Diffstat (limited to 'src/libipsec')
-rw-r--r--src/libipsec/Makefile.am6
-rw-r--r--src/libipsec/Makefile.in338
-rw-r--r--src/libipsec/esp_context.c28
-rw-r--r--src/libipsec/esp_packet.c21
-rw-r--r--src/libipsec/esp_packet.h2
-rw-r--r--src/libipsec/ip_packet.c8
-rw-r--r--src/libipsec/ipsec_policy_mgr.c10
-rw-r--r--src/libipsec/ipsec_policy_mgr.h4
-rw-r--r--src/libipsec/ipsec_processor.c16
-rw-r--r--src/libipsec/ipsec_sa.c102
-rw-r--r--src/libipsec/ipsec_sa.h31
-rw-r--r--src/libipsec/ipsec_sa_mgr.c31
-rw-r--r--src/libipsec/ipsec_sa_mgr.h17
13 files changed, 411 insertions, 203 deletions
diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
index 74379f1d5..41f5ae937 100644
--- a/src/libipsec/Makefile.am
+++ b/src/libipsec/Makefile.am
@@ -13,11 +13,15 @@ ipsec_processor.c ipsec_processor.h \
ipsec_sa.c ipsec_sa.h \
ipsec_sa_mgr.c ipsec_sa_mgr.h
-libipsec_la_LIBADD =
+libipsec_la_LIBADD = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan
+AM_LDFLAGS = \
+ -no-undefined
+
EXTRA_DIST = Android.mk
# build optional plugins
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index 3dbf34ed2..cf44fc6f8 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -1,9 +1,8 @@
-# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# Makefile.in generated by automake 1.13.3 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
-# Foundation, Inc.
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -16,23 +15,51 @@
@SET_MAKE@
VPATH = @srcdir@
-am__make_dryrun = \
- { \
- am__dry=no; \
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
- echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \
- | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
- *) \
- for am__flg in $$MAKEFLAGS; do \
- case $$am__flg in \
- *=*|--*) ;; \
- *n*) am__dry=yes; break;; \
- esac; \
- done;; \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
- test $$am__dry = yes; \
- }
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -52,13 +79,15 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = src/libipsec
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+ $(top_srcdir)/depcomp
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/config/ltoptions.m4 \
$(top_srcdir)/m4/config/ltsugar.m4 \
$(top_srcdir)/m4/config/ltversion.m4 \
$(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
$(top_srcdir)/m4/macros/with.m4 \
$(top_srcdir)/m4/macros/enable-disable.m4 \
$(top_srcdir)/m4/macros/add-plugin.m4 \
@@ -98,7 +127,8 @@ am__uninstall_files_from_dir = { \
}
am__installdirs = "$(DESTDIR)$(ipseclibdir)"
LTLIBRARIES = $(ipseclib_LTLIBRARIES)
-libipsec_la_DEPENDENCIES =
+libipsec_la_DEPENDENCIES = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la
am_libipsec_la_OBJECTS = ipsec.lo esp_context.lo esp_packet.lo \
ip_packet.lo ipsec_event_relay.lo ipsec_policy.lo \
ipsec_policy_mgr.lo ipsec_processor.lo ipsec_sa.lo \
@@ -107,6 +137,19 @@ libipsec_la_OBJECTS = $(am_libipsec_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
+am__v_lt_1 =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
@@ -119,29 +162,26 @@ LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(AM_CFLAGS) $(CFLAGS)
AM_V_CC = $(am__v_CC_@AM_V@)
am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
-am__v_CC_0 = @echo " CC " $@;
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
CCLD = $(CC)
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(AM_LDFLAGS) $(LDFLAGS) -o $@
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo " CCLD " $@;
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo " GEN " $@;
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
SOURCES = $(libipsec_la_SOURCES)
DIST_SOURCES = $(libipsec_la_SOURCES)
-RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
- html-recursive info-recursive install-data-recursive \
- install-dvi-recursive install-exec-recursive \
- install-html-recursive install-info-recursive \
- install-pdf-recursive install-ps-recursive install-recursive \
- installcheck-recursive installdirs-recursive pdf-recursive \
- ps-recursive uninstall-recursive
+RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
+ ctags-recursive dvi-recursive html-recursive info-recursive \
+ install-data-recursive install-dvi-recursive \
+ install-exec-recursive install-html-recursive \
+ install-info-recursive install-pdf-recursive \
+ install-ps-recursive install-recursive installcheck-recursive \
+ installdirs-recursive pdf-recursive ps-recursive \
+ tags-recursive uninstall-recursive
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
@@ -149,9 +189,29 @@ am__can_run_installinfo = \
esac
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
-AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
- $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
+am__recursive_targets = \
+ $(RECURSIVE_TARGETS) \
+ $(RECURSIVE_CLEAN_TARGETS) \
+ $(am__extra_recursive_targets)
+AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
distdir
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = .
@@ -254,6 +314,10 @@ PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
@@ -370,6 +434,7 @@ starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
@@ -391,10 +456,15 @@ ipsec_processor.c ipsec_processor.h \
ipsec_sa.c ipsec_sa.h \
ipsec_sa_mgr.c ipsec_sa_mgr.h
-libipsec_la_LIBADD =
+libipsec_la_LIBADD = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la
+
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan
+AM_LDFLAGS = \
+ -no-undefined
+
EXTRA_DIST = Android.mk
@MONOLITHIC_FALSE@SUBDIRS = .
@@ -435,6 +505,7 @@ $(top_srcdir)/configure: $(am__configure_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
+
install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
@$(NORMAL_INSTALL)
@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
@@ -461,12 +532,15 @@ uninstall-ipseclibLTLIBRARIES:
clean-ipseclibLTLIBRARIES:
-test -z "$(ipseclib_LTLIBRARIES)" || rm -f $(ipseclib_LTLIBRARIES)
- @list='$(ipseclib_LTLIBRARIES)'; for p in $$list; do \
- dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
- test "$$dir" != "$$p" || dir=.; \
- echo "rm -f \"$${dir}/so_locations\""; \
- rm -f "$${dir}/so_locations"; \
- done
+ @list='$(ipseclib_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
libipsec.la: $(libipsec_la_OBJECTS) $(libipsec_la_DEPENDENCIES) $(EXTRA_libipsec_la_DEPENDENCIES)
$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libipsec_la_OBJECTS) $(libipsec_la_LIBADD) $(LIBS)
@@ -488,22 +562,25 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_sa_mgr.Plo@am__quote@
.c.o:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
@@ -515,22 +592,25 @@ clean-libtool:
-rm -rf .libs _libs
# This directory's subdirectories are mostly independent; you can cd
-# into them and run `make' without going through this Makefile.
-# To change the values of `make' variables: instead of editing Makefiles,
-# (1) if the variable is set in `config.status', edit `config.status'
-# (which will cause the Makefiles to be regenerated when you run `make');
-# (2) otherwise, pass the desired values on the `make' command line.
-$(RECURSIVE_TARGETS):
- @fail= failcom='exit 1'; \
- for f in x $$MAKEFLAGS; do \
- case $$f in \
- *=* | --[!k]*);; \
- *k*) failcom='fail=yes';; \
- esac; \
- done; \
+# into them and run 'make' without going through this Makefile.
+# To change the values of 'make' variables: instead of editing Makefiles,
+# (1) if the variable is set in 'config.status', edit 'config.status'
+# (which will cause the Makefiles to be regenerated when you run 'make');
+# (2) otherwise, pass the desired values on the 'make' command line.
+$(am__recursive_targets):
+ @fail=; \
+ if $(am__make_keepgoing); then \
+ failcom='fail=yes'; \
+ else \
+ failcom='exit 1'; \
+ fi; \
dot_seen=no; \
target=`echo $@ | sed s/-recursive//`; \
- list='$(SUBDIRS)'; for subdir in $$list; do \
+ case "$@" in \
+ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+ *) list='$(SUBDIRS)' ;; \
+ esac; \
+ for subdir in $$list; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
dot_seen=yes; \
@@ -545,57 +625,12 @@ $(RECURSIVE_TARGETS):
$(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
fi; test -z "$$fail"
-$(RECURSIVE_CLEAN_TARGETS):
- @fail= failcom='exit 1'; \
- for f in x $$MAKEFLAGS; do \
- case $$f in \
- *=* | --[!k]*);; \
- *k*) failcom='fail=yes';; \
- esac; \
- done; \
- dot_seen=no; \
- case "$@" in \
- distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
- *) list='$(SUBDIRS)' ;; \
- esac; \
- rev=''; for subdir in $$list; do \
- if test "$$subdir" = "."; then :; else \
- rev="$$subdir $$rev"; \
- fi; \
- done; \
- rev="$$rev ."; \
- target=`echo $@ | sed s/-recursive//`; \
- for subdir in $$rev; do \
- echo "Making $$target in $$subdir"; \
- if test "$$subdir" = "."; then \
- local_target="$$target-am"; \
- else \
- local_target="$$target"; \
- fi; \
- ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
- || eval $$failcom; \
- done && test -z "$$fail"
-tags-recursive:
- list='$(SUBDIRS)'; for subdir in $$list; do \
- test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
- done
-ctags-recursive:
- list='$(SUBDIRS)'; for subdir in $$list; do \
- test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
- done
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-recursive
+TAGS: tags
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
- mkid -fID $$unique
-tags: TAGS
-
-TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
- $(TAGS_FILES) $(LISP)
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
@@ -611,12 +646,7 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
fi; \
done; \
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
+ $(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
@@ -628,15 +658,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$$unique; \
fi; \
fi
-ctags: CTAGS
-CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
- $(TAGS_FILES) $(LISP)
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
+ctags: ctags-recursive
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
@@ -645,6 +671,21 @@ GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-recursive
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -813,24 +854,23 @@ ps-am:
uninstall-am: uninstall-ipseclibLTLIBRARIES
-.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
- install-am install-strip tags-recursive
-
-.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
- all all-am check check-am clean clean-generic \
- clean-ipseclibLTLIBRARIES clean-libtool ctags ctags-recursive \
- distclean distclean-compile distclean-generic \
- distclean-libtool distclean-tags distdir dvi dvi-am html \
- html-am info info-am install install-am install-data \
- install-data-am install-dvi install-dvi-am install-exec \
- install-exec-am install-html install-html-am install-info \
- install-info-am install-ipseclibLTLIBRARIES install-man \
- install-pdf install-pdf-am install-ps install-ps-am \
- install-strip installcheck installcheck-am installdirs \
- installdirs-am maintainer-clean maintainer-clean-generic \
- mostlyclean mostlyclean-compile mostlyclean-generic \
- mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
- uninstall uninstall-am uninstall-ipseclibLTLIBRARIES
+.MAKE: $(am__recursive_targets) install-am install-strip
+
+.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
+ check-am clean clean-generic clean-ipseclibLTLIBRARIES \
+ clean-libtool cscopelist-am ctags ctags-am distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am \
+ install-ipseclibLTLIBRARIES install-man install-pdf \
+ install-pdf-am install-ps install-ps-am install-strip \
+ installcheck installcheck-am installdirs installdirs-am \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
+ uninstall-ipseclibLTLIBRARIES
# Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
index bbcb62add..66e14f98b 100644
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -224,7 +224,7 @@ static bool create_aead(private_esp_context_t *this, int alg,
if (!this->aead)
{
DBG1(DBG_ESP, "failed to create ESP context: unsupported AEAD "
- "algorithm");
+ "algorithm %N", encryption_algorithm_names, alg);
return FALSE;
}
if (!this->aead->set_key(this->aead, key))
@@ -244,19 +244,11 @@ static bool create_traditional(private_esp_context_t *this, int enc_alg,
crypter_t *crypter = NULL;
signer_t *signer = NULL;
- switch (enc_alg)
- {
- case ENCR_AES_CBC:
- crypter = lib->crypto->create_crypter(lib->crypto, enc_alg,
- enc_key.len);
- break;
- default:
- break;
- }
+ crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_key.len);
if (!crypter)
{
DBG1(DBG_ESP, "failed to create ESP context: unsupported encryption "
- "algorithm");
+ "algorithm %N", encryption_algorithm_names, enc_alg);
goto failed;
}
if (!crypter->set_key(crypter, enc_key))
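Review bot: Dropping the `switch` in favour of an unconditional `create_crypter()` call removes the explicit list of encryption algorithms this ESP context would accept, and the next hunk of the same function does the same for `create_signer()` and its HMAC list. Any transform the loaded crypto plugins can instantiate now passes this point, so the decision of which algorithms are acceptable for ESP (null or stream-cipher transforms included) moves entirely to whoever installs the SA, and nothing in the hunk records that contract. If that delegation is intended, a comment above the call such as `/* no allow-list here: the SA installer is responsible for rejecting transforms unsuitable for ESP */` would make it explicit; otherwise the check belongs back here before `set_key()`. create_traditional starts and ends outside the hunk.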
@@ -266,21 +258,11 @@ static bool create_traditional(private_esp_context_t *this, int enc_alg,
goto failed;
}
- switch (int_alg)
- {
- case AUTH_HMAC_SHA1_96:
- case AUTH_HMAC_SHA2_256_128:
- case AUTH_HMAC_SHA2_384_192:
- case AUTH_HMAC_SHA2_512_256:
- signer = lib->crypto->create_signer(lib->crypto, int_alg);
- break;
- default:
- break;
- }
+ signer = lib->crypto->create_signer(lib->crypto, int_alg);
if (!signer)
{
DBG1(DBG_ESP, "failed to create ESP context: unsupported integrity "
- "algorithm");
+ "algorithm %N", integrity_algorithm_names, int_alg);
goto failed;
}
if (!signer->set_key(signer, int_key))
diff --git a/src/libipsec/esp_packet.c b/src/libipsec/esp_packet.c
index 61389daa4..ebe13ce77 100644
--- a/src/libipsec/esp_packet.c
+++ b/src/libipsec/esp_packet.c
@@ -232,7 +232,6 @@ METHOD(esp_packet_t, decrypt, status_t,
return PARSE_ERROR;
}
ciphertext = reader->peek(reader);
- ciphertext.len += icv.len;
reader->destroy(reader);
if (!esp_context->verify_seqno(esp_context, seq))
@@ -245,6 +244,8 @@ METHOD(esp_packet_t, decrypt, status_t,
DBG3(DBG_ESP, "ESP decryption:\n SPI %.8x [seq %u]\n IV %B\n "
"encrypted %B\n ICV %B", spi, seq, &iv, &ciphertext, &icv);
+ /* include ICV in ciphertext for decryption/verification */
+ ciphertext.len += icv.len;
/* aad = spi + seq */
aad = chunk_create(data.ptr, 8);
@@ -283,7 +284,7 @@ METHOD(esp_packet_t, encrypt, status_t,
u_int32_t next_seqno;
size_t blocksize, plainlen;
aead_t *aead;
- rng_t *rng;
+ iv_gen_t *iv_gen;
this->packet->set_data(this->packet, chunk_empty);
@@ -293,13 +294,13 @@ METHOD(esp_packet_t, encrypt, status_t,
return FAILED;
}
- rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
- if (!rng)
+ aead = esp_context->get_aead(esp_context);
+ iv_gen = aead->get_iv_gen(aead);
+ if (!iv_gen)
{
- DBG1(DBG_ESP, "ESP encryption failed: could not find RNG");
+ DBG1(DBG_ESP, "ESP encryption failed: no IV generator");
return NOT_FOUND;
}
- aead = esp_context->get_aead(esp_context);
blocksize = aead->get_block_size(aead);
iv.len = aead->get_iv_size(aead);
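Review bot: The IV is now produced by the AEAD's generator from `next_seqno` instead of fresh RNG bytes, so for a crypter/signer pair wrapped into an `aead_t` (what create_traditional in esp_context.c appears to build) an unpredictable IV depends entirely on that wrapper handing out a random-backed generator rather than a sequential one; the hunk cannot show which it is, so this is worth confirming and recording. A comment after the `get_iv_gen()` call, e.g. `/* generator kind (sequential vs. random) is chosen by the aead_t; CBC transforms need a random-backed one */`, would state the assumption. Note also that `aead` is dereferenced on the next line without a NULL check; the removed line had the same gap, so this is not new, but it is now the first use. encrypt continues outside the hunk.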
@@ -309,7 +310,9 @@ METHOD(esp_packet_t, encrypt, status_t,
payload = this->payload ? this->payload->get_encoding(this->payload)
: chunk_empty;
plainlen = payload.len + 2;
- padding.len = blocksize - (plainlen % blocksize);
+ padding.len = pad_len(plainlen, blocksize);
+ /* ICV must be on a 4-byte boundary */
+ padding.len += pad_len(iv.len + plainlen + padding.len, 4);
plainlen += padding.len;
/* len = spi, seq, IV, plaintext, ICV */
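Review bot: The second `pad_len()` call keeps both invariants (block alignment and the 4-byte alignment of Pad Length/Next Header) only if it adds 0 bytes whenever the data is already aligned, which holds when `blocksize` is 1 or when both `blocksize` and `iv.len` are multiples of 4; for any other combination the extra bytes break the block alignment established on the line before. `pad_len` is defined outside the hunk, so I cannot confirm it returns 0 for aligned input. A comment stating the invariant, e.g. `/* adds 0 for block ciphers (blocksize and IV are 4-byte multiples); only transforms with blocksize 1 get extra bytes here */`, or an assertion on `padding.len % blocksize` would document it. Pad Length is an 8-bit field, so `padding.len` must also stay below 256, which the block sizes in use satisfy but nothing here asserts.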
@@ -319,14 +322,12 @@ METHOD(esp_packet_t, encrypt, status_t,
writer->write_uint32(writer, next_seqno);
iv = writer->skip(writer, iv.len);
- if (!rng->get_bytes(rng, iv.len, iv.ptr))
+ if (!iv_gen->get_iv(iv_gen, next_seqno, iv.len, iv.ptr))
{
DBG1(DBG_ESP, "ESP encryption failed: could not generate IV");
writer->destroy(writer);
- rng->destroy(rng);
return FAILED;
}
- rng->destroy(rng);
/* plain-/ciphertext will start here */
ciphertext = writer->get_buf(writer);
diff --git a/src/libipsec/esp_packet.h b/src/libipsec/esp_packet.h
index ce8645825..f1941a3ba 100644
--- a/src/libipsec/esp_packet.h
+++ b/src/libipsec/esp_packet.h
@@ -91,7 +91,7 @@ struct esp_packet_t {
* @return - SUCCESS if encrypted
* - FAILED if sequence number cycled or any of the
* cryptographic functions failed
- * - NOT_FOUND if no suitable RNG could be found
+ * - NOT_FOUND if no suitable IV generator provided
*/
status_t (*encrypt)(esp_packet_t *this, esp_context_t *esp_context,
u_int32_t spi);
diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c
index d08e09057..ede9d100a 100644
--- a/src/libipsec/ip_packet.c
+++ b/src/libipsec/ip_packet.c
@@ -98,7 +98,7 @@ METHOD(ip_packet_t, get_next_header, u_int8_t,
METHOD(ip_packet_t, clone, ip_packet_t*,
private_ip_packet_t *this)
{
- return ip_packet_create(this->packet);
+ return ip_packet_create(chunk_clone(this->packet));
}
METHOD(ip_packet_t, destroy, void,
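Review bot: `chunk_clone()` allocates, so the clone's buffer is now owned by the new ip_packet_t; that is the fix the old shared-buffer clone needed, but it also means the `goto failed` path of `ip_packet_create()` (visible in the next hunks, its `failed:` label is not) must free the chunk it was handed or the copy leaks on a malformed packet. Worth confirming, and stating the ownership transfer in the header comment of `ip_packet_create()`, e.g. `@param packet packet data, owned by the new object (freed on failure too)`.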
@@ -139,6 +139,9 @@ ip_packet_t *ip_packet_create(chunk_t packet)
goto failed;
}
ip = (struct ip*)packet.ptr;
+ /* remove any RFC 4303 TFC extra padding */
+ packet.len = min(packet.len, untoh16(&ip->ip_len));
+
src = host_create_from_chunk(AF_INET,
chunk_from_thing(ip->ip_src), 0);
dst = host_create_from_chunk(AF_INET,
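Review bot: Clamping `packet.len` to `ip_len` has no lower bound, so a header carrying an `ip_len` smaller than the IPv4 header (or than the minimum the check above the hunk validated) now shrinks `packet.len` below the header that `ip` points at; whatever code later derives a payload length from `packet.len` (outside this hunk) would see a short or wrapped value. The same applies to the IPv6 clamp in the next hunk. A guard such as `if (untoh16(&ip->ip_len) < sizeof(struct ip)) goto failed;` before the clamp keeps the length consistent with the header already validated.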
@@ -157,6 +160,9 @@ ip_packet_t *ip_packet_create(chunk_t packet)
goto failed;
}
ip = (struct ip6_hdr*)packet.ptr;
+ /* remove any RFC 4303 TFC extra padding */
+ packet.len = min(packet.len, untoh16(&ip->ip6_plen));
+
src = host_create_from_chunk(AF_INET6,
chunk_from_thing(ip->ip6_src), 0);
dst = host_create_from_chunk(AF_INET6,
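Review bot: `ip6_plen` is the IPv6 payload length and excludes the 40-byte fixed header, so `min(packet.len, untoh16(&ip->ip6_plen))` trims 40 bytes off every IPv6 packet, not just the TFC padding; the IPv4 hunk is correct because `ip_len` is the total length. The clamp should be `packet.len = min(packet.len, 40 + untoh16(&ip->ip6_plen));` (or `sizeof(struct ip6_hdr) +`, the type visible on the line above). A jumbogram sets `ip6_plen` to 0, which this clamp would reduce to the bare header; worth a comment or an explicit reject if that case is not supported here.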
diff --git a/src/libipsec/ipsec_policy_mgr.c b/src/libipsec/ipsec_policy_mgr.c
index 72f94ec20..02dc59d65 100644
--- a/src/libipsec/ipsec_policy_mgr.c
+++ b/src/libipsec/ipsec_policy_mgr.c
@@ -230,7 +230,8 @@ METHOD(ipsec_policy_mgr_t, flush_policies, status_t,
}
METHOD(ipsec_policy_mgr_t, find_by_packet, ipsec_policy_t*,
- private_ipsec_policy_mgr_t *this, ip_packet_t *packet, bool inbound)
+ private_ipsec_policy_mgr_t *this, ip_packet_t *packet, bool inbound,
+ u_int32_t reqid)
{
enumerator_t *enumerator;
ipsec_policy_entry_t *current;
@@ -245,8 +246,11 @@ METHOD(ipsec_policy_mgr_t, find_by_packet, ipsec_policy_t*,
if ((inbound == (policy->get_direction(policy) == POLICY_IN)) &&
policy->match_packet(policy, packet))
{
- found = policy->get_ref(policy);
- break;
+ if (reqid == 0 || reqid == policy->get_reqid(policy))
+ {
+ found = policy->get_ref(policy);
+ break;
+ }
}
}
enumerator->destroy(enumerator);
diff --git a/src/libipsec/ipsec_policy_mgr.h b/src/libipsec/ipsec_policy_mgr.h
index dfa4b12c3..30406bdb7 100644
--- a/src/libipsec/ipsec_policy_mgr.h
+++ b/src/libipsec/ipsec_policy_mgr.h
@@ -97,10 +97,12 @@ struct ipsec_policy_mgr_t {
*
* @param packet IP packet to match
* @param inbound TRUE for an inbound packet
+ * @param reqid require a policy with a specific reqid, 0 for any
* @return reference to the policy, or NULL if none found
*/
ipsec_policy_t *(*find_by_packet)(ipsec_policy_mgr_t *this,
- ip_packet_t *packet, bool inbound);
+ ip_packet_t *packet, bool inbound,
+ u_int32_t reqid);
/**
* Destroy an ipsec_policy_mgr_t
diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
index e142157f8..ee297a34b 100644
--- a/src/libipsec/ipsec_processor.c
+++ b/src/libipsec/ipsec_processor.c
@@ -91,9 +91,10 @@ static void deliver_inbound(private_ipsec_processor_t *this,
static job_requeue_t process_inbound(private_ipsec_processor_t *this)
{
esp_packet_t *packet;
+ ip_packet_t *ip_packet;
ipsec_sa_t *sa;
u_int8_t next_header;
- u_int32_t spi;
+ u_int32_t spi, reqid;
packet = (esp_packet_t*)this->inbound_queue->dequeue(this->inbound_queue);
@@ -126,6 +127,9 @@ static job_requeue_t process_inbound(private_ipsec_processor_t *this)
packet->destroy(packet);
return JOB_REQUEUE_DIRECT;
}
+ ip_packet = packet->get_payload(packet);
+ sa->update_usestats(sa, ip_packet->get_encoding(ip_packet).len);
+ reqid = sa->get_reqid(sa);
ipsec->sas->checkin(ipsec->sas, sa);
next_header = packet->get_next_header(packet);
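Review bot: `get_payload()` is now called for every decrypted packet before the `next_header` switch, whereas the old code only called it inside the IPIP/IPV6 cases; if it returns NULL for a next header that is not an IP packet, `ip_packet->get_encoding(ip_packet)` dereferences NULL before the switch can reject the packet. I cannot see get_payload's contract from here, so either confirm it never returns NULL or guard the call: `sa->update_usestats(sa, ip_packet ? ip_packet->get_encoding(ip_packet).len : 0);`. Counting the bytes before the policy lookup also means packets that later fail `find_by_packet` still advance the SA's byte/packet lifetime; that is defensible (they were decrypted) but worth a one-line comment. process_inbound continues outside the hunk.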
@@ -135,13 +139,11 @@ static job_requeue_t process_inbound(private_ipsec_processor_t *this)
case IPPROTO_IPV6:
{
ipsec_policy_t *policy;
- ip_packet_t *ip_packet;
- ip_packet = packet->get_payload(packet);
policy = ipsec->policies->find_by_packet(ipsec->policies,
- ip_packet, TRUE);
+ ip_packet, TRUE, reqid);
if (policy)
- { /* TODO-IPSEC: update policy/sa stats? */
+ {
deliver_inbound(this, packet);
policy->destroy(policy);
break;
@@ -193,7 +195,7 @@ static job_requeue_t process_outbound(private_ipsec_processor_t *this)
packet = (ip_packet_t*)this->outbound_queue->dequeue(this->outbound_queue);
- policy = ipsec->policies->find_by_packet(ipsec->policies, packet, FALSE);
+ policy = ipsec->policies->find_by_packet(ipsec->policies, packet, FALSE, 0);
if (!policy)
{
DBG2(DBG_ESP, "no matching outbound IPsec policy for %H == %H",
@@ -224,7 +226,7 @@ static job_requeue_t process_outbound(private_ipsec_processor_t *this)
policy->destroy(policy);
return JOB_REQUEUE_DIRECT;
}
- /* TODO-IPSEC: update policy/sa counters? */
+ sa->update_usestats(sa, packet->get_encoding(packet).len);
ipsec->sas->checkin(ipsec->sas, sa);
policy->destroy(policy);
send_outbound(this, esp_packet);
diff --git a/src/libipsec/ipsec_sa.c b/src/libipsec/ipsec_sa.c
index 2ff5cff55..6ec8bd25e 100644
--- a/src/libipsec/ipsec_sa.c
+++ b/src/libipsec/ipsec_sa.c
@@ -15,6 +15,7 @@
* for more details.
*/
+#include "ipsec.h"
#include "ipsec_sa.h"
#include <library.h>
@@ -81,6 +82,28 @@ struct private_ipsec_sa_t {
* ESP context
*/
esp_context_t *esp_context;
+
+ /**
+ * Usage statistics
+ */
+ struct {
+ /** last time of use */
+ time_t time;
+ /** number of packets processed */
+ u_int64_t packets;
+ /** number of bytes processed */
+ u_int64_t bytes;
+ } use;
+
+ /**
+ * Has the SA soft-expired?
+ */
+ bool soft_expired;
+
+ /**
+ * Has the SA hard-expired?
+ */
+ bool hard_expired;
};
METHOD(ipsec_sa_t, get_source, host_t*,
@@ -145,10 +168,81 @@ METHOD(ipsec_sa_t, get_esp_context, esp_context_t*,
return this->esp_context;
}
+METHOD(ipsec_sa_t, get_usestats, void,
+ private_ipsec_sa_t *this, u_int64_t *bytes, u_int64_t *packets,
+ time_t *time)
+{
+ if (bytes)
+ {
+ *bytes = this->use.bytes;
+ }
+ if (packets)
+ {
+ *packets = this->use.packets;
+ }
+ if (time)
+ {
+ *time = this->use.time;
+ }
+}
+
+METHOD(ipsec_sa_t, expire, void,
+ private_ipsec_sa_t *this, bool hard)
+{
+ if (hard)
+ {
+ if (!this->hard_expired)
+ {
+ this->hard_expired = TRUE;
+ ipsec->events->expire(ipsec->events, this->reqid, this->protocol,
+ this->spi, TRUE);
+ }
+ }
+ else
+ {
+ if (!this->hard_expired && !this->soft_expired)
+ {
+ this->soft_expired = TRUE;
+ ipsec->events->expire(ipsec->events, this->reqid, this->protocol,
+ this->spi, FALSE);
+ }
+ }
+}
+
+METHOD(ipsec_sa_t, update_usestats, void,
+ private_ipsec_sa_t *this, u_int32_t bytes)
+{
+ this->use.time = time_monotonic(NULL);
+ this->use.packets++;
+ this->use.bytes += bytes;
+
+ if (this->lifetime.packets.life &&
+ this->use.packets >= this->lifetime.packets.life)
+ {
+ return expire(this, TRUE);
+ }
+ if (this->lifetime.bytes.life &&
+ this->use.bytes >= this->lifetime.bytes.life)
+ {
+ return expire(this, TRUE);
+ }
+ if (this->lifetime.packets.rekey &&
+ this->use.packets >= this->lifetime.packets.rekey)
+ {
+ return expire(this, FALSE);
+ }
+ if (this->lifetime.bytes.rekey &&
+ this->use.bytes >= this->lifetime.bytes.rekey)
+ {
+ return expire(this, FALSE);
+ }
+}
+
METHOD(ipsec_sa_t, match_by_spi_dst, bool,
private_ipsec_sa_t *this, u_int32_t spi, host_t *dst)
{
- return this->spi == spi && this->dst->ip_equals(this->dst, dst);
+ return this->spi == spi && this->dst->ip_equals(this->dst, dst) &&
+ !this->hard_expired;
}
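Review bot: `return expire(this, TRUE);` in `update_usestats` returns a void expression from a void function, which ISO C forbids (a constraint violation that GCC only reports under `-pedantic`); the four early exits should read `expire(this, TRUE); return;` (and `FALSE` for the rekey cases), or be restructured as an if/else-if chain with no returns. Separately, `match_by_spi_dst` and `match_by_reqid` now refuse hard-expired SAs but `match_by_spi_src_dst`, whose body sits untouched between this hunk and the next, does not; if that is deliberate (an exact lookup for delete/update must still find an expired SA) a comment on it saying so would keep someone from "fixing" it. The `use` counters are updated without synchronisation; the ipsec_processor.c hunks show the SA being checked out and in around each use, so this is presumably serialised by the manager, but a note on the struct field would record that assumption.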
METHOD(ipsec_sa_t, match_by_spi_src_dst, bool,
@@ -161,7 +255,8 @@ METHOD(ipsec_sa_t, match_by_spi_src_dst, bool,
METHOD(ipsec_sa_t, match_by_reqid, bool,
private_ipsec_sa_t *this, u_int32_t reqid, bool inbound)
{
- return this->reqid == reqid && this->inbound == inbound;
+ return this->reqid == reqid && this->inbound == inbound &&
+ !this->hard_expired;
}
METHOD(ipsec_sa_t, destroy, void,
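Review bot: match_by_spi_src_dst, whose body lies between these two hunks and is not touched by the commit, does not get the `!this->hard_expired` guard that match_by_spi_dst and match_by_reqid now carry, so a hard-expired SA stays reachable through it. If that asymmetry is deliberate — presumably so that del_sa and query_sa in the SA manager can still locate the expired entry — it deserves a comment next to the guard, e.g. `/* hard-expired SAs stay visible via match_by_spi_src_dst so they can still be queried/deleted */`; otherwise the same guard belongs there too.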
@@ -227,6 +322,9 @@ ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
.match_by_spi_src_dst = _match_by_spi_src_dst,
.match_by_reqid = _match_by_reqid,
.get_esp_context = _get_esp_context,
+ .get_usestats = _get_usestats,
+ .update_usestats = _update_usestats,
+ .expire = _expire,
},
.spi = spi,
.src = src->clone(src),
diff --git a/src/libipsec/ipsec_sa.h b/src/libipsec/ipsec_sa.h
index dec688e68..5e69f18cf 100644
--- a/src/libipsec/ipsec_sa.h
+++ b/src/libipsec/ipsec_sa.h
@@ -110,8 +110,37 @@ struct ipsec_sa_t {
esp_context_t *(*get_esp_context)(ipsec_sa_t *this);
/**
+ * Get usage statistics for this SA.
+ *
+ * @param bytes receives number of processed bytes, or NULL
+ * @param packets receives number of processed packets, or NULL
+ * @param time receives last use time of this SA, or NULL
+ */
+ void (*get_usestats)(ipsec_sa_t *this, u_int64_t *bytes, u_int64_t *packets,
+ time_t *time);
+
+ /**
+ * Record en/decryption of a packet to update usage statistics.
+ *
+ * @param bytes length of packet processed
+ */
+ void (*update_usestats)(ipsec_sa_t *this, u_int32_t bytes);
+
+ /**
+ * Expire this SA, soft or hard.
+ *
+ * A soft expire triggers a rekey, a hard expire blocks the SA and
+ * triggers a delete for the SA.
+ *
+ * @param hard TRUE for hard, FALSE for soft
+ */
+ void (*expire)(ipsec_sa_t *this, bool hard);
+
+ /**
* Check if this SA matches all given parameters
*
+ * Only matches if the SA has not yet expired.
+ *
* @param spi SPI
* @param dst destination address
* @return TRUE if this SA matches all parameters, FALSE otherwise
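Review bot: the update_usestats documentation does not say that the call can change the SA's state: once a lifetime limit is reached it synchronously raises an expire event and flips the SA to soft- or hard-expired, after which match_by_spi_dst and match_by_reqid no longer return it. Add a sentence to that comment block, e.g. `* May trigger a soft or hard expire (see expire()) once the configured byte or packet lifetime is reached.`. The expire() comment says a hard expire "blocks the SA"; spelling out that "blocks" means the two match functions below stop matching it would tie the three comments together for a reader of the header alone.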
@@ -132,6 +161,8 @@ struct ipsec_sa_t {
/**
* Check if this SA matches all given parameters
*
+ * Only matches if the SA has not yet expired.
+ *
* @param reqid reqid
* @param inbound TRUE for inbound SA, FALSE for outbound
* @return TRUE if this SA matches all parameters, FALSE otherwise
diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c
index 928a53d50..1db1776c0 100644
--- a/src/libipsec/ipsec_sa_mgr.c
+++ b/src/libipsec/ipsec_sa_mgr.c
@@ -299,12 +299,10 @@ static job_requeue_t sa_expired(ipsec_sa_expired_t *expired)
if (this->sas->find_first(this->sas, (void*)match_entry_by_ptr,
NULL, expired->entry) == SUCCESS)
{
- u_int32_t hard_offset = expired->hard_offset;
- ipsec_sa_t *sa = expired->entry->sa;
+ u_int32_t hard_offset;
- ipsec->events->expire(ipsec->events, sa->get_reqid(sa),
- sa->get_protocol(sa), sa->get_spi(sa),
- hard_offset == 0);
+ hard_offset = expired->hard_offset;
+ expired->entry->sa->expire(expired->entry->sa, hard_offset == 0);
if (hard_offset)
{ /* soft limit reached, schedule hard expire */
expired->hard_offset = 0;
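Review bot: expire() is now invoked on `expired->entry->sa` without checking the entry out, while a packet-processing thread that holds that entry checked out may be inside update_usestats, which writes the same `soft_expired`/`hard_expired` flags through expire(); whether this->mutex is held at this point is outside the hunk (sa_expired starts above it), but the entry-level lock is what the other manager methods use to serialise access to an SA. For consistency with query_sa, consider `if (... == SUCCESS && wait_for_entry(this, expired->entry))`, then call expire and check the entry back in (`entry->locked = FALSE; entry->condvar->signal(entry->condvar);`). If the flag writes are judged benign because only bools are touched and the events are idempotent, say so in a comment at the call rather than leaving it implicit.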
@@ -530,6 +528,28 @@ METHOD(ipsec_sa_mgr_t, update_sa, status_t,
return SUCCESS;
}
+METHOD(ipsec_sa_mgr_t, query_sa, status_t,
+ private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
+ u_int32_t spi, u_int8_t protocol, mark_t mark,
+ u_int64_t *bytes, u_int64_t *packets, time_t *time)
+{
+ ipsec_sa_entry_t *entry = NULL;
+
+ this->mutex->lock(this->mutex);
+ if (this->sas->find_first(this->sas, (void*)match_entry_by_spi_src_dst,
+ (void**)&entry, &spi, src, dst) == SUCCESS &&
+ wait_for_entry(this, entry))
+ {
+ entry->sa->get_usestats(entry->sa, bytes, packets, time);
+ /* checkin the entry */
+ entry->locked = FALSE;
+ entry->condvar->signal(entry->condvar);
+ }
+ this->mutex->unlock(this->mutex);
+
+ return entry ? SUCCESS : NOT_FOUND;
+}
+
METHOD(ipsec_sa_mgr_t, del_sa, status_t,
private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, u_int32_t spi,
u_int8_t protocol, u_int16_t cpi, mark_t mark)
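Review bot: query_sa returns SUCCESS whenever find_first located the entry, even when wait_for_entry() returns FALSE and the `if` body is skipped; in that case `*bytes`, `*packets` and `*time` are never written and the caller consumes uninitialised values under a SUCCESS status. Track the outcome explicitly: initialise `status_t status = NOT_FOUND;` before taking the lock, set `status = SUCCESS;` right after the get_usestats call, and `return status;` at the end instead of testing `entry`. Note also that the `protocol` and `mark` arguments are accepted but play no part in the lookup (the match is on SPI/src/dst only), which is worth a one-line comment if it mirrors the other SAD methods.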
@@ -653,6 +673,7 @@ ipsec_sa_mgr_t *ipsec_sa_mgr_create()
.get_spi = _get_spi,
.add_sa = _add_sa,
.update_sa = _update_sa,
+ .query_sa = _query_sa,
.del_sa = _del_sa,
.checkout_by_spi = _checkout_by_spi,
.checkout_by_reqid = _checkout_by_reqid,
diff --git a/src/libipsec/ipsec_sa_mgr.h b/src/libipsec/ipsec_sa_mgr.h
index e9ce5ee8f..8c234cefa 100644
--- a/src/libipsec/ipsec_sa_mgr.h
+++ b/src/libipsec/ipsec_sa_mgr.h
@@ -109,6 +109,23 @@ struct ipsec_sa_mgr_t {
bool encap, bool new_encap, mark_t mark);
/**
+ * Query the number of bytes processed by an SA from the SAD.
+ *
+ * @param src source address for this SA
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param mark optional mark for this SA
+ * @param[out] bytes the number of bytes processed by SA
+ * @param[out] packets number of packets processed by SA
+ * @param[out] time last (monotonic) time of SA use
+ * @return SUCCESS if operation completed
+ */
+ status_t (*query_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
+ u_int32_t spi, u_int8_t protocol, mark_t mark,
+ u_int64_t *bytes, u_int64_t *packets, time_t *time);
+
+ /**
* Delete a previously added SA
*
* @param spi SPI of the SA
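Review bot: the `@return` line for query_sa documents only SUCCESS; callers need to know that NOT_FOUND is returned when no SA with that SPI, source and destination exists and that the three output parameters are left untouched in that case. Replace it with `@return SUCCESS if the SA was found, NOT_FOUND otherwise (outputs untouched)`. The brief description, "Query the number of bytes processed", also undersells the packet count and last-use time that are returned; `Query usage statistics (bytes, packets, last use) of an SA in the SAD.` fits the signature better.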