644
index 000000000..0ec528ddf
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..fe2643204
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS daveKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ab824c993
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
+  fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..2a9b33aae
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-ntru128,aes192-sha384-ntru192!
+	esp=aes128-sha256,aes192-sha384!
+	authby=pubkey
+	fragmentation=yes
+
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.der
+	leftauth=bliss-sha512
+	leftid=moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+	rightsourceip=10.3.0.0/28
+	auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der
new file mode 100644
index 000000000..1ab7d21f7
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der
new file mode 100644
index 000000000..c989f91e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..b4a9ee68d
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS moonKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ab824c993
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
+  fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/rw-ntru-bliss/posttest.dat b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat
new file mode 100644
index 000000000..9ba8c5f55
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat
@@ -0,0 +1,9 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
+carol::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
+dave::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
new file mode 100644
index 000000000..24249435e
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-ntru-bliss/test.conf b/testing/tests/ikev2/rw-ntru-bliss/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
index ab398a3bb..55b295781 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
@@ -2,8 +2,8 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pr
 moon:: cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES
 moon:: ipsec status 2> /dev/null::rw-psk.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[PH_IP_MOON]::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
 moon:: ipsec status 2> /dev/null::rw-rsasig.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
index 1648c9557..1206ea4b7 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
@@ -1,6 +1,6 @@
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
index ccbc769e2..b192f788f 100644
--- a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
 moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
index 438e1c14c..6ebb7c356 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-sig-auth/description.txt b/testing/tests/ikev2/rw-sig-auth/description.txt
new file mode 100644
index 000000000..569d7e054
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway
+<b>moon</b>. They authenticate themselves using <b>RSA signatures</b> but
+they use different hash algorithms. <b>moon</b> uses signature scheme constraints
+to only allow access to the <b>research</b> and <b>accounting</b> subnets if
+specific algorithms are used. <b>Note:</b> Because the client certificate's are signed
+with SHA-256 we have to accept that algorithm too because signature schemes in
+<b>rightauth</b> are also used as constraints for the whole certificate chain.
+Therefore, <b>carol</b> obtains access to the <b>research</b> subnet behind gateway
+<b>moon</b> whereas <b>dave</b> has access to the <b>accounting</b> subnet, but not
+vice-versa.
diff --git a/testing/tests/ikev2/rw-sig-auth/evaltest.dat b/testing/tests/ikev2/rw-sig-auth/evaltest.dat
new file mode 100644
index 000000000..261475f56
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PKCS1_SHA384 successful::YES
+moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
+carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PKCS1_SHA512 successful::YES
+moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
+dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES
+dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO
+dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..b1aa2d99a
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn alice
+	rightsubnet=10.1.0.10/32
+	also=home
+	auto=add
+
+conn venus
+	rightsubnet=10.1.0.20/32
+	also=home
+	auto=add
+
+conn home
+	left=%any
+	leftcert=carolCert.pem
+	leftauth=pubkey-sha384
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..044d73ac3
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..eef3e2622
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn alice
+	rightsubnet=10.1.0.10/32
+	also=home
+	auto=add
+
+conn venus
+	rightsubnet=10.1.0.20/32
+	also=home
+	auto=add
+
+conn home
+	left=%any
+	leftcert=daveCert.pem
+	leftauth=pubkey-sha512
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..044d73ac3
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..9f9051eeb
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn research
+	rightauth=pubkey-sha384-sha256
+	leftsubnet=10.1.0.0/28
+	also=rw
+	auto=add
+
+conn accounting
+	rightauth=pubkey-sha512-sha256
+	leftsubnet=10.1.0.16/28
+	also=rw
+	auto=add
+
+conn rw
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	right=%any
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..044d73ac3
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/posttest.dat b/testing/tests/ikev2/rw-sig-auth/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-sig-auth/pretest.dat b/testing/tests/ikev2/rw-sig-auth/pretest.dat
new file mode 100644
index 000000000..bec31cc68
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up alice
+dave::ipsec up venus
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-sig-auth/test.conf b/testing/tests/ikev2/rw-sig-auth/test.conf
new file mode 100644
index 000000000..b9e97e43b
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=""
+
diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat
index 9418d6ee1..3522c3d79 100644
--- a/testing/tests/ikev2/rw-whitelist/evaltest.dat
+++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat
@@ -1,6 +1,6 @@
 moon:: cat /var/log/daemon.log::whitelist functionality was already enabled::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
 moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 7f5f8d703..124e2ae46 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,28 +1,28 @@
 -----BEGIN CERTIFICATE-----
-MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
-MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5
+MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
 Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
-RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
-aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
-BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
-lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
-wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
-vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
-HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6
+GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu
+uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA
+PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2
+jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd
+D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK
+KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
 owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
 eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
 d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
 Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
 MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
 bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
-AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
-QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
-smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
-Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
-vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
-kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
-Y0Y2hqCja6SsIjVc
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL
+aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo
+830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5
+lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2
+NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR
+pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu
+Mc/lk4Nl8pHRO+Xm
 -----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 8295f97c1..11607c8cb 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q
-t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/
-rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW
-B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi
-aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi
-81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot
-teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI
-B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT
-p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd
-yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq
-+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea
-zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv
-AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/
-dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn
-UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2
-1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9
-yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu
-fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc
-3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC
-reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb
-zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV
-3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu
-uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR
-OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn
-gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA==
+MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0
+unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd
+GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb
+kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg
+z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY
+pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ
+ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB
+u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9
+ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt
+pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV
+VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/
+ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/
+intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku
+4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I
+HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd
+iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE
+caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX
+b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0
+8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04
+J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7
+3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09
+NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh
+VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU
+KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof
+50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem
index 9ccd47a2c..a93121da1 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem
@@ -1,28 +1,28 @@
 -----BEGIN CERTIFICATE-----
-MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0
-MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5
+MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
 Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu
-Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE
-CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k
-XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H
-k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC
-VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno
-Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr
-6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
-DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5
+oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf
+pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw
+ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1
+Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd
+0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd
+bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
 Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
 IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3
 YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz
 d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
 dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww
 RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR
-AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA
-mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j
-C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd
-4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ
-TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ
-Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E
-dXN+1axy9zQ34g==
+AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu
+7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p
+nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg
+oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx
+k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD
+yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug
+NnBR3lf2HB2lWA==
 -----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem
index 6e047af69..55f5f8037 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArUeG+hWH98zXhEQJNevi2j1kR4ZKocuXl2755hmXV8Luotho
-K2Vof54t8OwKBil75ewMscjGlMr1HqReAs/UmtrHPeu2/mokqRXdoNONDZ35wVzQ
-SCJmafndUSYj8iVwlL9VnMeE28QmTseTRimhrOkY+03MUZp6FXmZdQB5U/HhEfx+
-NxKI9u49LdYLtyq1i9XCT3t2PTlV8QJWcb73T54UrO29rAHM0bAZDvFlXuRKI8c3
-IYBXSqsq+FdnRU+eb84SIYICUijy6ehhv/hQwz9rm6wJoD0eBt/z6qqavNq9JSQU
-RrTL+n1s4Edqp80/TTbGS1uoEIKh1GvpCCaLKwIDAQABAoIBAHKb86/nm9YPu6B1
-K65phdMZdgFE1oorUenMcid6V7qpaRN2lXfWjAaUxggq5vpqZ9OMjFzu0kHJ99S7
-nJ65fgKqn8vZ42BlLjhUCRH9urb9/Rqi2/RKJHkF1hd9ZZscnlkUMHkRElQVac0D
-feqTUKdASdC2BWUYCpW3pwNXO+iD5bA9/wB2J/RYYmm6Qo7UZQU8C0lken/8EOEL
-/ch0ID7C5PC0vWvLT0fM9j2JKDq8T6NRhF1MluISGDOp4pW7tEbkHo5I6zD0aPO2
-K9leN3aSUYsOVJk39VXkThwgJ4lqNEXI2xRbtW8sAf7TL1YDxLR2JN3UGvy/By5B
-UblJUnECgYEA2nO+iXScKd3qqmHrdXcxf2ExZQr8QgTAsZOkb6LQ9kGQll0lBcFc
-T2HlobzOaQktpF44C41zf2QpGDllbpyNT8VyQkI+CJ4pntjtKPkoPkxUeVlciFsm
-7THqCGe0zQBWDnXFVfTKR12aRwkhjG+QCQyyaAaV8YztEsDI5SRCjykCgYEAyxAb
-t/NTh9DBDrfJCkT21Rm9Ow70vhDaAyQLq3nJMF+BTXYDrnVMmFHCIHd+nbNP0CLs
-cV/fWAF6626ko5B6ewPFQ4wXRvtNAiDNZSfeaZgvxCrvoDgVrHWhfwHSXWFqny0o
-WHwIJJQvdkLW9BHwbpAQRoD1c2sy7pWIVTEyljMCgYEA0zZXwkUp/FzhWG2moANn
-qzZI8N4nOpmnycnrkjiE+6Q27PsQIblrzCDmSnPnyqyiIasrWxgf1Mr95LsR9FmP
-U9Ke/6tWmTR7H2e0HgqRO3LHtjCNhBVF1M6O7iN/Lzqk+gQqkUpGDaxVz1rnwgXX
-6LgLAwNjFJJiYeBeHRbq98kCgYAwBdg4UbBgf0sY+vftmM+zKAorjGbvCDc25PBp
-ljyxVvTSZ+WI/a6mmzdIzFnCW+S1OX0ndt/wBTGXuivvjryYmRSu29OpcscMiMtq
-b9pWqKorP2g6QOlHRu5xhfHFKcO4b0qKWpLma7Epy7bgM9njm+htdBQYPrLl37FF
-TIRFJwKBgGnZR5rm5iCrcIoAUMlH4/5ye5BPjHDn1NNv7Q7PZR9jhaEuoiBgvk6v
-h+YVi9A9nhbaqS4/rumsNPlObeIw78713pendaWCjC4hA0urrJ4fElfuaIyZMyKE
-FD64V78iaYVlmwKMJxZUnS1EFzb0XQZM7wxhB/i0wwjh+48rBHbd
+MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS
+dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV
+eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835
+dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid
+gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah
+tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn
+d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB
+J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3
+6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD
+cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0
+SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB
+BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG
+KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2
+iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg
+zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0
+7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE
+ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4
+Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0
+lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU
+7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7
+yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT
+1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX
+uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ
+dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+
+QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A==
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 3243bc294..bf8a4919d 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,27 +1,27 @@
 -----BEGIN CERTIFICATE-----
-MIIEojCCA4qgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEojCCA4qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzYxMloXDTE0
-MTIyMjEzMzYxMlowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTEzMFoXDTE5
+MTIyMTA4NTEzMFowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
 Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3
-YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArD8OrNy0w+T2
-cru3RQgskGCGppwpvLH/QZVHD/UbumxjKVTrz4FskqN39sFxDFDSre1bps+F7jW/
-zmOFe7c7jmZhK1mPnbviYTS4LXdo1j02pPeBNBk4b6VAIKPaYmO3UIoZZ4SPnnVZ
-P7Aj3mU1ztsTbUQqgRmTsdfqiPaBNZ0zylWYPDOkTS+1sbRQHkgdZvw4fYno+Rd+
-hDK1scggL4kRg4uGvFojYciSxo5lC53Am4r8T2zI0aI6L8g57j4cX1XYQwM3tkHM
-2BiCRM/c1wQc+vn+xp1oh/GYM4qoSoZyLTD9A0gqmbnF9//wvSmwpDpSkDoHZ5O3
-Ur6HZ8mByQIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
-VR0OBBYEFL9rU6QFDLvUOEIFNZROVYWN5v++MIGMBgNVHSMEgYQwgYGAFCF/p+s3
+YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSlxt8LQf1wJ
+u1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1XELjKv3kcYp2McydNPq63fw9XXbu
+a/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++e0xxcZS4NQ6wz57bHgARzMoCisNr
+xcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5LieSMGIBQjKGCd2a3eZYhTCs6hI0vhQ
+Q1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXPuMY1CwZkGcANd6vBK5YBNiZFquBj
+FhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN8Xim/AewWRcKJJKdlLAAHmZD0jx2
+g/E0LGu01wIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFNs9CUs7SNJewkkfo1Bg7bcUEzPXMIGMBgNVHSMEgYQwgYGAFCF/p+s3
 0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
 dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
 U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
 b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz
 d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw
 MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA
-ABAwDQYJKoZIhvcNAQELBQADggEBAHhgG8qqLZX3uXDVX9uBZM8jErI78pyL9F8q
-ibTW5UPp+rbbMDY7tphBbFkg5Q0pzJhOzB6I6Oy/QWVVEC20DE7lhOpMu7auS3Gn
-z1t6DCIDR9NYXtKs6UXcMA0PSQ1r7iHQWvtZ0uD998k6UQfZCCOwBbonng2DAp/m
-FKkaCYiZmJw2YBwf+oVNLQp2fHI61uoguiiRQ4AV5Htho0z6MDqpMyrg2F7Uf2cq
-kQY/ZyvMe8VG5KuiaMJPIMdJPnRED2R4qiyHe8eDXgGYHsNhkt7VHRRgo3izqIdG
-1oCv+CHQ2XSK+4dA42U0Vw7V/ExmcLy99bZfCEZwNWG6Y/5Qwww=
+ABAwDQYJKoZIhvcNAQELBQADggEBAEYqXkheXXHiC5JnrZm5QUo11Vu4CtNRGeg0
+atuG8ZNHgQfa7wjjeCDNpj3lHvyegYsSMo7wGwN7DugH0mmXKZF9XHc4sU7/aUvl
+mX52tDuUoCGD0/yFuKLlYOfwmsquC9snYDW7cJXaqMON/OMLcU44OR8E1oiw2ePT
+FqyGFbfparp+Q8I7VHwJBs+mDphdNUlFbpuO9m2eEtqdYVyXlfUnbFpMMyWxxIY/
+6CIyWcRRKeWRRXxkk/dSeEWgsfWY7ITK9blP5nhIsgpCoEguGc6h4RL65VdH+Sy0
+9MLpesyGe6qkdrrg4nyaY82uuFXhUo0YiP0ddUw8eNaefFqEzL0=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 275162721..a75622149 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArD8OrNy0w+T2cru3RQgskGCGppwpvLH/QZVHD/UbumxjKVTr
-z4FskqN39sFxDFDSre1bps+F7jW/zmOFe7c7jmZhK1mPnbviYTS4LXdo1j02pPeB
-NBk4b6VAIKPaYmO3UIoZZ4SPnnVZP7Aj3mU1ztsTbUQqgRmTsdfqiPaBNZ0zylWY
-PDOkTS+1sbRQHkgdZvw4fYno+Rd+hDK1scggL4kRg4uGvFojYciSxo5lC53Am4r8
-T2zI0aI6L8g57j4cX1XYQwM3tkHM2BiCRM/c1wQc+vn+xp1oh/GYM4qoSoZyLTD9
-A0gqmbnF9//wvSmwpDpSkDoHZ5O3Ur6HZ8mByQIDAQABAoIBAQCSb+WlFtpjtPPF
-JUwxVzqz4Cx510gwkU+GzUemDGdvfZhsWjNEri7FGE70LQ9UPh5vGd2SmtmtZGrW
-J4wjWus6LFYuCa1sl4BlzfFLTjqF8XLUm0twJITzfhVf6o3OmiIOSepBNNT5DaE7
-4R8NgxRU8bG5cnuEWF9VklBl8tR04/VHIfTHltt1p69aQ6UoECBLd+/8RBIj+L/P
-TzXbgLJn7dT8DrOA9rv1p0G1reADwvclKfag4S/xyC54anRsmMNWQLE0D+QzKL29
-nXqU1wjIHBtgY7uM0svtyrMXiNi0XEBWqDdOMwCZ66TU6eGIzDDevG+q8PXmuW6v
-NGxoipcRAoGBANJy4uNj2SnMTdIyoe0wFjmjntKb7DX2Ie0aZr3kygQ7VJUH6w7Z
-mZXNhRf8CpaD20lnyqRjhgq1gwOrLZWpAajNPJ6uCHUVSI8+qwdMVdPSZyxRlal9
-gshsGofkiqEGa/5BW4+yDgi1C4BV+lmN8jn4ilKe4JvFGuz+F31ntDXlAoGBANGH
-WKCq4u9MCxM2R2ESKkLM+vlTxRB4meMt6iPn9e0yJ1BVXTILRp7hfUwKc4ivI/SO
-rc4UA3I5i6QR7TVPOVreqw/CDEmjQLhTSOWY3lHbNz1q53p8Yh6JdytaA4YYgm+I
-pFL+Hh/UpPEAY1ZzsSP7KhBd7ViKblz7/Act614VAoGAXTkFJqNpZGmbI3zIXBBM
-GBZR2Yu2dCTm3GgwkPfTQVKi4i2Sw45Cyagzx+8fJZOdRQQUMQPhMcc8FRjz5XLr
-SEI6EzSWjH70GHgzPNVkw6NVjr1JJb5ye6PfkMj9W91DY2rCS4IdU2AXiy8K6jbF
-0UY2x+iXKImEpuzbrPKOUr0CgYB1lHdGyj7JPKomYNpTfecbT34zdi/rG1J4Kybu
-eVgHgJKRQSYoVC2QMUen6WGGPYp2za55K7/3VJWpP6oWtVuhQ71I/YL5u9Qw3APX
-XB6+Xr80Bw7ZLH2/VzL5r+y0ToK75jkYnaP4BtN8rtQQCqJIZ8TmJF9xxVVDduCq
-grlHNQKBgF06eOplOy8W7euuhvEfoxv05ZVjcFv3bFzlYPb0fBfq4Ziw97SzidH9
-Wbq3gujut9gJCKZT6BJfZtqrPeVhWp+S2SD3bDCsjNZLRBEdzdyRB5CpmDE5OQBH
-EtzpR4nQa/2RJ7wRP/306PE1sQPtTpNvGIgBIUxWvt5gzyVhO1sG
+MIIEpAIBAAKCAQEAsSlxt8LQf1wJu1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1
+XELjKv3kcYp2McydNPq63fw9XXbua/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++
+e0xxcZS4NQ6wz57bHgARzMoCisNrxcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5Lie
+SMGIBQjKGCd2a3eZYhTCs6hI0vhQQ1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXP
+uMY1CwZkGcANd6vBK5YBNiZFquBjFhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN
+8Xim/AewWRcKJJKdlLAAHmZD0jx2g/E0LGu01wIDAQABAoIBAQCKdl7HhX5ZHAEL
+KjwVq56wgekMhKtOOgdXheuJBJRFTE7LbaI50pkjn72ss8/+yfHQV2o3Vw5K/0oG
+nzS4EhnH4Ozb7L2t2c9J8XK5C36BNoLaBMUmLq+3WsnBxhKQopKU1u8ShIwKEgQo
+U8NnKYYxx2NHYECBW1dI9IZF+muYbVg420PJ4DiFMSTy5+o+UsI8X0ymV2RYZAfg
+qO8WgQYHZca2ffJ4rJHi8wf4IzaH//65vP+Ij7FGzfXmBd3A9F1wP7skBYZRYPp6
+MtZ5cxfNUwkGtkmt1KaEnsmg4F1/jaB0h5+xT4pj6NqaatvoKZ5zd8zpcGktuptO
+zhTa63hpAoGBAOkxtwWaJAHj1GH1CzIkCP4siySSgphtcjP96XdcIaTuGx8gp/YU
+0Bj3irK3KpVNrcLgc8KzylfMiAETMlRnEb28wSfqkegCR4Lrrsw3YjEAcVPC9Vtb
+/wQHc9wUGCt0OUv7EE7alB/cKnjTQzF6ZgTGTUhGv4CuL6XjhEzqiA0bAoGBAMJ8
+5V/wjaDkRDHRtaDI7xX2j4uPE7FoQYCSVtKOil3rmIrmgBCXTtWB8EQ9o3Ux6sOl
+lmA3sSF1ajyPu8e2+QhQF9wAF5mvN80aPj0KXKCv6Qx/H6Tjpg3eqVr6rucOyH58
+gKnuo1YISFcjcMkNEOZy6//7SkmAAN/p0Dgk6h71AoGAVKSC9jmY0EbOFDBJvA1w
+ZjHs331+ga1YQp7rWzPJ0n/KwGWuEZhEYIuZgH0Tq9XiOFYYLpfr3iqTQzCgmBpB
+Skl1IvP1uez53/+EFwQTVA4BFJIzVNHzopbB6yQwEbXCBl4+8SBNm7Lih7DHNvJi
+jWEdNBrZ7+9JxEDtCK4oa/kCgYBbaHwd9V97aQ2sJJYq9YV5WyLoQtzMmuV+Wkk4
+OQpLTjmpvuAd7B9/Nc0JJbc3k7h1L9RXcJVt1lOSFzP4j8TH5WzxV5HAB5xAZ78s
+zTvvwf3Ug8MJqn0XM7mBKyUdL9OHr1iBhcl62/W0DtIpjFyPEyBcdWza0rCWjLvy
+R1dKKQKBgQCKTLKYv0c1h2e5i4mNCGWhR83x+k1ChZZLwoEC9f65tjrbOG0UEHAn
+oz9N0m6jCQvnzvN8cHgFl8yoWmnOjEnsSDFQlIRvAXGzHd4ahMB+75WbLi31H2bv
+XvZyakeTVfoOVArNUwLSHozr0VIUjnRirLht939dlFj4FLih/igWFA==
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index dffbc67e9..88ce01ed5 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,27 +1,27 @@
 -----BEGIN CERTIFICATE-----
-MIIEoDCCA4igAwIBAgIBBDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEoDCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzczNloXDTE0
-MTIyMjEzMzczNlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTQ1N1oXDTE5
+MTIyMTA4NTQ1N1owWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
 Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPLwvUPUNIZnbX
-eyz8U0COp5RM7ZLFT2iJmSGxznZ30phUNHSy3WX9V8h2kQ2fBks2x0KYWEg8Lh2y
-ggZipePRpuHRnZlcll5/HY/YOUgdV2GE6euNiWKcDB6uE51sxZ+on5KasI9EJMdp
-hJpytYUFjx6pExsoqWMQLigrT6A4bYogkweOZHiUyHiqgtUQcHnmmKwxgeUAkZCb
-00dk7CYnXNQZ1uHj/08TDwrS37SGXfWEIcBGEx/awqlF+s2HTI6zw7NC2HhQsiSp
-Yo1nz8TBr/8XnO9KyYUg04TMkcQqBFDt/qiUswLRLapn9HSyd43BxaF+YuvJ1+ip
-M4G05K1nAgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
-HQ4EFgQUJ/+79KP+Ea9vdAIMkUYx++cu6R0wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpJKRQ2CEG39rO
+8nX7RpY+Ed5tyx+rkug3HrSInie+fgkDnLES2U1X3wvM2OczLp6L1ccROv+SzEW+
+OKfCZSz7T4GLwaRodi9KtHvfOCsbDx/vkFFwui2yt9rVUSpcbk1OiVQsA9R0G6vz
+eqFIL9GtrtHWQ+dkvWy61i2A+T1X2QfhVfzvj5msL3CuZU6fnwGYD4LZz8RUGlB4
+WkSFWCctfQfgK+lpfuzq6OFFkARzxZ55D0MzgAvXY6osS8gMdiSD50Zlik7qZVvn
+RO0j6TOg0WKinzguAokAyDCsaoqsOvi27QalfH48PUM+aUzHNCKnD6pswebHou3m
+mvG3rH+9AgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUsBjPeVTm7TUTaXtmfv09yQS2mV8wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
 owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
 eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
 d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u
 Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh
 bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw
 FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg
-MA0GCSqGSIb3DQEBCwUAA4IBAQBlOlqceKqgr0putV9fUf2vekg5QtZGDtHFUOTH
-0gDIe2DJ60bWY5IXpjj2KtzRdoP448fpPaprrh8VEljWoVvAF8LaePKGggqwcG+D
-Z7ioDYlnV1j+/NnbZGM/hPqa841dh5jesTuTAF2giMod6P6eMiiRcnl9X3ltgSWp
-Ahk5C8CNYw+sISJcCHtFQHdKOM4QN7wAWksvpjMWkSDQgf/rnDUgW8DXAwX/9K4V
-G2etJ6/8drpjB115p6h+GYz8xFG28/MSf9BqNX03dBs5oyko2+FgSrb3ACK+pAO4
-Cpi2NKZfUH+M7Loo4baI+f5iavpDjDfar8KTiV610DAp0W2S
+MA0GCSqGSIb3DQEBCwUAA4IBAQCNyAyUvqeCgWnPEMkfFFb1kBbd3me3aLRxXFb4
+TY44L6SBiFNy1s3UyFCLw1xXnSMgTpvZqHmB7fnzX7Aj6BNkPFIThEiHYN85ai4t
+U9bO2nqwXfIINFt2Qlokd0QWHzDsL/o9Mmqs38ymlfIbsgwh7gCZ2HhGlOb7+QNU
+IaDVIcKqBr07wX7qO/fEjKgFSkUT5eFNwQmyT3zUaE1PixK5w1hRxvs/KAsLgbfe
+5ofLD88rfxvkqLwhRNU8PUzqIpqxfV1P+wS/k78z0tG+JI8yeEkcksuj9UOzlTr2
+jWL1QoxUEinR3N4dTqsW4u/Jz7R4MHdO+l9RoYZpQA8LV8s3
 -----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem
index e79cbdd9f..f72970c4d 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAzy8L1D1DSGZ213ss/FNAjqeUTO2SxU9oiZkhsc52d9KYVDR0
-st1l/VfIdpENnwZLNsdCmFhIPC4dsoIGYqXj0abh0Z2ZXJZefx2P2DlIHVdhhOnr
-jYlinAwerhOdbMWfqJ+SmrCPRCTHaYSacrWFBY8eqRMbKKljEC4oK0+gOG2KIJMH
-jmR4lMh4qoLVEHB55pisMYHlAJGQm9NHZOwmJ1zUGdbh4/9PEw8K0t+0hl31hCHA
-RhMf2sKpRfrNh0yOs8OzQth4ULIkqWKNZ8/Ewa//F5zvSsmFINOEzJHEKgRQ7f6o
-lLMC0S2qZ/R0sneNwcWhfmLrydfoqTOBtOStZwIDAQABAoIBAQCW49qnnl6MMiPH
-V6wxsKhJvP6i8Dt+fBDUdbQ2fPmG1teeK/357ojC89XJlGbpNHo+0OxNa65gNe3m
-/g+MdOjw3auFMFRrPBBiX7NNdJpy1Brv5DVrhW1N3P3TJfH3MA7RjjYFdyVAKdEZ
-pjud41mX7N4VoRacjJDbTeJveLRlowB2gPcxhNZlF6gPP1ZaHwR/b1+0qOTcsxj3
-hqC7zdmMM8UGQ38S3ba7dldlCVAvJgylRX+LPTx5x32wMntaSmBy0cdRqfHtznij
-MZQnJiUuAvlQyjCbt0j7jycBZrMfgS+hESHaUG7wdJUraL40hlX2L4RfIyMtriwB
-9Xe5fVABAoGBAP3Bphf6k/QxbCrVyyw3Q13MMug63bj3mqhjwOJUoEu+3O4+5Qcw
-bIKEOxDFy82lwVHEnYU2tyxVcLBoXP0kMVkrWQIuDSPrneSQxIO1npBZTvBIvWSr
-Yh3kJa15zlF4JxljwXfjLskInRlL45gBiG8FbSuDtXTxPJBtlrIHE0lnAoGBANED
-/Ct5cocPPTYDGq7FxkGEOFoZM1OTsnL68NmcOhp69uWOAgNCIZEifYBz/SSx1ISJ
-QjDdie3BQ0zp2CZe5Fujtz0oT4VPsrJUcND6fZnG79aA2P2S4tXOdVbElB4fOWuT
-Sd1WOmgOFAn+B907PsP2BEh2BPO2/eqy3hN38PwBAoGAZzAJ9JJG+/PlAn4xwmcu
-k8Pnp5vYcdDuKS93ThIPpP2WJaOZypSca26N/kIQoC2ZMUD8tSEM15Be5L1rotzG
-3HXOGh7T5Rl4+WsNHmoKcrR+byOFMJyop3MRBzwS8/oiHCb+k1vkuIcyKwk7IaLt
-8geI3zsN3OIEOM73iqlp5F0CgYBbSWFGX4l8oVQ7lcl+kZRQIv41o5H+K6ChhSXR
-9OCPlirlAUuxvp1IdQbZJk9mSmCl7gjBrNBDzcel/O/RelpEB9HM3SE1+SPzrNuE
-+hIHKpKvXaDnxtJZTQ2EcuC58ysx56c4CyQBNDzeTFuE7Q4xqe4e86SgCMkHS02g
-tR7EAQKBgQCRoTsOFcCK2jXBhfcuwcrnrTJmf6LFxW08Mfl9qxKUjz20bx6jgv7f
-TrRUHavmVrrGkAc6eTtoa+2cC5ffSBWHeCD48omb+DZGPF54UbEYyRUb5umKbfI3
-M3WiHTTpeTOx2MmPwiAHhPuaWMV9jWkRG01+wIX4HybGYeEAVHE9lg==
+MIIEpAIBAAKCAQEA6SSkUNghBt/azvJ1+0aWPhHebcsfq5LoNx60iJ4nvn4JA5yx
+EtlNV98LzNjnMy6ei9XHETr/ksxFvjinwmUs+0+Bi8GkaHYvSrR73zgrGw8f75BR
+cLotsrfa1VEqXG5NTolULAPUdBur83qhSC/Rra7R1kPnZL1sutYtgPk9V9kH4VX8
+74+ZrC9wrmVOn58BmA+C2c/EVBpQeFpEhVgnLX0H4CvpaX7s6ujhRZAEc8WeeQ9D
+M4AL12OqLEvIDHYkg+dGZYpO6mVb50TtI+kzoNFiop84LgKJAMgwrGqKrDr4tu0G
+pXx+PD1DPmlMxzQipw+qbMHmx6Lt5prxt6x/vQIDAQABAoIBAB6pVf7X3cgUqqcq
+1f9c8idpnDIeU6Tx5h5RqHaLLjjsRG04L0WGVJio2dlv8UAW8nz7eXm3o6L/wHBa
+7R0wxzCp7SSfK+sdF+0gPWZG8cxWOeH8vekwYxAtA9eoHAUZ8IrSnsJHIqq+dOfJ
+iep/d3j7E9e1CHqEOwd7YXKj1MB3p0Ivhyx0k9GvlbAKRiJPGhbxD+hu86lRMsEt
+su6eG5JlvKyBAgNIcx29UITj5k8MbK2MeuCIZfry0yOaOsGkQkjAtyaiTIw8g2IQ
+AhuuCLqVYtkpMiIfryV74b+CtQMQoU0z2Z74SZ4hJWFlbeG4Vtzq1HeDf4y1S3mm
+B1Mx7CECgYEA9IKw6Fh7SBmJa5jPw7Uttvm2iDslsOR3nrPNOfMWwSK3i0j4OCIE
+kCqKnJJfj2JeBupfHrIJzJ2+otGauxQt3I65VOo0PwQBb90xIHAiXdsYoXadB6MC
+XUo0zKrDWC0EVyVwN+nyaCJVwsKm4XomHgSvitUSNA0dSTATfPXwQJkCgYEA9Bk1
+VN2KG6Bjcm2ISls+OOKgp2kG68ayG4ZXg+xt06+qsYq0+BwCrottQpXFpMVJbE/z
+/6U294PBqJ9Z7LATptMzWhTKyO0pGBHvy8LUz/3qBF7yJFN2s+QbmKf4RIhfSDNU
+CD2bPI17Kgj3sipEcbiwz9U6wpzp+IDnAfPdWsUCgYBl/5ri4f5TnmuIGhAZuRvf
+552wiNP5TeVkq+bh1LlaSiw9C2yYpgA3T7fRBvKcMtG8msqhWG3kEK305/FfN1TG
+XDeN58FxxC8BRkl3GbAMbRiCSqPJCsQyvID4HAgvYWAdJn4ApTQ9Io2aGG9bQgRi
+o1vDU40rb4kW/dozV7koiQKBgQDoQgwiweElREkbmejyhzr/OXQPlrmFIjxaQEuJ
+NS+TGjTaVda3tT9AAV5m2seCbk3ch37tIrDYdj+QSH9x3F/2fkMAVYRWBoLxai+2
+u51ugnVmz0irE9eAd21ipYBvBStUMbKlXKkWxrAIYRv+JIWXh1qFhqgwgMmHMG+d
+xgI62QKBgQC2WYhZvLGrJ5g9G8E9pqOAz0FlxBqbPXJDe9n4Il8huF/+i678covC
+dtbo1il8qcs0Lmm8M6vj78Meh+k4L0y7YAjUsaLpQ9rwNaZMHP+GyZWE5ygmtNhE
+DP13WKX5SEbDZbClEgX+gHRmywC5m6hDSx21iekhbTfnUm2FQTA83w==
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 7f5f8d703..124e2ae46 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,28 +1,28 @@
 -----BEGIN CERTIFICATE-----
-MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
-MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5
+MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
 Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
-RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
-aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
-BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
-lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
-wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
-vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
-HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6
+GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu
+uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA
+PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2
+jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd
+D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK
+KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
 owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
 eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
 d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
 Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
 MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
 bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
-AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
-QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
-smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
-Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
-vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
-kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
-Y0Y2hqCja6SsIjVc
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL
+aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo
+830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5
+lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2
+NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR
+pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu
+Mc/lk4Nl8pHRO+Xm
 -----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 8295f97c1..11607c8cb 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q
-t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/
-rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW
-B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi
-aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi
-81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot
-teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI
-B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT
-p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd
-yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq
-+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea
-zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv
-AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/
-dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn
-UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2
-1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9
-yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu
-fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc
-3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC
-reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb
-zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV
-3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu
-uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR
-OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn
-gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA==
+MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0
+unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd
+GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb
+kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg
+z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY
+pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ
+ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB
+u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9
+ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt
+pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV
+VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/
+ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/
+intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku
+4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I
+HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd
+iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE
+caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX
+b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0
+8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04
+J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7
+3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09
+NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh
+VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU
+KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof
+50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown
index aea6d8555..7c510261d 100755
--- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown
+++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
 # that, and use the (left/right)updown parameters in ipsec.conf to make
 # strongSwan use yours instead of this default one.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -41,15 +39,17 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
 #
 #       PLUTO_UNIQUEID
 #              is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
 #       PLUTO_MY_SOURCEIP4_$i
 #       PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -96,31 +88,19 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
 #
 #       PLUTO_XAUTH_ID
 #              is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
 export PATH
 
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
 VPN_LOGGING=1
 #
 # tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
 #
 # local0.notice                   -/var/log/vpn
 
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
 # check interface version
 case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+1.[0|1])	# Older release?!?  Play it safe, script may be using new features.
 	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
+	echo "$0: 	called by obsolete release?" >&2
 	exit 2
 	;;
 1.*)	;;
@@ -196,190 +166,52 @@ custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 esac
 
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1)	# ICMP
+	ICMP_TYPE_OPTION="--icmp-type"
+	;;
+58)	# ICMPv6
+	ICMP_TYPE_OPTION="--icmpv6-type"
+	;;
+*)
+	;;
+esac
 
 # are there port numbers?
 if [ "$PLUTO_MY_PORT" != 0 ]
 then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+	else
+		S_MY_PORT="--sport $PLUTO_MY_PORT"
+		D_MY_PORT="--dport $PLUTO_MY_PORT"
+	fi
 fi
 if [ "$PLUTO_PEER_PORT" != 0 ]
 then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		# the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+	else
+		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	fi
 fi
 
 # resolve octal escape sequences
 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
 
-# the big choice
 case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -445,6 +285,13 @@ down-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -484,6 +331,15 @@ up-client:iptables)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -527,6 +383,13 @@ down-client:iptables)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -543,16 +406,6 @@ down-client:iptables)
 #
 # IPv6
 #
-prepare-host-v6:*|prepare-client-v6:*)
-	;;
-route-host-v6:*|route-client-v6:*)
-	# connection to me or my client subnet being routed
-	#uproute_v6
-	;;
-unroute-host-v6:*|unroute-client-v6:*)
-	# connection to me or my client subnet being unrouted
-	#downroute_v6
-	;;
 up-host-v6:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown
index aea6d8555..7c510261d 100755
--- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown
+++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
 # that, and use the (left/right)updown parameters in ipsec.conf to make
 # strongSwan use yours instead of this default one.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -41,15 +39,17 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
 #
 #       PLUTO_UNIQUEID
 #              is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
 #       PLUTO_MY_SOURCEIP4_$i
 #       PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -96,31 +88,19 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
 #
 #       PLUTO_XAUTH_ID
 #              is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
 export PATH
 
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
 VPN_LOGGING=1
 #
 # tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
 #
 # local0.notice                   -/var/log/vpn
 
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
 # check interface version
 case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+1.[0|1])	# Older release?!?  Play it safe, script may be using new features.
 	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
+	echo "$0: 	called by obsolete release?" >&2
 	exit 2
 	;;
 1.*)	;;
@@ -196,190 +166,52 @@ custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 esac
 
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1)	# ICMP
+	ICMP_TYPE_OPTION="--icmp-type"
+	;;
+58)	# ICMPv6
+	ICMP_TYPE_OPTION="--icmpv6-type"
+	;;
+*)
+	;;
+esac
 
 # are there port numbers?
 if [ "$PLUTO_MY_PORT" != 0 ]
 then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+	else
+		S_MY_PORT="--sport $PLUTO_MY_PORT"
+		D_MY_PORT="--dport $PLUTO_MY_PORT"
+	fi
 fi
 if [ "$PLUTO_PEER_PORT" != 0 ]
 then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		# the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+	else
+		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	fi
 fi
 
 # resolve octal escape sequences
 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
 
-# the big choice
 case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -445,6 +285,13 @@ down-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -484,6 +331,15 @@ up-client:iptables)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -527,6 +383,13 @@ down-client:iptables)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -543,16 +406,6 @@ down-client:iptables)
 #
 # IPv6
 #
-prepare-host-v6:*|prepare-client-v6:*)
-	;;
-route-host-v6:*|route-client-v6:*)
-	# connection to me or my client subnet being routed
-	#uproute_v6
-	;;
-unroute-host-v6:*|unroute-client-v6:*)
-	# connection to me or my client subnet being unrouted
-	#downroute_v6
-	;;
 up-host-v6:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown
index 1a68ada0e..1b362e65c 100755
--- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown
+++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
 # that, and use the (left/right)updown parameters in ipsec.conf to make
 # strongSwan use yours instead of this default one.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -41,15 +39,17 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
 #
 #       PLUTO_UNIQUEID
 #              is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
 #       PLUTO_MY_SOURCEIP4_$i
 #       PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -96,31 +88,19 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
 #
 #       PLUTO_XAUTH_ID
 #              is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
 export PATH
 
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
 VPN_LOGGING=1
 #
 # tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
 #
 # local0.notice                   -/var/log/vpn
 
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
 # check interface version
 case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+1.[0|1])	# Older release?!?  Play it safe, script may be using new features.
 	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
+	echo "$0: 	called by obsolete release?" >&2
 	exit 2
 	;;
 1.*)	;;
@@ -196,190 +166,52 @@ custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 esac
 
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1)	# ICMP
+	ICMP_TYPE_OPTION="--icmp-type"
+	;;
+58)	# ICMPv6
+	ICMP_TYPE_OPTION="--icmpv6-type"
+	;;
+*)
+	;;
+esac
 
 # are there port numbers?
 if [ "$PLUTO_MY_PORT" != 0 ]
 then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+	else
+		S_MY_PORT="--sport $PLUTO_MY_PORT"
+		D_MY_PORT="--dport $PLUTO_MY_PORT"
+	fi
 fi
 if [ "$PLUTO_PEER_PORT" != 0 ]
 then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		# the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+	else
+		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	fi
 fi
 
 # resolve octal escape sequences
 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
 
-# the big choice
 case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -445,6 +285,13 @@ down-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -484,6 +331,15 @@ up-client:iptables)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -527,6 +383,13 @@ down-client:iptables)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -543,16 +406,6 @@ down-client:iptables)
 #
 # IPv6
 #
-prepare-host-v6:*|prepare-client-v6:*)
-	;;
-route-host-v6:*|route-client-v6:*)
-	# connection to me or my client subnet being routed
-	#uproute_v6
-	;;
-unroute-host-v6:*|unroute-client-v6:*)
-	# connection to me or my client subnet being unrouted
-	#downroute_v6
-	;;
 up-host-v6:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown
index 1a68ada0e..1b362e65c 100755
--- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown
+++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
 # that, and use the (left/right)updown parameters in ipsec.conf to make
 # strongSwan use yours instead of this default one.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -41,15 +39,17 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
 #
 #       PLUTO_UNIQUEID
 #              is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
 #       PLUTO_MY_SOURCEIP4_$i
 #       PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -96,31 +88,19 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
 #
 #       PLUTO_XAUTH_ID
 #              is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
 export PATH
 
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
 VPN_LOGGING=1
 #
 # tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
 #
 # local0.notice                   -/var/log/vpn
 
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
 # check interface version
 case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+1.[0|1])	# Older release?!?  Play it safe, script may be using new features.
 	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
+	echo "$0: 	called by obsolete release?" >&2
 	exit 2
 	;;
 1.*)	;;
@@ -196,190 +166,52 @@ custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 esac
 
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1)	# ICMP
+	ICMP_TYPE_OPTION="--icmp-type"
+	;;
+58)	# ICMPv6
+	ICMP_TYPE_OPTION="--icmpv6-type"
+	;;
+*)
+	;;
+esac
 
 # are there port numbers?
 if [ "$PLUTO_MY_PORT" != 0 ]
 then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+	else
+		S_MY_PORT="--sport $PLUTO_MY_PORT"
+		D_MY_PORT="--dport $PLUTO_MY_PORT"
+	fi
 fi
 if [ "$PLUTO_PEER_PORT" != 0 ]
 then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		# the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+	else
+		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	fi
 fi
 
 # resolve octal escape sequences
 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
 
-# the big choice
 case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -445,6 +285,13 @@ down-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -484,6 +331,15 @@ up-client:iptables)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -527,6 +383,13 @@ down-client:iptables)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -543,16 +406,6 @@ down-client:iptables)
 #
 # IPv6
 #
-prepare-host-v6:*|prepare-client-v6:*)
-	;;
-route-host-v6:*|route-client-v6:*)
-	# connection to me or my client subnet being routed
-	#uproute_v6
-	;;
-unroute-host-v6:*|unroute-client-v6:*)
-	# connection to me or my client subnet being unrouted
-	#downroute_v6
-	;;
 up-host-v6:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
index 1a68ada0e..1b362e65c 100755
--- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
 # that, and use the (left/right)updown parameters in ipsec.conf to make
 # strongSwan use yours instead of this default one.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -41,15 +39,17 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
 #
 #       PLUTO_UNIQUEID
 #              is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
 #       PLUTO_MY_SOURCEIP4_$i
 #       PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -96,31 +88,19 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
 #
 #       PLUTO_XAUTH_ID
 #              is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
 export PATH
 
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
 VPN_LOGGING=1
 #
 # tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
 #
 # local0.notice                   -/var/log/vpn
 
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
 # check interface version
 case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+1.[0|1])	# Older release?!?  Play it safe, script may be using new features.
 	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
+	echo "$0: 	called by obsolete release?" >&2
 	exit 2
 	;;
 1.*)	;;
@@ -196,190 +166,52 @@ custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 esac
 
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1)	# ICMP
+	ICMP_TYPE_OPTION="--icmp-type"
+	;;
+58)	# ICMPv6
+	ICMP_TYPE_OPTION="--icmpv6-type"
+	;;
+*)
+	;;
+esac
 
 # are there port numbers?
 if [ "$PLUTO_MY_PORT" != 0 ]
 then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+	else
+		S_MY_PORT="--sport $PLUTO_MY_PORT"
+		D_MY_PORT="--dport $PLUTO_MY_PORT"
+	fi
 fi
 if [ "$PLUTO_PEER_PORT" != 0 ]
 then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		# the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+	else
+		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	fi
 fi
 
 # resolve octal escape sequences
 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
 
-# the big choice
 case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -445,6 +285,13 @@ down-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -484,6 +331,15 @@ up-client:iptables)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -527,6 +383,13 @@ down-client:iptables)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -543,16 +406,6 @@ down-client:iptables)
 #
 # IPv6
 #
-prepare-host-v6:*|prepare-client-v6:*)
-	;;
-route-host-v6:*|route-client-v6:*)
-	# connection to me or my client subnet being routed
-	#uproute_v6
-	;;
-unroute-host-v6:*|unroute-client-v6:*)
-	# connection to me or my client subnet being unrouted
-	#downroute_v6
-	;;
 up-host-v6:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
index 1a68ada0e..1b362e65c 100755
--- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
 # that, and use the (left/right)updown parameters in ipsec.conf to make
 # strongSwan use yours instead of this default one.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -41,15 +39,17 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
 #
 #       PLUTO_UNIQUEID
 #              is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
 #       PLUTO_MY_SOURCEIP4_$i
 #       PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -96,31 +88,19 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
 #
 #       PLUTO_XAUTH_ID
 #              is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
 export PATH
 
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
 VPN_LOGGING=1
 #
 # tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
 #
 # local0.notice                   -/var/log/vpn
 
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
 # check interface version
 case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+1.[0|1])	# Older release?!?  Play it safe, script may be using new features.
 	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
+	echo "$0: 	called by obsolete release?" >&2
 	exit 2
 	;;
 1.*)	;;
@@ -196,190 +166,52 @@ custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 esac
 
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1)	# ICMP
+	ICMP_TYPE_OPTION="--icmp-type"
+	;;
+58)	# ICMPv6
+	ICMP_TYPE_OPTION="--icmpv6-type"
+	;;
+*)
+	;;
+esac
 
 # are there port numbers?
 if [ "$PLUTO_MY_PORT" != 0 ]
 then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+	else
+		S_MY_PORT="--sport $PLUTO_MY_PORT"
+		D_MY_PORT="--dport $PLUTO_MY_PORT"
+	fi
 fi
 if [ "$PLUTO_PEER_PORT" != 0 ]
 then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		# the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+	else
+		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	fi
 fi
 
 # resolve octal escape sequences
 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
 
-# the big choice
 case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -445,6 +285,13 @@ down-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -484,6 +331,15 @@ up-client:iptables)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -527,6 +383,13 @@ down-client:iptables)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -543,16 +406,6 @@ down-client:iptables)
 #
 # IPv6
 #
-prepare-host-v6:*|prepare-client-v6:*)
-	;;
-route-host-v6:*|route-client-v6:*)
-	# connection to me or my client subnet being routed
-	#uproute_v6
-	;;
-unroute-host-v6:*|unroute-client-v6:*)
-	# connection to me or my client subnet being unrouted
-	#downroute_v6
-	;;
 up-host-v6:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat
index d59ea3c34..3a9493ba3 100644
--- a/testing/tests/libipsec/rw-suite-b/evaltest.dat
+++ b/testing/tests/libipsec/rw-suite-b/evaltest.dat
@@ -1,8 +1,8 @@
 carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES 
+dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
 moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
index 15c239466..7d0c583b3 100755
--- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
 # that, and use the (left/right)updown parameters in ipsec.conf to make
 # strongSwan use yours instead of this default one.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -41,15 +39,17 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
 #
 #       PLUTO_UNIQUEID
 #              is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
 #       PLUTO_MY_SOURCEIP4_$i
 #       PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -96,31 +88,19 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
 #
 #       PLUTO_XAUTH_ID
 #              is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
 export PATH
 
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
 VPN_LOGGING=1
 #
 # tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
 #
 # local0.notice                   -/var/log/vpn
 
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
 # check interface version
 case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+1.[0|1])	# Older release?!?  Play it safe, script may be using new features.
 	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
+	echo "$0: 	called by obsolete release?" >&2
 	exit 2
 	;;
 1.*)	;;
@@ -196,190 +166,52 @@ custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 esac
 
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
-
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1)	# ICMP
+	ICMP_TYPE_OPTION="--icmp-type"
+	;;
+58)	# ICMPv6
+	ICMP_TYPE_OPTION="--icmpv6-type"
+	;;
+*)
+	;;
+esac
 
 # are there port numbers?
 if [ "$PLUTO_MY_PORT" != 0 ]
 then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+	else
+		S_MY_PORT="--sport $PLUTO_MY_PORT"
+		D_MY_PORT="--dport $PLUTO_MY_PORT"
+	fi
 fi
 if [ "$PLUTO_PEER_PORT" != 0 ]
 then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		# the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+	else
+		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	fi
 fi
 
 # resolve octal escape sequences
 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
 
-# the big choice
 case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
@@ -395,7 +227,7 @@ down-host:)
 	# connection to me going down
 	# If you are doing a custom version, firewall commands go here.
 	PLUTO_INTERFACE=ipsec0
- 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
 	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
@@ -406,8 +238,8 @@ up-client:)
 	# connection to my client subnet coming up
 	# If you are doing a custom version, firewall commands go here.
 	PLUTO_INTERFACE=ipsec0
-        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-        then
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
 	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 		-s $PLUTO_MY_CLIENT $S_MY_PORT \
 		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
@@ -444,7 +276,7 @@ down-client:)
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
 	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
 	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 		-s $PLUTO_MY_CLIENT $S_MY_PORT \
@@ -462,6 +294,14 @@ up-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -486,6 +326,13 @@ down-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -525,6 +372,15 @@ up-client:iptables)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -568,6 +424,13 @@ down-client:iptables)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -584,16 +447,6 @@ down-client:iptables)
 #
 # IPv6
 #
-prepare-host-v6:*|prepare-client-v6:*)
-	;;
-route-host-v6:*|route-client-v6:*)
-	# connection to me or my client subnet being routed
-	#uproute_v6
-	;;
-unroute-host-v6:*|unroute-client-v6:*)
-	# connection to me or my client subnet being unrouted
-	#downroute_v6
-	;;
 up-host-v6:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
index 15c239466..7d0c583b3 100755
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
 # that, and use the (left/right)updown parameters in ipsec.conf to make
 # strongSwan use yours instead of this default one.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -41,15 +39,17 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
 #
 #       PLUTO_UNIQUEID
 #              is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
 #       PLUTO_MY_SOURCEIP4_$i
 #       PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -96,31 +88,19 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
 #
 #       PLUTO_XAUTH_ID
 #              is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
 export PATH
 
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
 VPN_LOGGING=1
 #
 # tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
 #
 # local0.notice                   -/var/log/vpn
 
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
 # check interface version
 case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+1.[0|1])	# Older release?!?  Play it safe, script may be using new features.
 	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
+	echo "$0: 	called by obsolete release?" >&2
 	exit 2
 	;;
 1.*)	;;
@@ -196,190 +166,52 @@ custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 esac
 
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
-
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1)	# ICMP
+	ICMP_TYPE_OPTION="--icmp-type"
+	;;
+58)	# ICMPv6
+	ICMP_TYPE_OPTION="--icmpv6-type"
+	;;
+*)
+	;;
+esac
 
 # are there port numbers?
 if [ "$PLUTO_MY_PORT" != 0 ]
 then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+	else
+		S_MY_PORT="--sport $PLUTO_MY_PORT"
+		D_MY_PORT="--dport $PLUTO_MY_PORT"
+	fi
 fi
 if [ "$PLUTO_PEER_PORT" != 0 ]
 then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		# the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+	else
+		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	fi
 fi
 
 # resolve octal escape sequences
 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
 
-# the big choice
 case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
@@ -395,7 +227,7 @@ down-host:)
 	# connection to me going down
 	# If you are doing a custom version, firewall commands go here.
 	PLUTO_INTERFACE=ipsec0
- 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
 	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
@@ -406,8 +238,8 @@ up-client:)
 	# connection to my client subnet coming up
 	# If you are doing a custom version, firewall commands go here.
 	PLUTO_INTERFACE=ipsec0
-        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-        then
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
 	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 		-s $PLUTO_MY_CLIENT $S_MY_PORT \
 		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
@@ -444,7 +276,7 @@ down-client:)
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
 	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
 	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 		-s $PLUTO_MY_CLIENT $S_MY_PORT \
@@ -462,6 +294,14 @@ up-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -486,6 +326,13 @@ down-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -525,6 +372,15 @@ up-client:iptables)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -568,6 +424,13 @@ down-client:iptables)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -584,16 +447,6 @@ down-client:iptables)
 #
 # IPv6
 #
-prepare-host-v6:*|prepare-client-v6:*)
-	;;
-route-host-v6:*|route-client-v6:*)
-	# connection to me or my client subnet being routed
-	#uproute_v6
-	;;
-unroute-host-v6:*|unroute-client-v6:*)
-	# connection to me or my client subnet being unrouted
-	#downroute_v6
-	;;
 up-host-v6:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
index 15c239466..7d0c583b3 100755
--- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
 # that, and use the (left/right)updown parameters in ipsec.conf to make
 # strongSwan use yours instead of this default one.
 
-# things that this script gets (from ipsec_pluto(8) man page)
-#
 #      PLUTO_VERSION
 #              indicates  what  version of this interface is being
 #              used.  This document describes version  1.1.   This
@@ -41,15 +39,17 @@
 #              is the name of the  connection  for  which  we  are
 #              routing.
 #
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
 #       PLUTO_INTERFACE
 #              is the name of the ipsec interface to be used.
 #
 #       PLUTO_REQID
-#              is the requid of the ESP policy
+#              is the requid of the AH|ESP policy
+#
+#       PLUTO_PROTO
+#              is the negotiated IPsec protocol, ah|esp
+#
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
 #
 #       PLUTO_UNIQUEID
 #              is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
 #              host's own IP address / max (where max  is  32  for
 #              IPv4 and 128 for IPv6).
 #
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
 #       PLUTO_MY_SOURCEIP
 #       PLUTO_MY_SOURCEIP4_$i
 #       PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
 #
 #       PLUTO_MY_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
+#              restricted on our side.  For ICMP/ICMPv6 this contains the
+#              message type, and PLUTO_PEER_PORT the message code.
 #
 #       PLUTO_PEER
 #              is the IP address of our peer.
@@ -96,31 +88,19 @@
 #       PLUTO_PEER_ID
 #              is the ID of our peer.
 #
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
 #       PLUTO_PEER_CLIENT
 #              is the IP address / count of the peer's client sub-
 #              net.   If the client is just the peer, this will be
 #              the peer's own IP address / max (where  max  is  32
 #              for IPv4 and 128 for IPv6).
 #
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
 #       PLUTO_PEER_PROTOCOL
 #              is the IP protocol that will be transported.
 #
 #       PLUTO_PEER_PORT
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
+#              restricted on the peer side.  For ICMP/ICMPv6 this contains the
+#              message code, and PLUTO_MY_PORT the message type.
 #
 #       PLUTO_XAUTH_ID
 #              is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
 export PATH
 
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
 VPN_LOGGING=1
 #
 # tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
 #
 # local0.notice                   -/var/log/vpn
 
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
 # check interface version
 case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+1.[0|1])	# Older release?!?  Play it safe, script may be using new features.
 	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
+	echo "$0: 	called by obsolete release?" >&2
 	exit 2
 	;;
 1.*)	;;
@@ -196,190 +166,52 @@ custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 esac
 
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
-
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1)	# ICMP
+	ICMP_TYPE_OPTION="--icmp-type"
+	;;
+58)	# ICMPv6
+	ICMP_TYPE_OPTION="--icmpv6-type"
+	;;
+*)
+	;;
+esac
 
 # are there port numbers?
 if [ "$PLUTO_MY_PORT" != 0 ]
 then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+	else
+		S_MY_PORT="--sport $PLUTO_MY_PORT"
+		D_MY_PORT="--dport $PLUTO_MY_PORT"
+	fi
 fi
 if [ "$PLUTO_PEER_PORT" != 0 ]
 then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	if [ -n "$ICMP_TYPE_OPTION" ]
+	then
+		# the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+	else
+		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+	fi
 fi
 
 # resolve octal escape sequences
 PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
 PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
 
-# the big choice
 case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
@@ -395,7 +227,7 @@ down-host:)
 	# connection to me going down
 	# If you are doing a custom version, firewall commands go here.
 	PLUTO_INTERFACE=ipsec0
- 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
 	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
@@ -406,8 +238,8 @@ up-client:)
 	# connection to my client subnet coming up
 	# If you are doing a custom version, firewall commands go here.
 	PLUTO_INTERFACE=ipsec0
-        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-        then
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
 	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 		-s $PLUTO_MY_CLIENT $S_MY_PORT \
 		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
@@ -444,7 +276,7 @@ down-client:)
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
 	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
 	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 		-s $PLUTO_MY_CLIENT $S_MY_PORT \
@@ -462,6 +294,14 @@ up-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -486,6 +326,13 @@ down-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -525,6 +372,15 @@ up-client:iptables)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -568,6 +424,13 @@ down-client:iptables)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -584,16 +447,6 @@ down-client:iptables)
 #
 # IPv6
 #
-prepare-host-v6:*|prepare-client-v6:*)
-	;;
-route-host-v6:*|route-client-v6:*)
-	# connection to me or my client subnet being routed
-	#uproute_v6
-	;;
-unroute-host-v6:*|unroute-client-v6:*)
-	# connection to me or my client subnet being unrouted
-	#downroute_v6
-	;;
 up-host-v6:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..4d99866f7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm
+MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ
+qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1
+ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR
+fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN
+2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9
+K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7
+mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc
+ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f
+XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy
+Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx
+J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj
+zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0
+8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT
+61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo
+PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug
+bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b
+eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1
+ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am
+DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt
+v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0
+fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw
+y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC
+h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2
+cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
new file mode 100644
index 000000000..d8fad9aad
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB
+eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+
+mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV
+sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK
+3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ
+mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl
+QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw
+HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH
+eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54
+/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/
+RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc
+Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY
+Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/
+Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h
+BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv
+NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF
+wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc
+JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78
+5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf
+mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi
+N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr
+r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX
+jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy
+gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV
+zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
index 0110bb996..55ac10935 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
@@ -6,9 +6,9 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
 moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
 dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 4a5e52dbd..d94b17950 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -2,4 +2,5 @@
 
 charon {
   load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  signature_authentication = no
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
index 8a4215dcc..2d7324a9a 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
@@ -2,10 +2,10 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
index 7169a091d..a0831f746 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
@@ -1,7 +1,7 @@
 dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
 carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
 moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
index 57cbee1d4..200ec3cfb 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
@@ -1,7 +1,7 @@
 dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
 carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
 moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-384 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
index e1d33feb7..73173f06b 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
index 1648c9557..1206ea4b7 100644
--- a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
@@ -1,6 +1,6 @@
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/description.txt b/testing/tests/swanctl/net2net-cert-ipv6/description.txt
deleted file mode 100755
index 5952ecc2d..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up.
-It connects the two subnets hiding behind their respective gateways. The authentication is based on
-X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
-automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
-In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b>
-sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command.
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat b/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat
deleted file mode 100755
index cdbecd553..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index bd131af39..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
-}
-
-charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
-
-  fragment_size = 1400
-}
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100755
index 16e145cd7..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-connections {
-
-   gw-gw {
-      local_addrs  = fec0::1
-      remote_addrs = fec0::2 
-
-      local {
-         auth = pubkey
-         certs = moonCert.pem
-         id = moon.strongswan.org
-      }
-      remote {
-         auth = pubkey
-         id = sun.strongswan.org 
-      }
-      children {
-         net-net {
-            local_ts  = fec1::0/16 
-            remote_ts = fec2::0/16 
-
-            start_action = none
-            updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
-         }
-      }
-
-      version = 2
-      mobike = no
-      fragmentation = yes
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
-   }
-}
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf
deleted file mode 100755
index bd131af39..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
-}
-
-charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
-
-  fragment_size = 1400
-}
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf
deleted file mode 100755
index 90aa137f0..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-connections {
-
-   gw-gw {
-      local_addrs  = fec0::2
-      remote_addrs = fec0::1 
-
-      local {
-         auth = pubkey
-         certs = sunCert.pem
-         id = sun.strongswan.org
-      }
-      remote {
-         auth = pubkey
-         id = moon.strongswan.org 
-      }
-      children {
-         net-net {
-            local_ts  = fec2::0/16 
-            remote_ts = fec1::0/16 
-
-            start_action = none
-            updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
-         }
-      }
-
-      version = 2
-      mobike = no
-      fragmentation = yes
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
-   }
-}
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat b/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat
deleted file mode 100755
index a40a7dd2f..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::service charon stop 2> /dev/null
-sun::service charon stop 2> /dev/null
-alice::"ip route del fec2:\:/16 via fec1:\:1"
-moon::"ip route del fec2:\:/16 via fec0:\:2"
-sun::"ip route del fec1:\:/16 via fec0:\:1"
-bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::ip6tables-restore < /etc/ip6tables.flush
-sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat b/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat
deleted file mode 100755
index 36e8e1999..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-moon::iptables-restore < /etc/iptables.drop
-sun::iptables-restore < /etc/iptables.drop
-moon::ip6tables-restore < /etc/ip6tables.rules
-sun::ip6tables-restore < /etc/ip6tables.rules
-alice::"ip route add fec2:\:/16 via fec1:\:1"
-moon::"ip route add fec2:\:/16 via fec0:\:2"
-sun::"ip route add fec1:\:/16 via fec0:\:1"
-bob::"ip route add fec1:\:/16 via fec2:\:1"
-moon::service charon start 2> /dev/null
-sun::service charon start 2> /dev/null
-moon::sleep 1
-moon::swanctl --load-conns 2> /dev/null
-sun::swanctl --load-conns 2> /dev/null
-moon::swanctl --load-creds 2> /dev/null
-sun::swanctl --load-creds 2> /dev/null
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/tkm/host2host-initiator/evaltest.dat b/testing/tests/tkm/host2host-initiator/evaltest.dat
index d8d44dff6..de50ab32b 100644
--- a/testing/tests/tkm/host2host-initiator/evaltest.dat
+++ b/testing/tests/tkm/host2host-initiator/evaltest.dat
@@ -10,3 +10,7 @@ moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
 moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
 moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
 moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+moon::DAEMON_NAME=charon-tkm ipsec down conn1 && sleep 1::no output expected::NO
+moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
+moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
+moon::cat /tmp/tkm.log::Deleting SA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
diff --git a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
index 7c8c6b24a..f5143f19a 100644
--- a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
+++ b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
@@ -5,6 +5,7 @@ sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES
 moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
 moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
 moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
diff --git a/testing/tests/tkm/multiple-clients/evaltest.dat b/testing/tests/tkm/multiple-clients/evaltest.dat
index 8e0042102..1f0c88b53 100644
--- a/testing/tests/tkm/multiple-clients/evaltest.dat
+++ b/testing/tests/tkm/multiple-clients/evaltest.dat
@@ -15,8 +15,7 @@ dave::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
 sun::cat /tmp/tkm.log::RSA private key '/etc/tkm/sunKey.der' loaded::YES
 sun::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.2 <-> 192.168.0.100 \]::YES
 sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES
-sun::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
-sun::cat /tmp/tkm.log::Checked CA certificate of CC context 2::YES
+sun::cat /tmp/tkm.log | grep "Checked CA certificate of CC context 1" | wc -l::2::YES
 sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
 sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES
 sun::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
index a38dba0ee..98eff247f 100644
--- a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
+++ b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
@@ -5,6 +5,7 @@ sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES
 moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
 moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES
 moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
diff --git a/testing/tests/tkm/xfrmproxy-expire/description.txt b/testing/tests/tkm/xfrmproxy-expire/description.txt
new file mode 100644
index 000000000..9578cd8f3
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/description.txt
@@ -0,0 +1,6 @@
+A transport connection between the hosts <b>moon</b> and <b>sun</b> is set up.
+The host <b>moon</b> starts the Trusted Key Manager (TKM) and the Ada XFRM
+proxy, which relays XFRM kernel messages to charon. The authentication is based
+on X.509 certificates. The connection is initiated by a ping from <b>moon</b>
+to <b>sun</b>. The test asserts that XFRM expire messages from the kernel are
+handled correctly.
diff --git a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat
new file mode 100644
index 000000000..96b486a07
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat
@@ -0,0 +1,22 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES
+moon::cat /var/log/daemon.log::ees: expire received for reqid 1, spi.*, dst 192.168.0.2::YES
+moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES
+moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
+moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
+moon::cat /tmp/tkm.log | grep 'Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 2, hard 60 \]' | wc -l::2::YES
+moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
+moon::cat /tmp/tkm.log::Deleting SA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
+moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
+moon::cat /tmp/xfrm_proxy.log::Initiating ESA expire (reqid 1, proto 50, SPI.*, hard FALSE)::YES
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cc9d6e072
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+  dh_mapping {
+    15 = 1
+    16 = 2
+  }
+}
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..d3748930a
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..23e958ab0
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+        </remote>
+        <lifetime>
+            <soft>2</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..e52a04f42
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	type=transport
+	auto=add
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..f585edfca
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/xfrmproxy-expire/posttest.dat b/testing/tests/tkm/xfrmproxy-expire/posttest.dat
new file mode 100644
index 000000000..99efe7b00
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/posttest.dat
@@ -0,0 +1,5 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall xfrm_proxy
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/xfrmproxy-expire/pretest.dat b/testing/tests/tkm/xfrmproxy-expire/pretest.dat
new file mode 100644
index 000000000..d645ddbfe
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/pretest.dat
@@ -0,0 +1,12 @@
+sun::ipsec start
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+moon::expect-file /tmp/tkm.rpc.ees
+moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::expect-connection host-host
+moon::ping -c 3 192.168.0.2
diff --git a/testing/tests/tkm/xfrmproxy-expire/test.conf b/testing/tests/tkm/xfrmproxy-expire/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
index d93407434..b9eee4f57 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
@@ -1,8 +1,8 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
index e22b767f7..224807860 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
@@ -1,8 +1,8 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
index e22b767f7..224807860 100644
--- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
@@ -1,8 +1,8 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
diff --git a/testing/tests/tnc/tnccs-20-fail-init/description.txt b/testing/tests/tnc/tnccs-20-fail-init/description.txt
new file mode 100644
index 000000000..91fbbaad9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p/>
+Unfortunately <b>carol</b> sends her first PB-TNC batch with a wrong version number and
+<b>dave</b> sends a PB-TNC message not supported by <b>moon</b> with the NOSKIP flag set.
+Therefore both connection setups fail due to fatal PB-TNC errors.
diff --git a/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat
new file mode 100644
index 000000000..4cbf60ff7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat
@@ -0,0 +1,10 @@
+moon:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES
+carol::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES
+carol::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::reject PB-TNC message (0x00902a/0x00000000)::YES
+dave:: cat /var/log/daemon.log::received fatal PB-TNC error.*Unsupported Mandatory Message::YES
+dave::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..fcd224651
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+
+  multiple_authentication = no
+
+  plugins {
+    tnccs-20 {
+      tests {
+        pb_tnc_version = 3
+      }
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..504408488
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..76f413722
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+  multiple_authentication = no
+
+  plugins {
+    tnc-imc {
+      preferred_language = ru, pl  , de
+    }
+    tnccs-20 {
+      tests {
+        pb_tnc_noskip = yes 
+      }
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = isolate
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imv 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9c13fcb67
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+
+  multiple_authentication = no
+
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imv-test {
+      rounds = 1
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..61b141062
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat
new file mode 100644
index 000000000..b757d8b15
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
new file mode 100644
index 000000000..38c651328
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start 
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fail-init/test.conf b/testing/tests/tnc/tnccs-20-fail-init/test.conf
new file mode 100644
index 000000000..3c8e3996f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/description.txt b/testing/tests/tnc/tnccs-20-fail-resp/description.txt
new file mode 100644
index 000000000..0aa07193c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/description.txt
@@ -0,0 +1,9 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the client doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p/>
+Unfortunately <b>moon</b> sends his first PB-TNC batch with a wrong version number .
+Therefore the connection setup fails due to a fatal PB-TNC error.
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat
new file mode 100644
index 000000000..df4bdc857
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat
@@ -0,0 +1,5 @@
+carol:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES
+moon::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES
+moon::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ed6d6f718
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+
+  multiple_authentication = no
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imv 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..626731f58
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,28 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+
+  multiple_authentication = no
+
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    tnccs-20 {
+      tests {
+        pb_tnc_version = 3
+      }
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imv-test {
+      rounds = 1
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..61b141062
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
new file mode 100644
index 000000000..80ce1a125
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
@@ -0,0 +1,4 @@
+carol::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
new file mode 100644
index 000000000..6947c4bdf
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start 
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/test.conf b/testing/tests/tnc/tnccs-20-fail-resp/test.conf
new file mode 100644
index 000000000..e8430743e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/description.txt b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt
new file mode 100644
index 000000000..6c79b8c49
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt
@@ -0,0 +1,3 @@
+The hosts <b>moon</b> and <b>sun</b> do mutual TNC measurements over IKEv2-EAP
+using the PA-TNC, PB-TNC and PT-EAP protocols. The authentication is based on
+X.509 certificates.
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat
new file mode 100644
index 000000000..0ef7b5d7d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat
@@ -0,0 +1,11 @@
+moon::cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
+sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
+moon::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
+sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..47a0283dc
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 2, imc 2, imv 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=moon.strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=sun.strongswan.org
+	rightsendcert=never
+	rightauth=any
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..953e7fcea
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
+
+  multiple_authentication = no
+  plugins {
+    eap-ttls {
+      phase2_tnc =yes
+    }
+    tnccs-20 {
+      mutual = yes
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+    imv-test {
+      rounds = 1
+    }   
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint 
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..c20bce930
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 2, imc 2, imv 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	rightauth=eap-ttls
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..570126a0e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,28 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
+
+  multiple_authentication = no
+  plugins {
+    eap-ttls {
+      request_peer_auth = yes
+      phase2_piggyback = yes
+      phase2_tnc =yes
+    }
+    tnccs-20 {
+      mutual = yes
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow 
+    }
+    imv-test {
+      rounds = 1 
+    }   
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint 
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat
new file mode 100644
index 000000000..3bce9f6e5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up host-host
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/test.conf b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf
new file mode 100644
index 000000000..55d6e9fd6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt
new file mode 100644
index 000000000..09ab8e9f1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt
@@ -0,0 +1,3 @@
+The hosts <b>moon</b> and <b>sun</b> do mutual TNC measurements using the
+PA-TNC, PB-TNC and PT-TLS protocols. The authentication is based on
+X.509 certificates.
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat
new file mode 100644
index 000000000..eb996192d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/auth.log::PT-TLS authentication complete::YES
+sun:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
+moon::cat /var/log/auth.log::activating mutual PB-TNC half duplex protocol::YES
+sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
+moon::cat /var/log/auth.log::PB-TNC access recommendation is.*Access Allowed::YES
+sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..98c415edb
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+/* configuration is read from /etc/pts/options  */
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options
new file mode 100644
index 000000000..79ae1e866
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options
@@ -0,0 +1,8 @@
+--connect sun.strongswan.org
+--client moon.strongswan.org
+--key /etc/ipsec.d/private/moonKey.pem
+--cert /etc/ipsec.d/certs/moonCert.pem
+--cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--mutual
+--quiet
+--debug 2
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fafdac4aa
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pt-tls-client {
+  load = x509 openssl pem pkcs1 random nonce revocation curl tnc-tnccs tnc-imc tnc-imv tnccs-20 
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+    imv-test {
+      rounds = 1
+    }   
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint 
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..ba629a24f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,9 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 2, imc 2, imv 2"
+
+conn pdp 
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..05ffdb178
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,28 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 
+
+  plugins {
+    tnc-pdp {
+      server = sun.strongswan.org
+      radius {
+        enable = no
+      }
+    }
+    tnccs-20 {
+      mutual = yes
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow 
+    }
+    imv-test {
+      rounds = 1 
+    }   
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint 
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat
new file mode 100644
index 000000000..e6ccb14fe
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat
@@ -0,0 +1 @@
+sun::ipsec stop
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
new file mode 100644
index 000000000..fab55d11a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
@@ -0,0 +1,4 @@
+sun::ipsec start
+moon::cat /etc/pts/options
+moon::sleep 1
+moon::ipsec pt-tls-client --optionsfrom /etc/pts/options 
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf
new file mode 100644
index 000000000..55d6e9fd6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
index a86fcff61..f744453e6 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
@@ -1,10 +1,10 @@
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
 dave:: cat /var/log/daemon.log::collected ... SWID tags::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
 carol::cat /var/log/daemon.log::collected ... SWID tag IDs::YES
 carol::cat /var/log/daemon.log::collected 1 SWID tag::YES