509 files changed, 11662 insertions, 6000 deletions

diff --git a/src/Makefile.am b/src/Makefile.am
index 9608a3a13..a9df10cc6 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -4,10 +4,6 @@ if USE_LIBSTRONGSWAN
   SUBDIRS += libstrongswan
 endif
 
-if USE_LIBHYDRA
-  SUBDIRS += libhydra
-endif
-
 if USE_LIBIPSEC
   SUBDIRS += libipsec
 endif
diff --git a/src/Makefile.in b/src/Makefile.in
index 7596e7e55..1d012fb22 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -78,39 +78,38 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 @USE_LIBSTRONGSWAN_TRUE@am__append_1 = libstrongswan
-@USE_LIBHYDRA_TRUE@am__append_2 = libhydra
-@USE_LIBIPSEC_TRUE@am__append_3 = libipsec
-@USE_SIMAKA_TRUE@am__append_4 = libsimaka
-@USE_TLS_TRUE@am__append_5 = libtls
-@USE_RADIUS_TRUE@am__append_6 = libradius
-@USE_LIBTNCIF_TRUE@am__append_7 = libtncif
-@USE_LIBTNCCS_TRUE@am__append_8 = libtnccs
-@USE_LIBPTTLS_TRUE@am__append_9 = libpttls
-@USE_IMCV_TRUE@am__append_10 = libimcv
-@USE_LIBCHARON_TRUE@am__append_11 = libcharon
-@USE_FILE_CONFIG_TRUE@am__append_12 = starter
-@USE_IPSEC_SCRIPT_TRUE@am__append_13 = ipsec _copyright
-@USE_CHARON_TRUE@am__append_14 = charon
-@USE_SYSTEMD_TRUE@am__append_15 = charon-systemd
-@USE_NM_TRUE@am__append_16 = charon-nm
-@USE_STROKE_TRUE@am__append_17 = stroke
-@USE_UPDOWN_TRUE@am__append_18 = _updown
-@USE_SCEPCLIENT_TRUE@am__append_19 = scepclient
-@USE_PKI_TRUE@am__append_20 = pki
-@USE_SWANCTL_TRUE@am__append_21 = swanctl
-@USE_CONFTEST_TRUE@am__append_22 = conftest
-@USE_DUMM_TRUE@am__append_23 = dumm
-@USE_FAST_TRUE@am__append_24 = libfast
-@USE_MANAGER_TRUE@am__append_25 = manager
-@USE_MEDSRV_TRUE@am__append_26 = medsrv
-@USE_ATTR_SQL_TRUE@am__append_27 = pool
-@USE_ATTR_SQL_FALSE@@USE_SQL_TRUE@am__append_28 = pool
-@USE_TKM_TRUE@am__append_29 = charon-tkm
-@USE_CMD_TRUE@am__append_30 = charon-cmd
-@USE_SVC_TRUE@am__append_31 = charon-svc
-@USE_LIBPTTLS_TRUE@am__append_32 = pt-tls-client
-@USE_INTEGRITY_TEST_TRUE@am__append_33 = checksum
-@USE_AIKGEN_TRUE@am__append_34 = aikgen
+@USE_LIBIPSEC_TRUE@am__append_2 = libipsec
+@USE_SIMAKA_TRUE@am__append_3 = libsimaka
+@USE_TLS_TRUE@am__append_4 = libtls
+@USE_RADIUS_TRUE@am__append_5 = libradius
+@USE_LIBTNCIF_TRUE@am__append_6 = libtncif
+@USE_LIBTNCCS_TRUE@am__append_7 = libtnccs
+@USE_LIBPTTLS_TRUE@am__append_8 = libpttls
+@USE_IMCV_TRUE@am__append_9 = libimcv
+@USE_LIBCHARON_TRUE@am__append_10 = libcharon
+@USE_FILE_CONFIG_TRUE@am__append_11 = starter
+@USE_IPSEC_SCRIPT_TRUE@am__append_12 = ipsec _copyright
+@USE_CHARON_TRUE@am__append_13 = charon
+@USE_SYSTEMD_TRUE@am__append_14 = charon-systemd
+@USE_NM_TRUE@am__append_15 = charon-nm
+@USE_STROKE_TRUE@am__append_16 = stroke
+@USE_UPDOWN_TRUE@am__append_17 = _updown
+@USE_SCEPCLIENT_TRUE@am__append_18 = scepclient
+@USE_PKI_TRUE@am__append_19 = pki
+@USE_SWANCTL_TRUE@am__append_20 = swanctl
+@USE_CONFTEST_TRUE@am__append_21 = conftest
+@USE_DUMM_TRUE@am__append_22 = dumm
+@USE_FAST_TRUE@am__append_23 = libfast
+@USE_MANAGER_TRUE@am__append_24 = manager
+@USE_MEDSRV_TRUE@am__append_25 = medsrv
+@USE_ATTR_SQL_TRUE@am__append_26 = pool
+@USE_ATTR_SQL_FALSE@@USE_SQL_TRUE@am__append_27 = pool
+@USE_TKM_TRUE@am__append_28 = charon-tkm
+@USE_CMD_TRUE@am__append_29 = charon-cmd
+@USE_SVC_TRUE@am__append_30 = charon-svc
+@USE_LIBPTTLS_TRUE@am__append_31 = pt-tls-client
+@USE_INTEGRITY_TEST_TRUE@am__append_32 = checksum
+@USE_AIKGEN_TRUE@am__append_33 = aikgen
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -184,12 +183,12 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \
-	libtls libradius libtncif libtnccs libpttls libimcv libcharon \
-	starter ipsec _copyright charon charon-systemd charon-nm \
-	stroke _updown scepclient pki swanctl conftest dumm libfast \
-	manager medsrv pool charon-tkm charon-cmd charon-svc \
-	pt-tls-client checksum aikgen
+DIST_SUBDIRS = . include libstrongswan libipsec libsimaka libtls \
+	libradius libtncif libtnccs libpttls libimcv libcharon starter \
+	ipsec _copyright charon charon-systemd charon-nm stroke \
+	_updown scepclient pki swanctl conftest dumm libfast manager \
+	medsrv pool charon-tkm charon-cmd charon-svc pt-tls-client \
+	checksum aikgen
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -428,6 +427,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -451,8 +452,7 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_22) $(am__append_23) $(am__append_24) \
 	$(am__append_25) $(am__append_26) $(am__append_27) \
 	$(am__append_28) $(am__append_29) $(am__append_30) \
-	$(am__append_31) $(am__append_32) $(am__append_33) \
-	$(am__append_34)
+	$(am__append_31) $(am__append_32) $(am__append_33)
 all: all-recursive
 
 .SUFFIXES:
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 2a4838c9a..432bde59b 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -382,6 +382,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index fe31dff64..08fce3e2c 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -359,6 +359,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/aikgen/Makefile.in b/src/aikgen/Makefile.in
index 33ed13397..8fb9126e5 100644
--- a/src/aikgen/Makefile.in
+++ b/src/aikgen/Makefile.in
@@ -385,6 +385,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/charon-cmd/Makefile.am b/src/charon-cmd/Makefile.am
index 73df45072..1f4033aad 100644
--- a/src/charon-cmd/Makefile.am
+++ b/src/charon-cmd/Makefile.am
@@ -12,7 +12,6 @@ charon-cmd.o :	$(top_builddir)/config.status
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
@@ -20,6 +19,5 @@ AM_CPPFLAGS = \
 
 charon_cmd_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB)
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index 64dea34c7..f48410270 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -109,7 +109,6 @@ charon_cmd_OBJECTS = $(am_charon_cmd_OBJECTS)
 am__DEPENDENCIES_1 =
 charon_cmd_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -419,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -442,7 +443,6 @@ charon_cmd_SOURCES = \
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
@@ -450,7 +450,6 @@ AM_CPPFLAGS = \
 
 charon_cmd_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB)
 
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index d3b31cc0d..f350198c6 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -26,7 +26,6 @@
 #include <errno.h>
 
 #include <library.h>
-#include <hydra.h>
 #include <daemon.h>
 #include <utils/backtrace.h>
 #include <threading/thread.h>
@@ -330,11 +329,6 @@ int main(int argc, char *argv[])
 			exit(SS_RC_DAEMON_INTEGRITY);
 		}
 	}
-	atexit(libhydra_deinit);
-	if (!libhydra_init())
-	{
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
 	atexit(libcharon_deinit);
 	if (!libcharon_init())
 	{
diff --git a/src/charon-nm/Makefile.am b/src/charon-nm/Makefile.am
index d3630ffd5..b6f0c8b54 100644
--- a/src/charon-nm/Makefile.am
+++ b/src/charon-nm/Makefile.am
@@ -9,7 +9,6 @@ charon_nm_SOURCES = \
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
@@ -21,6 +20,5 @@ AM_CFLAGS = \
 
 charon_nm_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB) ${nm_LIBS}
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index 82f6fbcb2..490a08023 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -109,7 +109,6 @@ charon_nm_OBJECTS = $(am_charon_nm_OBJECTS)
 am__DEPENDENCIES_1 =
 charon_nm_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
@@ -390,6 +389,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -412,7 +413,6 @@ charon_nm_SOURCES = \
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
@@ -424,7 +424,6 @@ AM_CFLAGS = \
 
 charon_nm_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB) ${nm_LIBS}
 
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index fb090e5d3..cbbed7ac1 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -20,7 +20,6 @@
 #include <unistd.h>
 #include <errno.h>
 
-#include <hydra.h>
 #include <daemon.h>
 
 #include <library.h>
@@ -177,14 +176,6 @@ int main(int argc, char *argv[])
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
 
-	if (!libhydra_init())
-	{
-		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting charon-nm");
-		libhydra_deinit();
-		library_deinit();
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
-
 	if (!libcharon_init())
 	{
 		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting charon-nm");
@@ -212,7 +203,6 @@ int main(int argc, char *argv[])
 	{
 		DBG1(DBG_DMN, "integrity tests enabled:");
 		DBG1(DBG_DMN, "lib    'libstrongswan': passed file and segment integrity tests");
-		DBG1(DBG_DMN, "lib    'libhydra': passed file and segment integrity tests");
 		DBG1(DBG_DMN, "lib    'libcharon': passed file and segment integrity tests");
 		DBG1(DBG_DMN, "daemon 'charon-nm': passed file integrity test");
 	}
@@ -260,7 +250,6 @@ int main(int argc, char *argv[])
 
 deinit:
 	libcharon_deinit();
-	libhydra_deinit();
 	library_deinit();
 	return status;
 }
diff --git a/src/charon-svc/Makefile.am b/src/charon-svc/Makefile.am
index ecccf02f5..c91ad08f8 100644
--- a/src/charon-svc/Makefile.am
+++ b/src/charon-svc/Makefile.am
@@ -6,11 +6,9 @@ charon-svc.o :	$(top_builddir)/config.status
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${charon_plugins}\""
 
 charon_svc_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la
diff --git a/src/charon-svc/Makefile.in b/src/charon-svc/Makefile.in
index 1c0a4058d..4f9143d9b 100644
--- a/src/charon-svc/Makefile.in
+++ b/src/charon-svc/Makefile.in
@@ -105,7 +105,6 @@ am_charon_svc_OBJECTS = charon-svc.$(OBJEXT)
 charon_svc_OBJECTS = $(am_charon_svc_OBJECTS)
 charon_svc_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -384,6 +383,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -400,13 +401,11 @@ xml_LIBS = @xml_LIBS@
 charon_svc_SOURCES = charon-svc.c
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${charon_plugins}\""
 
 charon_svc_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la
 
 all: all-am
diff --git a/src/charon-svc/charon-svc.c b/src/charon-svc/charon-svc.c
index 03cbdb871..823b366c0 100644
--- a/src/charon-svc/charon-svc.c
+++ b/src/charon-svc/charon-svc.c
@@ -14,7 +14,6 @@
  */
 
 #include <library.h>
-#include <hydra.h>
 #include <daemon.h>
 
 #include <utils/backtrace.h>
@@ -190,6 +189,15 @@ static int service_wait()
 }
 
 /**
+ * Add namespace alias
+ */
+static void __attribute__ ((constructor))register_namespace()
+{
+	/* inherit settings from charon */
+	library_add_namespace("charon");
+}
+
+/**
  * Initialize and run charon using a wait function
  */
 static void init_and_run(DWORD dwArgc, LPTSTR *lpszArgv, int (*wait)())
@@ -210,28 +218,22 @@ static void init_and_run(DWORD dwArgc, LPTSTR *lpszArgv, int (*wait)())
 		if (library_init(NULL, SERVICE_NAME))
 		{
 			update_status(SERVICE_START_PENDING);
-			if (libhydra_init())
+			if (libcharon_init())
 			{
+				charon->load_loggers(charon, levels, TRUE);
+				print_version();
 				update_status(SERVICE_START_PENDING);
-				if (libcharon_init())
+				if (charon->initialize(charon, PLUGINS))
 				{
-					charon->load_loggers(charon, levels, TRUE);
-					print_version();
 					update_status(SERVICE_START_PENDING);
-					if (charon->initialize(charon, PLUGINS))
-					{
-						update_status(SERVICE_START_PENDING);
-						lib->plugins->status(lib->plugins, LEVEL_CTRL);
+					lib->plugins->status(lib->plugins, LEVEL_CTRL);
 
-						charon->start(charon);
+					charon->start(charon);
 
-						status.dwWin32ExitCode = wait();
-					}
-					update_status(SERVICE_STOP_PENDING);
-					libcharon_deinit();
+					status.dwWin32ExitCode = wait();
 				}
 				update_status(SERVICE_STOP_PENDING);
-				libhydra_deinit();
+				libcharon_deinit();
 			}
 			update_status(SERVICE_STOP_PENDING);
 			library_deinit();
diff --git a/src/charon-systemd/Makefile.am b/src/charon-systemd/Makefile.am
index 1b9ac150f..9942a3682 100644
--- a/src/charon-systemd/Makefile.am
+++ b/src/charon-systemd/Makefile.am
@@ -7,13 +7,11 @@ charon-systemd.o :	$(top_builddir)/config.status
 
 charon_systemd_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
-	$(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
+	$(systemd_CFLAGS) $(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
 	-DPLUGINS=\""${charon_plugins}\""
 
 charon_systemd_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
-	$(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
+	$(systemd_LIBS) $(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
diff --git a/src/charon-systemd/Makefile.in b/src/charon-systemd/Makefile.in
index d6e1c471c..b4f624d45 100644
--- a/src/charon-systemd/Makefile.in
+++ b/src/charon-systemd/Makefile.in
@@ -106,10 +106,10 @@ charon_systemd_OBJECTS = $(am_charon_systemd_OBJECTS)
 am__DEPENDENCIES_1 =
 charon_systemd_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
@@ -387,6 +387,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -405,16 +407,14 @@ charon-systemd.c
 
 charon_systemd_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
-	$(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
+	$(systemd_CFLAGS) $(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
 	-DPLUGINS=\""${charon_plugins}\""
 
 charon_systemd_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
-	$(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
+	$(systemd_LIBS) $(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
 
 all: all-am
 
diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c
index 4286cde82..5c7bbd779 100644
--- a/src/charon-systemd/charon-systemd.c
+++ b/src/charon-systemd/charon-systemd.c
@@ -31,7 +31,6 @@
 #include <systemd/sd-daemon.h>
 #include <systemd/sd-journal.h>
 
-#include <hydra.h>
 #include <daemon.h>
 
 #include <library.h>
@@ -326,6 +325,15 @@ static plugin_feature_t features[] = {
 };
 
 /**
+ * Add namespace alias
+ */
+static void __attribute__ ((constructor))register_namespace()
+{
+	/* inherit settings from charon */
+	library_add_namespace("charon");
+}
+
+/**
  * Main function, starts the daemon.
  */
 int main(int argc, char *argv[])
@@ -355,12 +363,6 @@ int main(int argc, char *argv[])
 		sd_notifyf(0, "STATUS=integrity check of charon-systemd failed");
 		return SS_RC_INITIALIZATION_FAILED;
 	}
-	atexit(libhydra_deinit);
-	if (!libhydra_init())
-	{
-		sd_notifyf(0, "STATUS=libhydra initialization failed");
-		return SS_RC_INITIALIZATION_FAILED;
-	}
 	atexit(libcharon_deinit);
 	if (!libcharon_init())
 	{
diff --git a/src/charon-tkm/Makefile.am b/src/charon-tkm/Makefile.am
index d2b81a3ea..ad54eafc0 100644
--- a/src/charon-tkm/Makefile.am
+++ b/src/charon-tkm/Makefile.am
@@ -4,15 +4,13 @@ OBJ = $(abs_top_builddir)/src
 AM_CPPFLAGS = \
 	-include $(abs_top_builddir)/config.h \
 	-I$(SRC)/libstrongswan \
-	-I$(SRC)/libhydra \
 	-I$(SRC)/libcharon
 
 LIBLD = \
 	-L$(OBJ)/libstrongswan/.libs \
-	-L$(OBJ)/libhydra/.libs \
 	-L$(OBJ)/libcharon/.libs
-LIBPT = $(OBJ)/libstrongswan/.libs:$(OBJ)/libhydra/.libs:$(OBJ)/libcharon/.libs
-LIBFL = -lstrongswan -lhydra -lcharon
+LIBPT = $(OBJ)/libstrongswan/.libs:$(OBJ)/libcharon/.libs
+LIBFL = -lstrongswan -lcharon
 
 DEFS += -DPLUGINS=\""$(PLUGINS)\"" -DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index bff198ab8..81afd4de5 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -329,6 +329,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -347,16 +349,14 @@ OBJ = $(abs_top_builddir)/src
 AM_CPPFLAGS = \
 	-include $(abs_top_builddir)/config.h \
 	-I$(SRC)/libstrongswan \
-	-I$(SRC)/libhydra \
 	-I$(SRC)/libcharon
 
 LIBLD = \
 	-L$(OBJ)/libstrongswan/.libs \
-	-L$(OBJ)/libhydra/.libs \
 	-L$(OBJ)/libcharon/.libs
 
-LIBPT = $(OBJ)/libstrongswan/.libs:$(OBJ)/libhydra/.libs:$(OBJ)/libcharon/.libs
-LIBFL = -lstrongswan -lhydra -lcharon
+LIBPT = $(OBJ)/libstrongswan/.libs:$(OBJ)/libcharon/.libs
+LIBFL = -lstrongswan -lcharon
 BUILD_OPTS = \
 	-XOBJ_DIR=$(abs_builddir)/obj \
 	-cargs $(AM_CPPFLAGS) $(DEFS) \
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 3923c8ae6..13352e55a 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -26,7 +26,6 @@
 #include <libgen.h>
 #include <errno.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <library.h>
 #include <utils/backtrace.h>
@@ -256,14 +255,6 @@ int main(int argc, char *argv[])
 		exit(status);
 	}
 
-	if (!libhydra_init())
-	{
-		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting %s", dmn_name);
-		libhydra_deinit();
-		library_deinit();
-		exit(status);
-	}
-
 	if (!libcharon_init())
 	{
 		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting %s", dmn_name);
@@ -391,7 +382,6 @@ int main(int argc, char *argv[])
 deinit:
 	destroy_dh_mapping();
 	libcharon_deinit();
-	libhydra_deinit();
 	library_deinit();
 	tkm_deinit();
 	return status;
diff --git a/src/charon-tkm/src/ees/ees_callbacks.c b/src/charon-tkm/src/ees/ees_callbacks.c
index 74c0d3618..f4107d90a 100644
--- a/src/charon-tkm/src/ees/ees_callbacks.c
+++ b/src/charon-tkm/src/ees/ees_callbacks.c
@@ -14,7 +14,7 @@
  * for more details.
  */
 
-#include <hydra.h>
+#include <daemon.h>
 #include <utils/debug.h>
 #include <tkm/constants.h>
 #include <tkm/types.h>
@@ -25,8 +25,7 @@
 void charon_esa_acquire(result_type *res, const sp_id_type sp_id)
 {
 	DBG1(DBG_KNL, "ees: acquire received for reqid %u", sp_id);
-	hydra->kernel_interface->acquire(hydra->kernel_interface, sp_id, NULL,
-									 NULL);
+	charon->kernel->acquire(charon->kernel, sp_id, NULL, NULL);
 	*res = TKM_OK;
 }
 
@@ -47,6 +46,5 @@ void charon_esa_expire(result_type *res, const sp_id_type sp_id,
 
 	DBG1(DBG_KNL, "ees: expire received for reqid %u, spi %x, dst %H", sp_id,
 		 ntohl(spi_rem), dst);
-	hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
-									spi_rem, dst, hard != 0);
+	charon->kernel->expire(charon->kernel, protocol, spi_rem, dst, hard != 0);
 }
diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c
index d087bee3f..8bba1f9d9 100644
--- a/src/charon-tkm/tests/keymat_tests.c
+++ b/src/charon-tkm/tests/keymat_tests.c
@@ -17,7 +17,6 @@
 #include <tests/test_suite.h>
 
 #include <daemon.h>
-#include <hydra.h>
 #include <config/proposal.h>
 #include <encoding/payloads/ike_header.h>
 #include <tkm/client.h>
diff --git a/src/charon-tkm/tests/tests.c b/src/charon-tkm/tests/tests.c
index ac152b690..e3cd2d903 100644
--- a/src/charon-tkm/tests/tests.c
+++ b/src/charon-tkm/tests/tests.c
@@ -18,7 +18,6 @@
 #include <tests/test_runner.h>
 
 #include <library.h>
-#include <hydra.h>
 #include <daemon.h>
 
 #include "tkm.h"
@@ -50,7 +49,6 @@ static bool test_runner_init(bool init)
 
 	if (init)
 	{
-		libhydra_init();
 		libcharon_init();
 		lib->settings->set_int(lib->settings,
 							   "test-runner.filelog.stdout.default", 0);
@@ -74,8 +72,6 @@ static bool test_runner_init(bool init)
 
 		plugin_loader_add_plugindirs(BUILDDIR "/src/libstrongswan/plugins",
 									 PLUGINS);
-		plugin_loader_add_plugindirs(BUILDDIR "/src/libhydra/plugins",
-									 PLUGINS);
 		plugin_loader_add_plugindirs(BUILDDIR "/src/libcharon/plugins",
 									 PLUGINS);
 		if (charon->initialize(charon, PLUGINS))
@@ -95,7 +91,6 @@ static bool test_runner_init(bool init)
 
 	destroy_dh_mapping();
 	libcharon_deinit();
-	libhydra_deinit();
 	return result;
 }
 
diff --git a/src/charon/Android.mk b/src/charon/Android.mk
index 852d73c10..92a027094 100644
--- a/src/charon/Android.mk
+++ b/src/charon/Android.mk
@@ -8,7 +8,6 @@ charon.c
 # build charon -----------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(strongswan_PATH)/src/libhydra \
 	$(strongswan_PATH)/src/libcharon \
 	$(strongswan_PATH)/src/libstrongswan
 
@@ -23,7 +22,7 @@ LOCAL_ARM_MODE := arm
 
 LOCAL_PRELINK_MODULE := false
 
-LOCAL_SHARED_LIBRARIES += libstrongswan libhydra libcharon
+LOCAL_SHARED_LIBRARIES += libstrongswan libcharon
 
 include $(BUILD_EXECUTABLE)
 
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 6c5b88eb8..c6a6f40f9 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -7,7 +7,6 @@ charon.o :	$(top_builddir)/config.status
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
@@ -15,7 +14,6 @@ AM_CPPFLAGS = \
 
 charon_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB)
 
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index e1cc5c202..b4abeff25 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -106,7 +106,6 @@ charon_OBJECTS = $(am_charon_OBJECTS)
 am__DEPENDENCIES_1 =
 charon_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -386,6 +385,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -404,7 +405,6 @@ charon.c
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
@@ -412,7 +412,6 @@ AM_CPPFLAGS = \
 
 charon_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB)
 
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 4c2a9a477..116ce7e93 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -27,7 +27,6 @@
 #include <fcntl.h>
 #include <errno.h>
 
-#include <hydra.h>
 #include <daemon.h>
 
 #include <library.h>
@@ -309,14 +308,6 @@ int main(int argc, char *argv[])
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
 
-	if (!libhydra_init())
-	{
-		dbg_stderr(DBG_DMN, 1, "initialization failed - aborting charon");
-		libhydra_deinit();
-		library_deinit();
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
-
 	if (!libcharon_init())
 	{
 		dbg_stderr(DBG_DMN, 1, "initialization failed - aborting charon");
@@ -403,7 +394,6 @@ int main(int argc, char *argv[])
 	{
 		DBG1(DBG_DMN, "integrity tests enabled:");
 		DBG1(DBG_DMN, "lib    'libstrongswan': passed file and segment integrity tests");
-		DBG1(DBG_DMN, "lib    'libhydra': passed file and segment integrity tests");
 		DBG1(DBG_DMN, "lib    'libcharon': passed file and segment integrity tests");
 		DBG1(DBG_DMN, "daemon 'charon': passed file integrity test");
 	}
@@ -457,7 +447,6 @@ int main(int argc, char *argv[])
 
 deinit:
 	libcharon_deinit();
-	libhydra_deinit();
 	library_deinit();
 	return status;
 }
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index b358699d0..9cc5fb6b2 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -8,7 +8,6 @@ EXTRA_PROGRAMS = checksum_builder
 checksum_builder_SOURCES = checksum_builder.c
 checksum_builder_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(DLLIB)
 checksum_builder_LDFLAGS = -rpath '$(DESTDIR)$(ipseclibdir)'
@@ -17,7 +16,6 @@ CLEANFILES = checksum.c $(EXTRA_PROGRAMS)
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINDIR=\"${DESTDIR}${plugindir}\"
 
@@ -35,14 +33,6 @@ if !MONOLITHIC
   AM_CPPFLAGS += -DS_PLUGINS=\""${s_plugins}\""
 endif
 
-if USE_LIBHYDRA
-  deps += $(top_builddir)/src/libhydra/libhydra.la
-  libs += $(DESTDIR)$(ipseclibdir)/libhydra.so
-if !MONOLITHIC
-  AM_CPPFLAGS += -DH_PLUGINS=\""${h_plugins}\""
-endif
-endif
-
 if USE_LIBIPSEC
   deps += $(top_builddir)/src/libipsec/libipsec.la
   libs += $(DESTDIR)$(ipseclibdir)/libipsec.so
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 4e4134625..2584beb76 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -80,34 +80,31 @@ build_triplet = @build@
 host_triplet = @host@
 EXTRA_PROGRAMS = checksum_builder$(EXEEXT)
 @MONOLITHIC_FALSE@am__append_1 = -DS_PLUGINS=\""${s_plugins}\""
-@USE_LIBHYDRA_TRUE@am__append_2 = $(top_builddir)/src/libhydra/libhydra.la
-@USE_LIBHYDRA_TRUE@am__append_3 = $(DESTDIR)$(ipseclibdir)/libhydra.so
-@MONOLITHIC_FALSE@@USE_LIBHYDRA_TRUE@am__append_4 = -DH_PLUGINS=\""${h_plugins}\""
-@USE_LIBIPSEC_TRUE@am__append_5 = $(top_builddir)/src/libipsec/libipsec.la
-@USE_LIBIPSEC_TRUE@am__append_6 = $(DESTDIR)$(ipseclibdir)/libipsec.so
-@USE_TLS_TRUE@am__append_7 = $(top_builddir)/src/libtls/libtls.la
-@USE_TLS_TRUE@am__append_8 = $(DESTDIR)$(ipseclibdir)/libtls.so
-@USE_RADIUS_TRUE@am__append_9 = $(top_builddir)/src/libradius/libradius.la
-@USE_RADIUS_TRUE@am__append_10 = $(DESTDIR)$(ipseclibdir)/libradius.so
-@USE_LIBPTTLS_TRUE@am__append_11 = $(top_builddir)/src/libpttls/libpttls.la
-@USE_LIBPTTLS_TRUE@am__append_12 = $(DESTDIR)$(ipseclibdir)/libpttls.so
-@USE_LIBTNCCS_TRUE@am__append_13 = $(top_builddir)/src/libtnccs/libtnccs.la
-@USE_LIBTNCCS_TRUE@am__append_14 = $(DESTDIR)$(ipseclibdir)/libtnccs.so
-@MONOLITHIC_FALSE@@USE_LIBTNCCS_TRUE@am__append_15 = -DT_PLUGINS=\""${t_plugins}\""
-@USE_SIMAKA_TRUE@am__append_16 = $(top_builddir)/src/libsimaka/libsimaka.la
-@USE_SIMAKA_TRUE@am__append_17 = $(DESTDIR)$(ipseclibdir)/libsimaka.so
-@USE_IMCV_TRUE@am__append_18 = $(top_builddir)/src/libimcv/libimcv.la
-@USE_IMCV_TRUE@am__append_19 = $(DESTDIR)$(ipseclibdir)/libimcv.so
-@USE_CHARON_TRUE@am__append_20 = $(top_builddir)/src/libcharon/libcharon.la
-@USE_CHARON_TRUE@am__append_21 = $(DESTDIR)$(ipseclibdir)/libcharon.so
-@USE_CHARON_TRUE@am__append_22 = $(DESTDIR)$(ipsecdir)/charon
-@MONOLITHIC_FALSE@@USE_CHARON_TRUE@am__append_23 = -DC_PLUGINS=\""${c_plugins}\""
-@USE_CMD_TRUE@am__append_24 = $(DESTDIR)$(sbindir)/charon-cmd
-@USE_SCEPCLIENT_TRUE@am__append_25 = $(DESTDIR)$(ipsecdir)/scepclient
-@USE_PKI_TRUE@am__append_26 = $(DESTDIR)$(bindir)/pki
-@USE_SWANCTL_TRUE@am__append_27 = $(DESTDIR)$(sbindir)/swanctl
-@USE_ATTR_SQL_TRUE@am__append_28 = $(DESTDIR)$(ipsecdir)/pool
-@USE_IMV_ATTESTATION_TRUE@am__append_29 = $(DESTDIR)$(ipsecdir)/attest
+@USE_LIBIPSEC_TRUE@am__append_2 = $(top_builddir)/src/libipsec/libipsec.la
+@USE_LIBIPSEC_TRUE@am__append_3 = $(DESTDIR)$(ipseclibdir)/libipsec.so
+@USE_TLS_TRUE@am__append_4 = $(top_builddir)/src/libtls/libtls.la
+@USE_TLS_TRUE@am__append_5 = $(DESTDIR)$(ipseclibdir)/libtls.so
+@USE_RADIUS_TRUE@am__append_6 = $(top_builddir)/src/libradius/libradius.la
+@USE_RADIUS_TRUE@am__append_7 = $(DESTDIR)$(ipseclibdir)/libradius.so
+@USE_LIBPTTLS_TRUE@am__append_8 = $(top_builddir)/src/libpttls/libpttls.la
+@USE_LIBPTTLS_TRUE@am__append_9 = $(DESTDIR)$(ipseclibdir)/libpttls.so
+@USE_LIBTNCCS_TRUE@am__append_10 = $(top_builddir)/src/libtnccs/libtnccs.la
+@USE_LIBTNCCS_TRUE@am__append_11 = $(DESTDIR)$(ipseclibdir)/libtnccs.so
+@MONOLITHIC_FALSE@@USE_LIBTNCCS_TRUE@am__append_12 = -DT_PLUGINS=\""${t_plugins}\""
+@USE_SIMAKA_TRUE@am__append_13 = $(top_builddir)/src/libsimaka/libsimaka.la
+@USE_SIMAKA_TRUE@am__append_14 = $(DESTDIR)$(ipseclibdir)/libsimaka.so
+@USE_IMCV_TRUE@am__append_15 = $(top_builddir)/src/libimcv/libimcv.la
+@USE_IMCV_TRUE@am__append_16 = $(DESTDIR)$(ipseclibdir)/libimcv.so
+@USE_CHARON_TRUE@am__append_17 = $(top_builddir)/src/libcharon/libcharon.la
+@USE_CHARON_TRUE@am__append_18 = $(DESTDIR)$(ipseclibdir)/libcharon.so
+@USE_CHARON_TRUE@am__append_19 = $(DESTDIR)$(ipsecdir)/charon
+@MONOLITHIC_FALSE@@USE_CHARON_TRUE@am__append_20 = -DC_PLUGINS=\""${c_plugins}\""
+@USE_CMD_TRUE@am__append_21 = $(DESTDIR)$(sbindir)/charon-cmd
+@USE_SCEPCLIENT_TRUE@am__append_22 = $(DESTDIR)$(ipsecdir)/scepclient
+@USE_PKI_TRUE@am__append_23 = $(DESTDIR)$(bindir)/pki
+@USE_SWANCTL_TRUE@am__append_24 = $(DESTDIR)$(sbindir)/swanctl
+@USE_ATTR_SQL_TRUE@am__append_25 = $(DESTDIR)$(ipsecdir)/pool
+@USE_IMV_ATTESTATION_TRUE@am__append_26 = $(DESTDIR)$(ipsecdir)/attest
 subdir = src/checksum
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -173,7 +170,6 @@ checksum_builder_OBJECTS = $(am_checksum_builder_OBJECTS)
 am__DEPENDENCIES_1 =
 checksum_builder_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1)
 checksum_builder_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
@@ -453,6 +449,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -475,16 +473,15 @@ libchecksum_la_LDFLAGS = -module -avoid-version -rpath '$(ipseclibdir)'
 checksum_builder_SOURCES = checksum_builder.c
 checksum_builder_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(DLLIB)
 
 checksum_builder_LDFLAGS = -rpath '$(DESTDIR)$(ipseclibdir)'
 CLEANFILES = checksum.c $(EXTRA_PROGRAMS)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINDIR=\"${DESTDIR}${plugindir}\" $(am__append_1) \
-	$(am__append_4) $(am__append_15) $(am__append_23)
+	$(am__append_12) $(am__append_20)
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
 
@@ -493,16 +490,16 @@ AM_CFLAGS = \
 # to the installed libraries. for executables we use the built files directly
 # as these are not relinked during installation.
 deps = $(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__append_2) $(am__append_5) $(am__append_7) \
-	$(am__append_9) $(am__append_11) $(am__append_13) \
-	$(am__append_16) $(am__append_18) $(am__append_20)
+	$(am__append_2) $(am__append_4) $(am__append_6) \
+	$(am__append_8) $(am__append_10) $(am__append_13) \
+	$(am__append_15) $(am__append_17)
 libs = $(DESTDIR)$(ipseclibdir)/libstrongswan.so $(am__append_3) \
-	$(am__append_6) $(am__append_8) $(am__append_10) \
-	$(am__append_12) $(am__append_14) $(am__append_17) \
-	$(am__append_19) $(am__append_21)
-exes = $(am__append_22) $(am__append_24) $(am__append_25) \
-	$(am__append_26) $(am__append_27) $(am__append_28) \
-	$(am__append_29)
+	$(am__append_5) $(am__append_7) $(am__append_9) \
+	$(am__append_11) $(am__append_14) $(am__append_16) \
+	$(am__append_18)
+exes = $(am__append_19) $(am__append_21) $(am__append_22) \
+	$(am__append_23) $(am__append_24) $(am__append_25) \
+	$(am__append_26)
 all: all-am
 
 .SUFFIXES:
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index cc8185ecd..65399f5bc 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -19,7 +19,6 @@
 #include <dlfcn.h>
 
 #include <library.h>
-#include <hydra.h>
 #include <daemon.h>
 #include <collections/enumerator.h>
 
@@ -128,9 +127,8 @@ int main(int argc, char* argv[])
 {
 	int i;
 
-	/* forces link against libhydra/libcharon, imports symbols needed to
+	/* forces link against libcharon, imports symbols needed to
 	 * dlopen plugins */
-	hydra = NULL;
 	charon = NULL;
 
 	/* avoid confusing leak reports in build process */
@@ -159,9 +157,6 @@ int main(int argc, char* argv[])
 #ifdef S_PLUGINS
 	build_plugin_checksums(S_PLUGINS);
 #endif
-#ifdef H_PLUGINS
-	build_plugin_checksums(H_PLUGINS);
-#endif
 #ifdef T_PLUGINS
 	build_plugin_checksums(T_PLUGINS);
 #endif
diff --git a/src/conftest/Makefile.am b/src/conftest/Makefile.am
index eeb26f225..2d4e439da 100644
--- a/src/conftest/Makefile.am
+++ b/src/conftest/Makefile.am
@@ -2,7 +2,6 @@ ipsec_PROGRAMS = conftest
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${charon_plugins}\""
 
@@ -20,7 +19,6 @@ conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
 
 conftest_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB)
 
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index 78438d8f5..f5647f9d9 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -120,7 +120,6 @@ conftest_OBJECTS = $(am_conftest_OBJECTS)
 am__DEPENDENCIES_1 =
 conftest_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -400,6 +399,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -415,7 +416,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${charon_plugins}\""
 
@@ -432,7 +432,6 @@ conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
 
 conftest_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB)
 
diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c
index edfe0ca35..d10f3c7b7 100644
--- a/src/conftest/conftest.c
+++ b/src/conftest/conftest.c
@@ -356,7 +356,6 @@ static void cleanup()
 	free(conftest->suite_dir);
 	free(conftest);
 	libcharon_deinit();
-	libhydra_deinit();
 	library_deinit();
 }
 
@@ -442,16 +441,9 @@ int main(int argc, char *argv[])
 		library_deinit();
 		return SS_RC_LIBSTRONGSWAN_INTEGRITY;
 	}
-	if (!libhydra_init())
-	{
-		libhydra_deinit();
-		library_deinit();
-		return SS_RC_INITIALIZATION_FAILED;
-	}
 	if (!libcharon_init())
 	{
 		libcharon_deinit();
-		libhydra_deinit();
 		library_deinit();
 		return SS_RC_INITIALIZATION_FAILED;
 	}
diff --git a/src/conftest/conftest.h b/src/conftest/conftest.h
index 6bbdabd07..2d0320429 100644
--- a/src/conftest/conftest.h
+++ b/src/conftest/conftest.h
@@ -21,7 +21,6 @@
 #define CONFTEST_H_
 
 #include <library.h>
-#include <hydra.h>
 #include <daemon.h>
 #include <credentials/sets/mem_cred.h>
 
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 2ecf61194..6525fbcb4 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -421,6 +421,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 5740544ca..9f4becb40 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -329,6 +329,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index d4dafcb0c..72022ed56 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -363,6 +363,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index fa46e79f1..686c1ce80 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.4.0dr1" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.4.0rc1" "strongSwan"
 .
 .SH NAME
 .
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index 89c7ef753..a002614fe 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -259,10 +259,15 @@ stop)
 			loop=110
 			while [ $loop -gt 0 ] ; do
 				kill -0 $spid 2>/dev/null || break
-				sleep 0.1
+				sleep 0.1 2>/dev/null
+				if [ $? -ne 0 ]
+				then
+					sleep 1
+					loop=$(($loop - 9))
+				fi
 				loop=$(($loop - 1))
 			done
-			if [ $loop -eq 0 ]
+			if [ $loop -le 0 ]
 			then
 				kill -KILL $spid 2>/dev/null
 				rm -f $IPSEC_STARTER_PID
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 10085794b..55e6bc58b 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -47,7 +47,10 @@ encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
 encoding/payloads/hash_payload.c encoding/payloads/hash_payload.h \
 encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
-kernel/kernel_handler.c kernel/kernel_handler.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.c kernel/kernel_net.h \
+kernel/kernel_listener.h kernel/kernel_handler.c kernel/kernel_handler.h \
 network/receiver.c network/receiver.h network/sender.c network/sender.h \
 network/socket.c network/socket.h \
 network/socket_manager.c network/socket_manager.h \
@@ -56,6 +59,7 @@ processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
 processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
 processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
 processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
+processing/jobs/redirect_job.c processing/jobs/redirect_job.h \
 processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
 processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
 processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
@@ -81,6 +85,7 @@ sa/child_sa_manager.c sa/child_sa_manager.h \
 sa/task_manager.h sa/task_manager.c \
 sa/shunt_manager.c sa/shunt_manager.h \
 sa/trap_manager.c sa/trap_manager.h \
+sa/redirect_provider.h sa/redirect_manager.c sa/redirect_manager.h \
 sa/task.c sa/task.h
 
 libcharon_la_SOURCES += \
@@ -104,8 +109,10 @@ sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
 sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \
+sa/ikev2/tasks/ike_redirect.c sa/ikev2/tasks/ike_redirect.h \
 sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
-sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
+sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h \
+sa/ikev2/tasks/ike_verify_peer_cert.c sa/ikev2/tasks/ike_verify_peer_cert.h
 
 libcharon_la_SOURCES += \
 sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
@@ -149,6 +156,8 @@ endif
 
 LOCAL_SRC_FILES += $(call add_plugin, attr)
 
+LOCAL_SRC_FILES += $(call add_plugin, p-cscf)
+
 LOCAL_SRC_FILES += $(call add_plugin, eap-aka)
 
 LOCAL_SRC_FILES += $(call add_plugin, eap-aka-3gpp2)
@@ -216,6 +225,10 @@ endif
 
 LOCAL_SRC_FILES += $(call add_plugin, load-tester)
 
+LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey)
+
+LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
+
 LOCAL_SRC_FILES += $(call add_plugin, socket-default)
 
 LOCAL_SRC_FILES += $(call add_plugin, socket-dynamic)
@@ -228,7 +241,6 @@ endif
 # build libcharon --------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(strongswan_PATH)/src/libhydra \
 	$(strongswan_PATH)/src/libstrongswan
 
 LOCAL_CFLAGS := $(strongswan_CFLAGS)
@@ -241,6 +253,6 @@ LOCAL_ARM_MODE := arm
 
 LOCAL_PRELINK_MODULE := false
 
-LOCAL_SHARED_LIBRARIES += libstrongswan libhydra
+LOCAL_SHARED_LIBRARIES += libstrongswan
 
 include $(BUILD_SHARED_LIBRARY)
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index cd81a5eee..9f0707813 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -8,6 +8,7 @@ attributes/mem_pool.c attributes/mem_pool.h \
 bus/bus.c bus/bus.h \
 bus/listeners/listener.h \
 bus/listeners/logger.h \
+bus/listeners/custom_logger.h \
 bus/listeners/file_logger.c bus/listeners/file_logger.h \
 config/backend_manager.c config/backend_manager.h config/backend.h \
 config/child_cfg.c config/child_cfg.h \
@@ -45,7 +46,10 @@ encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
 encoding/payloads/hash_payload.c encoding/payloads/hash_payload.h \
 encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
-kernel/kernel_handler.c kernel/kernel_handler.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.c kernel/kernel_net.h \
+kernel/kernel_listener.h kernel/kernel_handler.c kernel/kernel_handler.h \
 network/receiver.c network/receiver.h network/sender.c network/sender.h \
 network/socket.c network/socket.h \
 network/socket_manager.c network/socket_manager.h \
@@ -54,6 +58,7 @@ processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
 processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
 processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
 processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
+processing/jobs/redirect_job.c processing/jobs/redirect_job.h \
 processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
 processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
 processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
@@ -79,6 +84,7 @@ sa/child_sa_manager.c sa/child_sa_manager.h \
 sa/task_manager.h sa/task_manager.c \
 sa/shunt_manager.c sa/shunt_manager.h \
 sa/trap_manager.c sa/trap_manager.h \
+sa/redirect_provider.h sa/redirect_manager.c sa/redirect_manager.h \
 sa/task.c sa/task.h
 
 if USE_IKEV2
@@ -103,8 +109,10 @@ sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
 sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \
+sa/ikev2/tasks/ike_redirect.c sa/ikev2/tasks/ike_redirect.h \
 sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
-sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
+sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h \
+sa/ikev2/tasks/ike_verify_peer_cert.c sa/ikev2/tasks/ike_verify_peer_cert.h
 endif
 
 if USE_IKEV1
@@ -142,7 +150,6 @@ daemon.lo :		$(top_builddir)/config.status
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\"
@@ -152,7 +159,6 @@ AM_LDFLAGS = \
 
 libcharon_la_LIBADD = \
   $(top_builddir)/src/libstrongswan/libstrongswan.la \
-  $(top_builddir)/src/libhydra/libhydra.la \
   -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB)
 
 if USE_WINDOWS
@@ -483,6 +489,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_P_CSCF
+  SUBDIRS += plugins/p_cscf
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/p_cscf/libstrongswan-p-cscf.la
+endif
+endif
+
 if USE_ANDROID_DNS
   SUBDIRS += plugins/android_dns
 if MONOLITHIC
@@ -511,6 +524,27 @@ if MONOLITHIC
 endif
 endif
 
+if USE_KERNEL_PFKEY
+  SUBDIRS += plugins/kernel_pfkey
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+endif
+endif
+
+if USE_KERNEL_PFROUTE
+  SUBDIRS += plugins/kernel_pfroute
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+endif
+endif
+
+if USE_KERNEL_NETLINK
+  SUBDIRS += plugins/kernel_netlink
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+endif
+endif
+
 if USE_KERNEL_LIBIPSEC
   SUBDIRS += plugins/kernel_libipsec
 if MONOLITHIC
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 3d425e0b4..2ccae216e 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -99,8 +99,10 @@ host_triplet = @host@
 @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
 @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_redirect.c sa/ikev2/tasks/ike_redirect.h \
 @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
-@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_verify_peer_cert.c sa/ikev2/tasks/ike_verify_peer_cert.h
 
 @USE_IKEV1_TRUE@am__append_2 = \
 @USE_IKEV1_TRUE@sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
@@ -221,58 +223,66 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_85 = plugins/dhcp/libstrongswan-dhcp.la
 @USE_OSX_ATTR_TRUE@am__append_86 = plugins/osx_attr
 @MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_87 = plugins/osx_attr/libstrongswan-osx-attr.la
-@USE_ANDROID_DNS_TRUE@am__append_88 = plugins/android_dns
-@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_89 = plugins/android_dns/libstrongswan-android-dns.la
-@USE_ANDROID_LOG_TRUE@am__append_90 = plugins/android_log
-@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_91 = plugins/android_log/libstrongswan-android-log.la
-@USE_MAEMO_TRUE@am__append_92 = plugins/maemo
-@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_93 = plugins/maemo/libstrongswan-maemo.la
-@USE_HA_TRUE@am__append_94 = plugins/ha
-@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_95 = plugins/ha/libstrongswan-ha.la
-@USE_KERNEL_LIBIPSEC_TRUE@am__append_96 = plugins/kernel_libipsec
-@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_97 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
-@USE_KERNEL_WFP_TRUE@am__append_98 = plugins/kernel_wfp
-@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_99 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
-@USE_KERNEL_IPH_TRUE@am__append_100 = plugins/kernel_iph
-@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_101 = plugins/kernel_iph/libstrongswan-kernel-iph.la
-@USE_WHITELIST_TRUE@am__append_102 = plugins/whitelist
-@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_103 = plugins/whitelist/libstrongswan-whitelist.la
-@USE_LOOKIP_TRUE@am__append_104 = plugins/lookip
-@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_105 = plugins/lookip/libstrongswan-lookip.la
-@USE_ERROR_NOTIFY_TRUE@am__append_106 = plugins/error_notify
-@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_107 = plugins/error_notify/libstrongswan-error-notify.la
-@USE_CERTEXPIRE_TRUE@am__append_108 = plugins/certexpire
-@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_109 = plugins/certexpire/libstrongswan-certexpire.la
-@USE_SYSTIME_FIX_TRUE@am__append_110 = plugins/systime_fix
-@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_111 = plugins/systime_fix/libstrongswan-systime-fix.la
-@USE_LED_TRUE@am__append_112 = plugins/led
-@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_113 = plugins/led/libstrongswan-led.la
-@USE_DUPLICHECK_TRUE@am__append_114 = plugins/duplicheck
-@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_115 = plugins/duplicheck/libstrongswan-duplicheck.la
-@USE_COUPLING_TRUE@am__append_116 = plugins/coupling
-@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_117 = plugins/coupling/libstrongswan-coupling.la
-@USE_RADATTR_TRUE@am__append_118 = plugins/radattr
-@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_119 = plugins/radattr/libstrongswan-radattr.la
-@USE_UCI_TRUE@am__append_120 = plugins/uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_121 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_122 = plugins/addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_123 = plugins/addrblock/libstrongswan-addrblock.la
-@USE_UNITY_TRUE@am__append_124 = plugins/unity
-@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_125 = plugins/unity/libstrongswan-unity.la
-@USE_XAUTH_GENERIC_TRUE@am__append_126 = plugins/xauth_generic
-@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_127 = plugins/xauth_generic/libstrongswan-xauth-generic.la
-@USE_XAUTH_EAP_TRUE@am__append_128 = plugins/xauth_eap
-@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_129 = plugins/xauth_eap/libstrongswan-xauth-eap.la
-@USE_XAUTH_PAM_TRUE@am__append_130 = plugins/xauth_pam
-@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_131 = plugins/xauth_pam/libstrongswan-xauth-pam.la
-@USE_XAUTH_NOAUTH_TRUE@am__append_132 = plugins/xauth_noauth
-@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_133 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
-@USE_RESOLVE_TRUE@am__append_134 = plugins/resolve
-@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_135 = plugins/resolve/libstrongswan-resolve.la
-@USE_ATTR_TRUE@am__append_136 = plugins/attr
-@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_137 = plugins/attr/libstrongswan-attr.la
-@USE_ATTR_SQL_TRUE@am__append_138 = plugins/attr_sql
-@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_139 = plugins/attr_sql/libstrongswan-attr-sql.la
+@USE_P_CSCF_TRUE@am__append_88 = plugins/p_cscf
+@MONOLITHIC_TRUE@@USE_P_CSCF_TRUE@am__append_89 = plugins/p_cscf/libstrongswan-p-cscf.la
+@USE_ANDROID_DNS_TRUE@am__append_90 = plugins/android_dns
+@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_91 = plugins/android_dns/libstrongswan-android-dns.la
+@USE_ANDROID_LOG_TRUE@am__append_92 = plugins/android_log
+@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_93 = plugins/android_log/libstrongswan-android-log.la
+@USE_MAEMO_TRUE@am__append_94 = plugins/maemo
+@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_95 = plugins/maemo/libstrongswan-maemo.la
+@USE_HA_TRUE@am__append_96 = plugins/ha
+@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_97 = plugins/ha/libstrongswan-ha.la
+@USE_KERNEL_PFKEY_TRUE@am__append_98 = plugins/kernel_pfkey
+@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_99 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+@USE_KERNEL_PFROUTE_TRUE@am__append_100 = plugins/kernel_pfroute
+@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_101 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+@USE_KERNEL_NETLINK_TRUE@am__append_102 = plugins/kernel_netlink
+@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_103 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+@USE_KERNEL_LIBIPSEC_TRUE@am__append_104 = plugins/kernel_libipsec
+@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_105 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+@USE_KERNEL_WFP_TRUE@am__append_106 = plugins/kernel_wfp
+@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_107 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
+@USE_KERNEL_IPH_TRUE@am__append_108 = plugins/kernel_iph
+@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_109 = plugins/kernel_iph/libstrongswan-kernel-iph.la
+@USE_WHITELIST_TRUE@am__append_110 = plugins/whitelist
+@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_111 = plugins/whitelist/libstrongswan-whitelist.la
+@USE_LOOKIP_TRUE@am__append_112 = plugins/lookip
+@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_113 = plugins/lookip/libstrongswan-lookip.la
+@USE_ERROR_NOTIFY_TRUE@am__append_114 = plugins/error_notify
+@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_115 = plugins/error_notify/libstrongswan-error-notify.la
+@USE_CERTEXPIRE_TRUE@am__append_116 = plugins/certexpire
+@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_117 = plugins/certexpire/libstrongswan-certexpire.la
+@USE_SYSTIME_FIX_TRUE@am__append_118 = plugins/systime_fix
+@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_119 = plugins/systime_fix/libstrongswan-systime-fix.la
+@USE_LED_TRUE@am__append_120 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_121 = plugins/led/libstrongswan-led.la
+@USE_DUPLICHECK_TRUE@am__append_122 = plugins/duplicheck
+@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_123 = plugins/duplicheck/libstrongswan-duplicheck.la
+@USE_COUPLING_TRUE@am__append_124 = plugins/coupling
+@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_125 = plugins/coupling/libstrongswan-coupling.la
+@USE_RADATTR_TRUE@am__append_126 = plugins/radattr
+@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_127 = plugins/radattr/libstrongswan-radattr.la
+@USE_UCI_TRUE@am__append_128 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_129 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_130 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_131 = plugins/addrblock/libstrongswan-addrblock.la
+@USE_UNITY_TRUE@am__append_132 = plugins/unity
+@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_133 = plugins/unity/libstrongswan-unity.la
+@USE_XAUTH_GENERIC_TRUE@am__append_134 = plugins/xauth_generic
+@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_135 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+@USE_XAUTH_EAP_TRUE@am__append_136 = plugins/xauth_eap
+@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_137 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+@USE_XAUTH_PAM_TRUE@am__append_138 = plugins/xauth_pam
+@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_139 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+@USE_XAUTH_NOAUTH_TRUE@am__append_140 = plugins/xauth_noauth
+@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_141 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+@USE_RESOLVE_TRUE@am__append_142 = plugins/resolve
+@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_143 = plugins/resolve/libstrongswan-resolve.la
+@USE_ATTR_TRUE@am__append_144 = plugins/attr
+@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_145 = plugins/attr/libstrongswan-attr.la
+@USE_ATTR_SQL_TRUE@am__append_146 = plugins/attr_sql
+@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_147 = plugins/attr_sql/libstrongswan-attr-sql.la
 subdir = src/libcharon
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -325,47 +335,47 @@ LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libcharon_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__append_7) $(am__append_9) \
-	$(am__append_11) $(am__append_13) $(am__append_15) \
-	$(am__append_17) $(am__append_19) $(am__append_21) \
-	$(am__append_23) $(am__append_25) $(am__append_27) \
-	$(am__append_29) $(am__append_31) $(am__append_33) \
-	$(am__append_35) $(am__append_37) $(am__append_39) \
-	$(am__append_41) $(am__append_43) $(am__append_45) \
-	$(am__append_47) $(am__append_49) $(am__append_51) \
-	$(am__append_53) $(am__append_54) $(am__append_56) \
-	$(am__append_58) $(am__append_60) $(am__append_62) \
-	$(am__append_64) $(am__append_66) $(am__append_68) \
-	$(am__append_70) $(am__append_72) $(am__append_73) \
-	$(am__append_74) $(am__append_76) $(am__append_78) \
-	$(am__append_79) $(am__append_81) $(am__append_83) \
-	$(am__append_85) $(am__append_87) $(am__append_89) \
-	$(am__append_91) $(am__append_93) $(am__append_95) \
-	$(am__append_97) $(am__append_99) $(am__append_101) \
-	$(am__append_103) $(am__append_105) $(am__append_107) \
-	$(am__append_109) $(am__append_111) $(am__append_113) \
-	$(am__append_115) $(am__append_117) $(am__append_119) \
-	$(am__append_121) $(am__append_123) $(am__append_125) \
-	$(am__append_127) $(am__append_129) $(am__append_131) \
-	$(am__append_133) $(am__append_135) $(am__append_137) \
-	$(am__append_139)
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_7) \
+	$(am__append_9) $(am__append_11) $(am__append_13) \
+	$(am__append_15) $(am__append_17) $(am__append_19) \
+	$(am__append_21) $(am__append_23) $(am__append_25) \
+	$(am__append_27) $(am__append_29) $(am__append_31) \
+	$(am__append_33) $(am__append_35) $(am__append_37) \
+	$(am__append_39) $(am__append_41) $(am__append_43) \
+	$(am__append_45) $(am__append_47) $(am__append_49) \
+	$(am__append_51) $(am__append_53) $(am__append_54) \
+	$(am__append_56) $(am__append_58) $(am__append_60) \
+	$(am__append_62) $(am__append_64) $(am__append_66) \
+	$(am__append_68) $(am__append_70) $(am__append_72) \
+	$(am__append_73) $(am__append_74) $(am__append_76) \
+	$(am__append_78) $(am__append_79) $(am__append_81) \
+	$(am__append_83) $(am__append_85) $(am__append_87) \
+	$(am__append_89) $(am__append_91) $(am__append_93) \
+	$(am__append_95) $(am__append_97) $(am__append_99) \
+	$(am__append_101) $(am__append_103) $(am__append_105) \
+	$(am__append_107) $(am__append_109) $(am__append_111) \
+	$(am__append_113) $(am__append_115) $(am__append_117) \
+	$(am__append_119) $(am__append_121) $(am__append_123) \
+	$(am__append_125) $(am__append_127) $(am__append_129) \
+	$(am__append_131) $(am__append_133) $(am__append_135) \
+	$(am__append_137) $(am__append_139) $(am__append_141) \
+	$(am__append_143) $(am__append_145) $(am__append_147)
 am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	attributes/attributes.h attributes/attribute_provider.h \
 	attributes/attribute_handler.h attributes/attribute_manager.c \
 	attributes/attribute_manager.h attributes/mem_pool.c \
 	attributes/mem_pool.h bus/bus.c bus/bus.h \
 	bus/listeners/listener.h bus/listeners/logger.h \
-	bus/listeners/file_logger.c bus/listeners/file_logger.h \
-	config/backend_manager.c config/backend_manager.h \
-	config/backend.h config/child_cfg.c config/child_cfg.h \
-	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
-	config/peer_cfg.h config/proposal.c config/proposal.h \
-	control/controller.c control/controller.h daemon.c daemon.h \
-	encoding/generator.c encoding/generator.h encoding/message.c \
-	encoding/message.h encoding/parser.c encoding/parser.h \
-	encoding/payloads/auth_payload.c \
+	bus/listeners/custom_logger.h bus/listeners/file_logger.c \
+	bus/listeners/file_logger.h config/backend_manager.c \
+	config/backend_manager.h config/backend.h config/child_cfg.c \
+	config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
+	config/peer_cfg.c config/peer_cfg.h config/proposal.c \
+	config/proposal.h control/controller.c control/controller.h \
+	daemon.c daemon.h encoding/generator.c encoding/generator.h \
+	encoding/message.c encoding/message.h encoding/parser.c \
+	encoding/parser.h encoding/payloads/auth_payload.c \
 	encoding/payloads/auth_payload.h \
 	encoding/payloads/cert_payload.c \
 	encoding/payloads/cert_payload.h \
@@ -407,7 +417,10 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	encoding/payloads/hash_payload.c \
 	encoding/payloads/hash_payload.h \
 	encoding/payloads/fragment_payload.c \
-	encoding/payloads/fragment_payload.h kernel/kernel_handler.c \
+	encoding/payloads/fragment_payload.h kernel/kernel_interface.c \
+	kernel/kernel_interface.h kernel/kernel_ipsec.c \
+	kernel/kernel_ipsec.h kernel/kernel_net.c kernel/kernel_net.h \
+	kernel/kernel_listener.h kernel/kernel_handler.c \
 	kernel/kernel_handler.h network/receiver.c network/receiver.h \
 	network/sender.c network/sender.h network/socket.c \
 	network/socket.h network/socket_manager.c \
@@ -420,6 +433,7 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
 	processing/jobs/process_message_job.c \
 	processing/jobs/process_message_job.h \
+	processing/jobs/redirect_job.c processing/jobs/redirect_job.h \
 	processing/jobs/rekey_child_sa_job.c \
 	processing/jobs/rekey_child_sa_job.h \
 	processing/jobs/rekey_ike_sa_job.c \
@@ -449,7 +463,8 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	sa/ike_sa_manager.h sa/child_sa_manager.c \
 	sa/child_sa_manager.h sa/task_manager.h sa/task_manager.c \
 	sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \
-	sa/trap_manager.h sa/task.c sa/task.h sa/ikev2/keymat_v2.c \
+	sa/trap_manager.h sa/redirect_provider.h sa/redirect_manager.c \
+	sa/redirect_manager.h sa/task.c sa/task.h sa/ikev2/keymat_v2.c \
 	sa/ikev2/keymat_v2.h sa/ikev2/task_manager_v2.c \
 	sa/ikev2/task_manager_v2.h \
 	sa/ikev2/authenticators/eap_authenticator.c \
@@ -474,9 +489,12 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
 	sa/ikev2/tasks/ike_reauth_complete.c \
 	sa/ikev2/tasks/ike_reauth_complete.h \
+	sa/ikev2/tasks/ike_redirect.c sa/ikev2/tasks/ike_redirect.h \
 	sa/ikev2/tasks/ike_auth_lifetime.c \
 	sa/ikev2/tasks/ike_auth_lifetime.h sa/ikev2/tasks/ike_vendor.c \
-	sa/ikev2/tasks/ike_vendor.h sa/ikev1/keymat_v1.c \
+	sa/ikev2/tasks/ike_vendor.h \
+	sa/ikev2/tasks/ike_verify_peer_cert.c \
+	sa/ikev2/tasks/ike_verify_peer_cert.h sa/ikev1/keymat_v1.c \
 	sa/ikev1/keymat_v1.h sa/ikev1/task_manager_v1.c \
 	sa/ikev1/task_manager_v1.h \
 	sa/ikev1/authenticators/psk_v1_authenticator.c \
@@ -535,8 +553,10 @@ am__dirstamp = $(am__leading_dot)dirstamp
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_rekey.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_reauth.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_reauth_complete.lo \
+@USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_redirect.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_auth_lifetime.lo \
-@USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_vendor.lo
+@USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_vendor.lo \
+@USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_verify_peer_cert.lo
 @USE_IKEV1_TRUE@am__objects_2 = sa/ikev1/keymat_v1.lo \
 @USE_IKEV1_TRUE@	sa/ikev1/task_manager_v1.lo \
 @USE_IKEV1_TRUE@	sa/ikev1/authenticators/psk_v1_authenticator.lo \
@@ -595,13 +615,16 @@ am_libcharon_la_OBJECTS = attributes/attributes.lo \
 	encoding/payloads/unknown_payload.lo \
 	encoding/payloads/vendor_id_payload.lo \
 	encoding/payloads/hash_payload.lo \
-	encoding/payloads/fragment_payload.lo kernel/kernel_handler.lo \
+	encoding/payloads/fragment_payload.lo \
+	kernel/kernel_interface.lo kernel/kernel_ipsec.lo \
+	kernel/kernel_net.lo kernel/kernel_handler.lo \
 	network/receiver.lo network/sender.lo network/socket.lo \
 	network/socket_manager.lo processing/jobs/acquire_job.lo \
 	processing/jobs/delete_child_sa_job.lo \
 	processing/jobs/delete_ike_sa_job.lo \
 	processing/jobs/migrate_job.lo \
 	processing/jobs/process_message_job.lo \
+	processing/jobs/redirect_job.lo \
 	processing/jobs/rekey_child_sa_job.lo \
 	processing/jobs/rekey_ike_sa_job.lo \
 	processing/jobs/retransmit_job.lo \
@@ -616,8 +639,9 @@ am_libcharon_la_OBJECTS = attributes/attributes.lo \
 	sa/xauth/xauth_manager.lo sa/authenticator.lo sa/child_sa.lo \
 	sa/ike_sa.lo sa/ike_sa_id.lo sa/keymat.lo sa/ike_sa_manager.lo \
 	sa/child_sa_manager.lo sa/task_manager.lo sa/shunt_manager.lo \
-	sa/trap_manager.lo sa/task.lo $(am__objects_1) \
-	$(am__objects_2) $(am__objects_3) $(am__objects_4)
+	sa/trap_manager.lo sa/redirect_manager.lo sa/task.lo \
+	$(am__objects_1) $(am__objects_2) $(am__objects_3) \
+	$(am__objects_4)
 libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -712,12 +736,14 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/eap_tls plugins/eap_ttls plugins/eap_peap \
 	plugins/eap_tnc plugins/tnc_ifmap plugins/tnc_pdp \
 	plugins/medsrv plugins/medcli plugins/dhcp plugins/osx_attr \
-	plugins/android_dns plugins/android_log plugins/maemo \
-	plugins/ha plugins/kernel_libipsec plugins/kernel_wfp \
-	plugins/kernel_iph plugins/whitelist plugins/lookip \
-	plugins/error_notify plugins/certexpire plugins/systime_fix \
-	plugins/led plugins/duplicheck plugins/coupling \
-	plugins/radattr plugins/uci plugins/addrblock plugins/unity \
+	plugins/p_cscf plugins/android_dns plugins/android_log \
+	plugins/maemo plugins/ha plugins/kernel_pfkey \
+	plugins/kernel_pfroute plugins/kernel_netlink \
+	plugins/kernel_libipsec plugins/kernel_wfp plugins/kernel_iph \
+	plugins/whitelist plugins/lookip plugins/error_notify \
+	plugins/certexpire plugins/systime_fix plugins/led \
+	plugins/duplicheck plugins/coupling plugins/radattr \
+	plugins/uci plugins/addrblock plugins/unity \
 	plugins/xauth_generic plugins/xauth_eap plugins/xauth_pam \
 	plugins/xauth_noauth plugins/resolve plugins/attr \
 	plugins/attr_sql tests
@@ -959,6 +985,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -978,15 +1006,15 @@ libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \
 	attributes/attribute_manager.c attributes/attribute_manager.h \
 	attributes/mem_pool.c attributes/mem_pool.h bus/bus.c \
 	bus/bus.h bus/listeners/listener.h bus/listeners/logger.h \
-	bus/listeners/file_logger.c bus/listeners/file_logger.h \
-	config/backend_manager.c config/backend_manager.h \
-	config/backend.h config/child_cfg.c config/child_cfg.h \
-	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
-	config/peer_cfg.h config/proposal.c config/proposal.h \
-	control/controller.c control/controller.h daemon.c daemon.h \
-	encoding/generator.c encoding/generator.h encoding/message.c \
-	encoding/message.h encoding/parser.c encoding/parser.h \
-	encoding/payloads/auth_payload.c \
+	bus/listeners/custom_logger.h bus/listeners/file_logger.c \
+	bus/listeners/file_logger.h config/backend_manager.c \
+	config/backend_manager.h config/backend.h config/child_cfg.c \
+	config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
+	config/peer_cfg.c config/peer_cfg.h config/proposal.c \
+	config/proposal.h control/controller.c control/controller.h \
+	daemon.c daemon.h encoding/generator.c encoding/generator.h \
+	encoding/message.c encoding/message.h encoding/parser.c \
+	encoding/parser.h encoding/payloads/auth_payload.c \
 	encoding/payloads/auth_payload.h \
 	encoding/payloads/cert_payload.c \
 	encoding/payloads/cert_payload.h \
@@ -1028,7 +1056,10 @@ libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \
 	encoding/payloads/hash_payload.c \
 	encoding/payloads/hash_payload.h \
 	encoding/payloads/fragment_payload.c \
-	encoding/payloads/fragment_payload.h kernel/kernel_handler.c \
+	encoding/payloads/fragment_payload.h kernel/kernel_interface.c \
+	kernel/kernel_interface.h kernel/kernel_ipsec.c \
+	kernel/kernel_ipsec.h kernel/kernel_net.c kernel/kernel_net.h \
+	kernel/kernel_listener.h kernel/kernel_handler.c \
 	kernel/kernel_handler.h network/receiver.c network/receiver.h \
 	network/sender.c network/sender.h network/socket.c \
 	network/socket.h network/socket_manager.c \
@@ -1041,6 +1072,7 @@ libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \
 	processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
 	processing/jobs/process_message_job.c \
 	processing/jobs/process_message_job.h \
+	processing/jobs/redirect_job.c processing/jobs/redirect_job.h \
 	processing/jobs/rekey_child_sa_job.c \
 	processing/jobs/rekey_child_sa_job.h \
 	processing/jobs/rekey_ike_sa_job.c \
@@ -1070,12 +1102,12 @@ libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \
 	sa/ike_sa_manager.h sa/child_sa_manager.c \
 	sa/child_sa_manager.h sa/task_manager.h sa/task_manager.c \
 	sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \
-	sa/trap_manager.h sa/task.c sa/task.h $(am__append_1) \
+	sa/trap_manager.h sa/redirect_provider.h sa/redirect_manager.c \
+	sa/redirect_manager.h sa/task.c sa/task.h $(am__append_1) \
 	$(am__append_2) $(am__append_3) $(am__append_5)
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\"
@@ -1084,32 +1116,33 @@ AM_LDFLAGS = \
   -no-undefined
 
 libcharon_la_LIBADD =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la -lm $(PTHREADLIB) \
-	$(DLLIB) $(SOCKLIB) $(am__append_4) $(am__append_7) \
-	$(am__append_9) $(am__append_11) $(am__append_13) \
-	$(am__append_15) $(am__append_17) $(am__append_19) \
-	$(am__append_21) $(am__append_23) $(am__append_25) \
-	$(am__append_27) $(am__append_29) $(am__append_31) \
-	$(am__append_33) $(am__append_35) $(am__append_37) \
-	$(am__append_39) $(am__append_41) $(am__append_43) \
-	$(am__append_45) $(am__append_47) $(am__append_49) \
-	$(am__append_51) $(am__append_53) $(am__append_54) \
-	$(am__append_56) $(am__append_58) $(am__append_60) \
-	$(am__append_62) $(am__append_64) $(am__append_66) \
-	$(am__append_68) $(am__append_70) $(am__append_72) \
-	$(am__append_73) $(am__append_74) $(am__append_76) \
-	$(am__append_78) $(am__append_79) $(am__append_81) \
-	$(am__append_83) $(am__append_85) $(am__append_87) \
-	$(am__append_89) $(am__append_91) $(am__append_93) \
-	$(am__append_95) $(am__append_97) $(am__append_99) \
-	$(am__append_101) $(am__append_103) $(am__append_105) \
-	$(am__append_107) $(am__append_109) $(am__append_111) \
-	$(am__append_113) $(am__append_115) $(am__append_117) \
-	$(am__append_119) $(am__append_121) $(am__append_123) \
-	$(am__append_125) $(am__append_127) $(am__append_129) \
-	$(am__append_131) $(am__append_133) $(am__append_135) \
-	$(am__append_137) $(am__append_139)
+	$(top_builddir)/src/libstrongswan/libstrongswan.la -lm \
+	$(PTHREADLIB) $(DLLIB) $(SOCKLIB) $(am__append_4) \
+	$(am__append_7) $(am__append_9) $(am__append_11) \
+	$(am__append_13) $(am__append_15) $(am__append_17) \
+	$(am__append_19) $(am__append_21) $(am__append_23) \
+	$(am__append_25) $(am__append_27) $(am__append_29) \
+	$(am__append_31) $(am__append_33) $(am__append_35) \
+	$(am__append_37) $(am__append_39) $(am__append_41) \
+	$(am__append_43) $(am__append_45) $(am__append_47) \
+	$(am__append_49) $(am__append_51) $(am__append_53) \
+	$(am__append_54) $(am__append_56) $(am__append_58) \
+	$(am__append_60) $(am__append_62) $(am__append_64) \
+	$(am__append_66) $(am__append_68) $(am__append_70) \
+	$(am__append_72) $(am__append_73) $(am__append_74) \
+	$(am__append_76) $(am__append_78) $(am__append_79) \
+	$(am__append_81) $(am__append_83) $(am__append_85) \
+	$(am__append_87) $(am__append_89) $(am__append_91) \
+	$(am__append_93) $(am__append_95) $(am__append_97) \
+	$(am__append_99) $(am__append_101) $(am__append_103) \
+	$(am__append_105) $(am__append_107) $(am__append_109) \
+	$(am__append_111) $(am__append_113) $(am__append_115) \
+	$(am__append_117) $(am__append_119) $(am__append_121) \
+	$(am__append_123) $(am__append_125) $(am__append_127) \
+	$(am__append_129) $(am__append_131) $(am__append_133) \
+	$(am__append_135) $(am__append_137) $(am__append_139) \
+	$(am__append_141) $(am__append_143) $(am__append_145) \
+	$(am__append_147)
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_6) $(am__append_8) \
 @MONOLITHIC_FALSE@	$(am__append_10) $(am__append_12) \
@@ -1143,7 +1176,9 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_126) $(am__append_128) \
 @MONOLITHIC_FALSE@	$(am__append_130) $(am__append_132) \
 @MONOLITHIC_FALSE@	$(am__append_134) $(am__append_136) \
-@MONOLITHIC_FALSE@	$(am__append_138) tests
+@MONOLITHIC_FALSE@	$(am__append_138) $(am__append_140) \
+@MONOLITHIC_FALSE@	$(am__append_142) $(am__append_144) \
+@MONOLITHIC_FALSE@	$(am__append_146) tests
 
 # build optional plugins
 ########################
@@ -1179,7 +1214,9 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_126) $(am__append_128) \
 @MONOLITHIC_TRUE@	$(am__append_130) $(am__append_132) \
 @MONOLITHIC_TRUE@	$(am__append_134) $(am__append_136) \
-@MONOLITHIC_TRUE@	$(am__append_138) . tests
+@MONOLITHIC_TRUE@	$(am__append_138) $(am__append_140) \
+@MONOLITHIC_TRUE@	$(am__append_142) $(am__append_144) \
+@MONOLITHIC_TRUE@	$(am__append_146) . tests
 all: all-recursive
 
 .SUFFIXES:
@@ -1386,6 +1423,12 @@ kernel/$(am__dirstamp):
 kernel/$(DEPDIR)/$(am__dirstamp):
 	@$(MKDIR_P) kernel/$(DEPDIR)
 	@: > kernel/$(DEPDIR)/$(am__dirstamp)
+kernel/kernel_interface.lo: kernel/$(am__dirstamp) \
+	kernel/$(DEPDIR)/$(am__dirstamp)
+kernel/kernel_ipsec.lo: kernel/$(am__dirstamp) \
+	kernel/$(DEPDIR)/$(am__dirstamp)
+kernel/kernel_net.lo: kernel/$(am__dirstamp) \
+	kernel/$(DEPDIR)/$(am__dirstamp)
 kernel/kernel_handler.lo: kernel/$(am__dirstamp) \
 	kernel/$(DEPDIR)/$(am__dirstamp)
 network/$(am__dirstamp):
@@ -1420,6 +1463,8 @@ processing/jobs/migrate_job.lo: processing/jobs/$(am__dirstamp) \
 processing/jobs/process_message_job.lo:  \
 	processing/jobs/$(am__dirstamp) \
 	processing/jobs/$(DEPDIR)/$(am__dirstamp)
+processing/jobs/redirect_job.lo: processing/jobs/$(am__dirstamp) \
+	processing/jobs/$(DEPDIR)/$(am__dirstamp)
 processing/jobs/rekey_child_sa_job.lo:  \
 	processing/jobs/$(am__dirstamp) \
 	processing/jobs/$(DEPDIR)/$(am__dirstamp)
@@ -1483,6 +1528,8 @@ sa/child_sa_manager.lo: sa/$(am__dirstamp) \
 sa/task_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
 sa/shunt_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
 sa/trap_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
+sa/redirect_manager.lo: sa/$(am__dirstamp) \
+	sa/$(DEPDIR)/$(am__dirstamp)
 sa/task.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/$(am__dirstamp):
 	@$(MKDIR_P) sa/ikev2
@@ -1545,10 +1592,15 @@ sa/ikev2/tasks/ike_reauth.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_reauth_complete.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
+sa/ikev2/tasks/ike_redirect.lo: sa/ikev2/tasks/$(am__dirstamp) \
+	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_auth_lifetime.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_vendor.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
+sa/ikev2/tasks/ike_verify_peer_cert.lo:  \
+	sa/ikev2/tasks/$(am__dirstamp) \
+	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev1/$(am__dirstamp):
 	@$(MKDIR_P) sa/ikev1
 	@: > sa/ikev1/$(am__dirstamp)
@@ -1720,6 +1772,9 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@encoding/payloads/$(DEPDIR)/unknown_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@encoding/payloads/$(DEPDIR)/vendor_id_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_interface.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_net.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@network/$(DEPDIR)/receiver.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@network/$(DEPDIR)/sender.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@network/$(DEPDIR)/socket.Plo@am__quote@
@@ -1735,6 +1790,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/mediation_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/migrate_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/process_message_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/redirect_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/rekey_child_sa_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/rekey_ike_sa_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/retransmit_job.Plo@am__quote@
@@ -1751,6 +1807,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/ike_sa_id.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/ike_sa_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/keymat.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/redirect_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/shunt_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/task.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/task_manager.Plo@am__quote@
@@ -1799,8 +1856,10 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_natd.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_reauth.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_reauth_complete.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_redirect.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_rekey.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_vendor.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_verify_peer_cert.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/xauth/$(DEPDIR)/xauth_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/xauth/$(DEPDIR)/xauth_method.Plo@am__quote@
 
diff --git a/src/libcharon/attributes/attributes.c b/src/libcharon/attributes/attributes.c
index 9fabcf4e4..0f28d55fa 100644
--- a/src/libcharon/attributes/attributes.c
+++ b/src/libcharon/attributes/attributes.c
@@ -17,7 +17,7 @@
 
 #include "attributes.h"
 
-ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, HOME_AGENT_ADDRESS,
+ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, P_CSCF_IP6_ADDRESS,
 	"INTERNAL_IP4_ADDRESS",
 	"INTERNAL_IP4_NETMASK",
 	"INTERNAL_IP4_DNS",
@@ -36,8 +36,10 @@ ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, HOME_AGENT_
 	"MIP6_HOME_PREFIX",
 	"INTERNAL_IP6_LINK",
 	"INTERNAL_IP6_PREFIX",
-	"HOME_AGENT_ADDRESS");
-ENUM_NEXT(configuration_attribute_type_names, XAUTH_TYPE, XAUTH_ANSWER, HOME_AGENT_ADDRESS,
+	"HOME_AGENT_ADDRESS",
+	"P_CSCF_IP4_ADDRESS",
+	"P_CSCF_IP6_ADDRESS");
+ENUM_NEXT(configuration_attribute_type_names, XAUTH_TYPE, XAUTH_ANSWER, P_CSCF_IP6_ADDRESS,
 	"XAUTH_TYPE",
 	"XAUTH_USER_NAME",
 	"XAUTH_USER_PASSWORD",
@@ -65,7 +67,7 @@ ENUM_NEXT(configuration_attribute_type_names, UNITY_BANNER, UNITY_DDNS_HOSTNAME,
 	"UNITY_DDNS_HOSTNAME");
 ENUM_END(configuration_attribute_type_names, UNITY_DDNS_HOSTNAME);
 
-ENUM_BEGIN(configuration_attribute_type_short_names, INTERNAL_IP4_ADDRESS, HOME_AGENT_ADDRESS,
+ENUM_BEGIN(configuration_attribute_type_short_names, INTERNAL_IP4_ADDRESS, P_CSCF_IP6_ADDRESS,
 	"ADDR",
 	"MASK",
 	"DNS",
@@ -84,8 +86,10 @@ ENUM_BEGIN(configuration_attribute_type_short_names, INTERNAL_IP4_ADDRESS, HOME_
 	"MIP6HPFX",
 	"LINK6",
 	"PFX6",
-	"HOA");
-ENUM_NEXT(configuration_attribute_type_short_names, XAUTH_TYPE, XAUTH_ANSWER, HOME_AGENT_ADDRESS,
+	"HOA",
+	"PCSCF4",
+	"PCSCF6");
+ENUM_NEXT(configuration_attribute_type_short_names, XAUTH_TYPE, XAUTH_ANSWER, P_CSCF_IP6_ADDRESS,
 	"X_TYPE",
 	"X_USER",
 	"X_PWD",
diff --git a/src/libcharon/attributes/attributes.h b/src/libcharon/attributes/attributes.h
index 5d1e9f9ba..dd1db4fc3 100644
--- a/src/libcharon/attributes/attributes.h
+++ b/src/libcharon/attributes/attributes.h
@@ -49,6 +49,9 @@ enum configuration_attribute_type_t {
 	INTERNAL_IP6_LINK       = 17,
 	INTERNAL_IP6_PREFIX     = 18,
 	HOME_AGENT_ADDRESS		= 19,
+	/* RFC 7651 */
+	P_CSCF_IP4_ADDRESS		= 20,
+	P_CSCF_IP6_ADDRESS		= 21,
 	/* XAUTH attributes */
 	XAUTH_TYPE              = 16520,
 	XAUTH_USER_NAME         = 16521,
diff --git a/src/libcharon/attributes/mem_pool.c b/src/libcharon/attributes/mem_pool.c
index 279668249..833c3e950 100644
--- a/src/libcharon/attributes/mem_pool.c
+++ b/src/libcharon/attributes/mem_pool.c
@@ -17,7 +17,6 @@
 #include "mem_pool.h"
 
 #include <library.h>
-#include <hydra.h>
 #include <utils/debug.h>
 #include <collections/hashtable.h>
 #include <collections/array.h>
diff --git a/src/libcharon/bus/listeners/custom_logger.h b/src/libcharon/bus/listeners/custom_logger.h
new file mode 100644
index 000000000..a256ad1ec
--- /dev/null
+++ b/src/libcharon/bus/listeners/custom_logger.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2016 secunet Security Networks AG
+ * Copyright (C) 2016 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup custom_logger custom_logger
+ * @{ @ingroup listeners
+ */
+
+#ifndef CUSTOM_LOGGER_H_
+#define CUSTOM_LOGGER_H_
+
+#include <bus/listeners/logger.h>
+
+typedef struct custom_logger_t custom_logger_t;
+
+/**
+ * Custom logger which implements listener_t.
+ */
+struct custom_logger_t {
+
+	/**
+	 * Implements the logger_t interface.
+	 */
+	logger_t logger;
+
+	/**
+	 * Set the loglevel for a debug group.
+	 *
+	 * @param group		debug group to set
+	 * @param level		max level to log (0..4)
+	 */
+	void (*set_level) (custom_logger_t *this, debug_t group, level_t level);
+
+	/**
+	 * Destroy the custom_logger_t object.
+	 */
+	void (*destroy) (custom_logger_t *this);
+};
+
+/**
+ * Prototype for custom logger construction function pointer.
+ */
+typedef custom_logger_t *(*custom_logger_constructor_t)(const char *name);
+
+#endif /** CUSTOM_LOGGER_H_ @}*/
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index ed7c0d406..3d3c7419b 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -531,6 +531,57 @@ METHOD(child_cfg_t, install_policy, bool,
 	return this->install_policy;
 }
 
+#define LT_PART_EQUALS(a, b) ({ a.life == b.life && a.rekey == b.rekey && a.jitter == b.jitter; })
+#define LIFETIME_EQUALS(a, b) ({  LT_PART_EQUALS(a.time, b.time) && LT_PART_EQUALS(a.bytes, b.bytes) && LT_PART_EQUALS(a.packets, b.packets); })
+
+METHOD(child_cfg_t, equals, bool,
+	private_child_cfg_t *this, child_cfg_t *other_pub)
+{
+	private_child_cfg_t *other = (private_child_cfg_t*)other_pub;
+
+	if (this == other)
+	{
+		return TRUE;
+	}
+	if (this->public.equals != other->public.equals)
+	{
+		return FALSE;
+	}
+	if (!this->proposals->equals_offset(this->proposals, other->proposals,
+										offsetof(proposal_t, equals)))
+	{
+		return FALSE;
+	}
+	if (!this->my_ts->equals_offset(this->my_ts, other->my_ts,
+									offsetof(traffic_selector_t, equals)))
+	{
+		return FALSE;
+	}
+	if (!this->other_ts->equals_offset(this->other_ts, other->other_ts,
+									   offsetof(traffic_selector_t, equals)))
+	{
+		return FALSE;
+	}
+	return this->hostaccess == other->hostaccess &&
+		this->mode == other->mode &&
+		this->start_action == other->start_action &&
+		this->dpd_action == other->dpd_action &&
+		this->close_action == other->close_action &&
+		LIFETIME_EQUALS(this->lifetime, other->lifetime) &&
+		this->use_ipcomp == other->use_ipcomp &&
+		this->inactivity == other->inactivity &&
+		this->reqid == other->reqid &&
+		this->mark_in.value == other->mark_in.value &&
+		this->mark_in.mask == other->mark_in.mask &&
+		this->mark_out.value == other->mark_out.value &&
+		this->mark_out.mask == other->mark_out.mask &&
+		this->tfc == other->tfc &&
+		this->replay_window == other->replay_window &&
+		this->proxy_mode == other->proxy_mode &&
+		this->install_policy == other->install_policy &&
+		streq(this->updown, other->updown);
+}
+
 METHOD(child_cfg_t, get_ref, child_cfg_t*,
 	private_child_cfg_t *this)
 {
@@ -593,6 +644,7 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 			.set_replay_window = _set_replay_window,
 			.use_proxy_mode = _use_proxy_mode,
 			.install_policy = _install_policy,
+			.equals = _equals,
 			.get_ref = _get_ref,
 			.destroy = _destroy,
 		},
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index 9f7a92b70..22641f77e 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -274,6 +274,14 @@ struct child_cfg_t {
 	bool (*install_policy)(child_cfg_t *this);
 
 	/**
+	 * Check if two child_cfg objects are equal.
+	 *
+	 * @param other			candidate to check for equality against this
+	 * @return				TRUE if equal
+	 */
+	bool (*equals)(child_cfg_t *this, child_cfg_t *other);
+
+	/**
 	 * Increase the reference count.
 	 *
 	 * @return				reference to this
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index dee9e4c29..a720e1493 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -371,9 +371,6 @@ METHOD(ike_cfg_t, equals, bool,
 	private_ike_cfg_t *this, ike_cfg_t *other_public)
 {
 	private_ike_cfg_t *other = (private_ike_cfg_t*)other_public;
-	enumerator_t *e1, *e2;
-	proposal_t *p1, *p2;
-	bool eq = TRUE;
 
 	if (this == other)
 	{
@@ -383,25 +380,12 @@ METHOD(ike_cfg_t, equals, bool,
 	{
 		return FALSE;
 	}
-	if (this->proposals->get_count(this->proposals) !=
-		other->proposals->get_count(other->proposals))
+	if (!this->proposals->equals_offset(this->proposals, other->proposals,
+										offsetof(proposal_t, equals)))
 	{
 		return FALSE;
 	}
-	e1 = this->proposals->create_enumerator(this->proposals);
-	e2 = other->proposals->create_enumerator(other->proposals);
-	while (e1->enumerate(e1, &p1) && e2->enumerate(e2, &p2))
-	{
-		if (!p1->equals(p1, p2))
-		{
-			eq = FALSE;
-			break;
-		}
-	}
-	e1->destroy(e1);
-	e2->destroy(e2);
-
-	return (eq &&
+	return
 		this->version == other->version &&
 		this->certreq == other->certreq &&
 		this->force_encap == other->force_encap &&
@@ -409,7 +393,7 @@ METHOD(ike_cfg_t, equals, bool,
 		streq(this->me, other->me) &&
 		streq(this->other, other->other) &&
 		this->my_port == other->my_port &&
-		this->other_port == other->other_port);
+		this->other_port == other->other_port;
 }
 
 METHOD(ike_cfg_t, get_ref, ike_cfg_t*,
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index aa2a39ce5..d28a79507 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2008 Tobias Brunner
+ * Copyright (C) 2007-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -200,6 +200,117 @@ METHOD(peer_cfg_t, add_child_cfg, void,
 	this->mutex->unlock(this->mutex);
 }
 
+typedef struct {
+	enumerator_t public;
+	linked_list_t *removed;
+	linked_list_t *added;
+	enumerator_t *wrapped;
+	bool add;
+} child_cfgs_replace_enumerator_t;
+
+METHOD(enumerator_t, child_cfgs_replace_enumerate, bool,
+	child_cfgs_replace_enumerator_t *this, child_cfg_t **chd, bool *added)
+{
+	child_cfg_t *child_cfg;
+
+	if (!this->wrapped)
+	{
+		this->wrapped = this->removed->create_enumerator(this->removed);
+	}
+	while (TRUE)
+	{
+		if (this->wrapped->enumerate(this->wrapped, &child_cfg))
+		{
+			if (chd)
+			{
+				*chd = child_cfg;
+			}
+			if (added)
+			{
+				*added = this->add;
+			}
+			return TRUE;
+		}
+		if (this->add)
+		{
+			break;
+		}
+		this->wrapped = this->added->create_enumerator(this->added);
+		this->add = TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, child_cfgs_replace_enumerator_destroy, void,
+	child_cfgs_replace_enumerator_t *this)
+{
+	DESTROY_IF(this->wrapped);
+	this->removed->destroy_offset(this->removed, offsetof(child_cfg_t, destroy));
+	this->added->destroy_offset(this->added, offsetof(child_cfg_t, destroy));
+	free(this);
+}
+
+METHOD(peer_cfg_t, replace_child_cfgs, enumerator_t*,
+	private_peer_cfg_t *this, peer_cfg_t *other_pub)
+{
+	private_peer_cfg_t *other = (private_peer_cfg_t*)other_pub;
+	linked_list_t *removed, *added;
+	enumerator_t *mine, *others;
+	child_cfg_t *my_cfg, *other_cfg;
+	child_cfgs_replace_enumerator_t *enumerator;
+	bool found;
+
+	removed = linked_list_create();
+
+	other->mutex->lock(other->mutex);
+	added = linked_list_create_from_enumerator(
+					other->child_cfgs->create_enumerator(other->child_cfgs));
+	added->invoke_offset(added, offsetof(child_cfg_t, get_ref));
+	other->mutex->unlock(other->mutex);
+
+	this->mutex->lock(this->mutex);
+	others = added->create_enumerator(added);
+	mine = this->child_cfgs->create_enumerator(this->child_cfgs);
+	while (mine->enumerate(mine, &my_cfg))
+	{
+		found = FALSE;
+		while (others->enumerate(others, &other_cfg))
+		{
+			if (my_cfg->equals(my_cfg, other_cfg))
+			{
+				added->remove_at(added, others);
+				other_cfg->destroy(other_cfg);
+				found = TRUE;
+				break;
+			}
+		}
+		added->reset_enumerator(added, others);
+		if (!found)
+		{
+			this->child_cfgs->remove_at(this->child_cfgs, mine);
+			removed->insert_last(removed, my_cfg);
+		}
+	}
+	while (others->enumerate(others, &other_cfg))
+	{
+		this->child_cfgs->insert_last(this->child_cfgs,
+									  other_cfg->get_ref(other_cfg));
+	}
+	others->destroy(others);
+	mine->destroy(mine);
+	this->mutex->unlock(this->mutex);
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_child_cfgs_replace_enumerate,
+			.destroy = (void*)_child_cfgs_replace_enumerator_destroy,
+		},
+		.removed = removed,
+		.added = added,
+	);
+	return &enumerator->public;
+}
+
 /**
  * child_cfg enumerator
  */
@@ -538,10 +649,6 @@ static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
 METHOD(peer_cfg_t, equals, bool,
 	private_peer_cfg_t *this, private_peer_cfg_t *other)
 {
-	enumerator_t *e1, *e2;
-	host_t *vip1, *vip2;
-	char *pool1, *pool2;
-
 	if (this == other)
 	{
 		return TRUE;
@@ -550,44 +657,15 @@ METHOD(peer_cfg_t, equals, bool,
 	{
 		return FALSE;
 	}
-
-	if (this->vips->get_count(this->vips) != other->vips->get_count(other->vips))
+	if (!this->vips->equals_offset(this->vips, other->vips,
+								   offsetof(host_t, ip_equals)))
 	{
 		return FALSE;
 	}
-	e1 = create_virtual_ip_enumerator(this);
-	e2 = create_virtual_ip_enumerator(other);
-	if (e1->enumerate(e1, &vip1) && e2->enumerate(e2, &vip2))
-	{
-		if (!vip1->ip_equals(vip1, vip2))
-		{
-			e1->destroy(e1);
-			e2->destroy(e2);
-			return FALSE;
-		}
-	}
-	e1->destroy(e1);
-	e2->destroy(e2);
-
-	if (this->pools->get_count(this->pools) !=
-		other->pools->get_count(other->pools))
+	if (!this->pools->equals_function(this->pools, other->pools, (void*)streq))
 	{
 		return FALSE;
 	}
-	e1 = create_pool_enumerator(this);
-	e2 = create_pool_enumerator(other);
-	if (e1->enumerate(e1, &pool1) && e2->enumerate(e2, &pool2))
-	{
-		if (!streq(pool1, pool2))
-		{
-			e1->destroy(e1);
-			e2->destroy(e2);
-			return FALSE;
-		}
-	}
-	e1->destroy(e1);
-	e2->destroy(e2);
-
 	return (
 		get_ike_version(this) == get_ike_version(other) &&
 		this->cert_policy == other->cert_policy &&
@@ -666,6 +744,10 @@ peer_cfg_t *peer_cfg_create(char *name,
 	{
 		jitter_time = reauth_time;
 	}
+	if (dpd && dpd_timeout && dpd > dpd_timeout)
+	{
+		dpd_timeout = dpd;
+	}
 
 	INIT(this,
 		.public = {
@@ -674,6 +756,7 @@ peer_cfg_t *peer_cfg_create(char *name,
 			.get_ike_cfg = _get_ike_cfg,
 			.add_child_cfg = _add_child_cfg,
 			.remove_child_cfg = (void*)_remove_child_cfg,
+			.replace_child_cfgs = _replace_child_cfgs,
 			.create_child_cfg_enumerator = _create_child_cfg_enumerator,
 			.select_child_cfg = _select_child_cfg,
 			.get_cert_policy = _get_cert_policy,
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index 3e780394a..b612a2ef1 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2008 Tobias Brunner
+ * Copyright (C) 2007-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -154,6 +154,20 @@ struct peer_cfg_t {
 	void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);
 
 	/**
+	 * Replace the CHILD configs with those in the given PEER config.
+	 *
+	 * Configs that are equal are not replaced.
+	 *
+	 * The enumerator enumerates the removed and added CHILD configs
+	 * (child_cfg_t*, bool), where the flag is FALSE for removed configs and
+	 * TRUE for added configs.
+	 *
+	 * @param other			other config to get CHILD configs from
+	 * @return				an enumerator over removed/added CHILD configs
+	 */
+	enumerator_t* (*replace_child_cfgs)(peer_cfg_t *this, peer_cfg_t *other);
+
+	/**
 	 * Create an enumerator for all attached CHILD configs.
 	 *
 	 * @return				an enumerator over all CHILD configs.
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index e59dcd9ec..95b6a00ea 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2008-2014 Tobias Brunner
  * Copyright (C) 2006-2010 Martin Willi
+ * Copyright (C) 2013-2015 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -640,20 +641,41 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 
 	if (aead)
 	{
+		/* Round 1 adds algorithms with at least 128 bit security strength */
 		enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
 		while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
 		{
 			switch (encryption)
 			{
-				case ENCR_AES_CCM_ICV8:
-				case ENCR_AES_CCM_ICV12:
+				case ENCR_AES_GCM_ICV16:
 				case ENCR_AES_CCM_ICV16:
-				case ENCR_AES_GCM_ICV8:
+				case ENCR_CAMELLIA_CCM_ICV16:
+					/* we assume that we support all AES/Camellia sizes */
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+					break;
+				case ENCR_CHACHA20_POLY1305:
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+					break;
+				default:
+					break;
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		/* Round 2 adds algorithms with less than 128 bit security strength */
+		enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
+		while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+		{
+			switch (encryption)
+			{
 				case ENCR_AES_GCM_ICV12:
-				case ENCR_AES_GCM_ICV16:
-				case ENCR_CAMELLIA_CCM_ICV8:
+				case ENCR_AES_GCM_ICV8:
+				case ENCR_AES_CCM_ICV12:
+				case ENCR_AES_CCM_ICV8:
 				case ENCR_CAMELLIA_CCM_ICV12:
-				case ENCR_CAMELLIA_CCM_ICV16:
+				case ENCR_CAMELLIA_CCM_ICV8:
 					/* we assume that we support all AES/Camellia sizes */
 					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
 					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
@@ -672,6 +694,7 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 	}
 	else
 	{
+		/* Round 1 adds algorithms with at least 128 bit security strength */
 		enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
 		while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
 		{
@@ -686,6 +709,18 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
 					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
 					break;
+				default:
+					break;
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		/* Round 2 adds algorithms with less than 128 bit security strength */
+		enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+		while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+		{
+			switch (encryption)
+			{
 				case ENCR_3DES:
 					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
 					break;
@@ -703,18 +738,33 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 			return FALSE;
 		}
 
+		/* Round 1 adds algorithms with at least 128 bit security strength */
 		enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
 		while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
 		{
 			switch (integrity)
 			{
-				case AUTH_HMAC_SHA1_96:
 				case AUTH_HMAC_SHA2_256_128:
 				case AUTH_HMAC_SHA2_384_192:
 				case AUTH_HMAC_SHA2_512_256:
-				case AUTH_HMAC_MD5_96:
+					add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
+					break;
+				default:
+					break;
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		/* Round 2 adds algorithms with less than 128 bit security strength */
+		enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+		while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
+		{
+			switch (integrity)
+			{
 				case AUTH_AES_XCBC_96:
 				case AUTH_AES_CMAC_96:
+				case AUTH_HMAC_SHA1_96:
+				case AUTH_HMAC_MD5_96:
 					add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
 					break;
 				default:
@@ -724,16 +774,15 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 		enumerator->destroy(enumerator);
 	}
 
+	/* Round 1 adds algorithms with at least 128 bit security strength */
 	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
 	while (enumerator->enumerate(enumerator, &prf, &plugin_name))
 	{
 		switch (prf)
 		{
-			case PRF_HMAC_SHA1:
 			case PRF_HMAC_SHA2_256:
 			case PRF_HMAC_SHA2_384:
 			case PRF_HMAC_SHA2_512:
-			case PRF_HMAC_MD5:
 			case PRF_AES128_XCBC:
 			case PRF_AES128_CMAC:
 				add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
@@ -744,6 +793,63 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 	}
 	enumerator->destroy(enumerator);
 
+	/* Round 2 adds algorithms with less than 128 bit security strength */
+	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &prf, &plugin_name))
+	{
+		switch (prf)
+		{
+			case PRF_HMAC_SHA1:
+			case PRF_HMAC_MD5:
+				add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* Round 1 adds ECC and NTRU algorithms with at least 128 bit security strength */
+	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &group, &plugin_name))
+	{
+		switch (group)
+		{
+			case ECP_256_BIT:
+			case ECP_384_BIT:
+			case ECP_521_BIT:
+			case ECP_256_BP:
+			case ECP_384_BP:
+			case ECP_512_BP:
+			case NTRU_128_BIT:
+			case NTRU_192_BIT:
+			case NTRU_256_BIT:
+				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* Round 2 adds other algorithms with at least 128 bit security strength */
+	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &group, &plugin_name))
+	{
+		switch (group)
+		{
+			case MODP_3072_BIT:
+			case MODP_4096_BIT:
+			case MODP_8192_BIT:
+				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* Round 3 adds algorithms with less than 128 bit security strength */
 	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
 	while (enumerator->enumerate(enumerator, &group, &plugin_name))
 	{
@@ -755,28 +861,16 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 			case MODP_768_BIT:
 				/* weak */
 				break;
-			case MODP_1024_BIT:
-			case MODP_1536_BIT:
 			case MODP_2048_BIT:
-			case MODP_3072_BIT:
-			case MODP_4096_BIT:
-			case MODP_8192_BIT:
-			case ECP_256_BIT:
-			case ECP_384_BIT:
-			case ECP_521_BIT:
-			case MODP_1024_160:
-			case MODP_2048_224:
 			case MODP_2048_256:
-			case ECP_192_BIT:
+			case MODP_2048_224:
+			case MODP_1536_BIT:
+			case MODP_1024_BIT:
+			case MODP_1024_160:
 			case ECP_224_BIT:
 			case ECP_224_BP:
-			case ECP_256_BP:
-			case ECP_384_BP:
-			case ECP_512_BP:
+			case ECP_192_BIT:
 			case NTRU_112_BIT:
-			case NTRU_128_BIT:
-			case NTRU_192_BIT:
-			case NTRU_256_BIT:
 				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
 				break;
 			default:
@@ -805,21 +899,27 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
 			}
 			break;
 		case PROTO_ESP:
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         128);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         192);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         256);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_3DES,              0);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_BLOWFISH,        256);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA1_96,      0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_AES_XCBC_96,       0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_MD5_96,       0);
-			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,  0);
+			add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC,          128);
+			add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC,          192);
+			add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC,          256);
+			add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES,               0);
+			add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,         256);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,       0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,        0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,        0);
+			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 			break;
 		case PROTO_AH:
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA1_96,      0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_AES_XCBC_96,       0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_MD5_96,       0);
-			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,       0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,        0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,        0);
+			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 			break;
 		default:
 			break;
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index dce2a7144..cef8b8992 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -16,6 +16,29 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2016 secunet Security Networks AG
+ * Copyright (C) 2016 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include <stdio.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -111,6 +134,70 @@ static void dbg_bus(debug_t group, level_t level, char *fmt, ...)
 }
 
 /**
+ * Data for registered custom loggers
+ */
+typedef struct {
+	/**
+	 * Name of the custom logger (also used for loglevel configuration)
+	 */
+	char *name;
+
+	/**
+	 * Constructor to be called for custom logger creation
+	 */
+	custom_logger_constructor_t constructor;
+
+} custom_logger_entry_t;
+
+#define MAX_CUSTOM_LOGGERS 10
+
+/**
+ * Static array for logger registration using __attribute__((constructor))
+ */
+static custom_logger_entry_t custom_loggers[MAX_CUSTOM_LOGGERS];
+static int custom_logger_count;
+
+/**
+ * Described in header
+ */
+void register_custom_logger(char *name,
+							custom_logger_constructor_t constructor)
+{
+	if (custom_logger_count < MAX_CUSTOM_LOGGERS - 1)
+	{
+		custom_loggers[custom_logger_count].name = name;
+		custom_loggers[custom_logger_count].constructor = constructor;
+		custom_logger_count++;
+	}
+	else
+	{
+		fprintf(stderr, "failed to register custom logger, please increase "
+				"MAX_CUSTOM_LOGGERS");
+	}
+}
+
+/**
+ * Types of supported loggers
+ */
+typedef enum {
+	/**
+	 * Syslog logger instance
+	 */
+	SYS_LOGGER,
+
+	/**
+	 * File logger instance
+	 */
+	FILE_LOGGER,
+
+	/**
+	 * Custom logger instance
+	 */
+	CUSTOM_LOGGER,
+
+} logger_type_t;
+
+/**
  * Some metadata about configured loggers
  */
 typedef struct {
@@ -120,9 +207,9 @@ typedef struct {
 	char *target;
 
 	/**
-	 * TRUE if this is a file logger
+	 * Type of logger
 	 */
-	bool file;
+	logger_type_t type;
 
 	/**
 	 * The actual logger
@@ -130,6 +217,7 @@ typedef struct {
 	union {
 		sys_logger_t *sys;
 		file_logger_t *file;
+		custom_logger_t *custom;
 	} logger;
 
 } logger_entry_t;
@@ -139,13 +227,17 @@ typedef struct {
  */
 static void logger_entry_destroy(logger_entry_t *this)
 {
-	if (this->file)
-	{
-		DESTROY_IF(this->logger.file);
-	}
-	else
+	switch (this->type)
 	{
-		DESTROY_IF(this->logger.sys);
+		case FILE_LOGGER:
+			DESTROY_IF(this->logger.file);
+			break;
+		case SYS_LOGGER:
+			DESTROY_IF(this->logger.sys);
+			break;
+		case CUSTOM_LOGGER:
+			DESTROY_IF(this->logger.custom);
+			break;
 	}
 	free(this->target);
 	free(this);
@@ -156,13 +248,18 @@ static void logger_entry_destroy(logger_entry_t *this)
  */
 static void logger_entry_unregister_destroy(logger_entry_t *this)
 {
-	if (this->file)
+	switch (this->type)
 	{
-		charon->bus->remove_logger(charon->bus, &this->logger.file->logger);
-	}
-	else
-	{
-		charon->bus->remove_logger(charon->bus, &this->logger.sys->logger);
+		case FILE_LOGGER:
+			charon->bus->remove_logger(charon->bus, &this->logger.file->logger);
+			break;
+		case SYS_LOGGER:
+			charon->bus->remove_logger(charon->bus, &this->logger.sys->logger);
+			break;
+		case CUSTOM_LOGGER:
+			charon->bus->remove_logger(charon->bus,
+									   &this->logger.custom->logger);
+			break;
 	}
 	logger_entry_destroy(this);
 }
@@ -170,9 +267,10 @@ static void logger_entry_unregister_destroy(logger_entry_t *this)
 /**
  * Match a logger entry by target and whether it is a file or syslog logger
  */
-static bool logger_entry_match(logger_entry_t *this, char *target, bool *file)
+static bool logger_entry_match(logger_entry_t *this, char *target,
+							   logger_type_t *type)
 {
-	return this->file == *file && streq(this->target, target);
+	return this->type == *type && streq(this->target, target);
 }
 
 /**
@@ -228,28 +326,45 @@ static int get_syslog_facility(char *facility)
  * Returns an existing or newly created logger entry (if found, it is removed
  * from the given linked list of existing loggers)
  */
-static logger_entry_t *get_logger_entry(char *target, bool is_file_logger,
-										linked_list_t *existing)
+static logger_entry_t *get_logger_entry(char *target, logger_type_t type,
+										linked_list_t *existing,
+										custom_logger_constructor_t constructor)
 {
 	logger_entry_t *entry;
 
 	if (existing->find_first(existing, (void*)logger_entry_match,
-							(void**)&entry, target, &is_file_logger) != SUCCESS)
+							(void**)&entry, target, &type) != SUCCESS)
 	{
 		INIT(entry,
 			.target = strdup(target),
-			.file = is_file_logger,
+			.type = type,
 		);
-		if (is_file_logger)
+		switch (type)
 		{
-			entry->logger.file = file_logger_create(target);
-		}
+			case FILE_LOGGER:
+				entry->logger.file = file_logger_create(target);
+				break;
+			case SYS_LOGGER:
 #ifdef HAVE_SYSLOG
-		else
-		{
-			entry->logger.sys = sys_logger_create(get_syslog_facility(target));
-		}
+				entry->logger.sys = sys_logger_create(
+												get_syslog_facility(target));
+				break;
+#else
+				free(entry);
+				return NULL;
 #endif /* HAVE_SYSLOG */
+			case CUSTOM_LOGGER:
+				if (constructor)
+				{
+					entry->logger.custom = constructor(target);
+				}
+				if (!entry->logger.custom)
+				{
+					free(entry);
+					return NULL;
+				}
+				break;
+		}
 	}
 	else
 	{
@@ -266,9 +381,12 @@ static sys_logger_t *add_sys_logger(private_daemon_t *this, char *facility,
 {
 	logger_entry_t *entry;
 
-	entry = get_logger_entry(facility, FALSE, current_loggers);
-	this->loggers->insert_last(this->loggers, entry);
-	return entry->logger.sys;
+	entry = get_logger_entry(facility, SYS_LOGGER, current_loggers, NULL);
+	if (entry)
+	{
+		this->loggers->insert_last(this->loggers, entry);
+	}
+	return entry ? entry->logger.sys : NULL;
 }
 
 /**
@@ -279,9 +397,30 @@ static file_logger_t *add_file_logger(private_daemon_t *this, char *filename,
 {
 	logger_entry_t *entry;
 
-	entry = get_logger_entry(filename, TRUE, current_loggers);
-	this->loggers->insert_last(this->loggers, entry);
-	return entry->logger.file;
+	entry = get_logger_entry(filename, FILE_LOGGER, current_loggers, NULL);
+	if (entry)
+	{
+		this->loggers->insert_last(this->loggers, entry);
+	}
+	return entry ? entry->logger.file : NULL;
+}
+
+ /**
+ * Create or reuse a custom logger
+ */
+static custom_logger_t *add_custom_logger(private_daemon_t *this,
+										  custom_logger_entry_t *custom,
+										  linked_list_t *current_loggers)
+{
+	logger_entry_t *entry;
+
+	entry = get_logger_entry(custom->name, CUSTOM_LOGGER, current_loggers,
+							 custom->constructor);
+	if (entry)
+	{
+		this->loggers->insert_last(this->loggers, entry);
+	}
+	return entry ? entry->logger.custom : NULL;
 }
 
 /**
@@ -300,6 +439,11 @@ static void load_sys_logger(private_daemon_t *this, char *facility,
 	}
 
 	sys_logger = add_sys_logger(this, facility, current_loggers);
+	if (!sys_logger)
+	{
+		return;
+	}
+
 	sys_logger->set_options(sys_logger,
 				lib->settings->get_bool(lib->settings, "%s.syslog.%s.ike_name",
 										FALSE, lib->ns, facility));
@@ -339,6 +483,11 @@ static void load_file_logger(private_daemon_t *this, char *filename,
 						"%s.filelog.%s.append", TRUE, lib->ns, filename);
 
 	file_logger = add_file_logger(this, filename, current_loggers);
+	if (!file_logger)
+	{
+		return;
+	}
+
 	file_logger->set_options(file_logger, time_format, add_ms, ike_name);
 	file_logger->open(file_logger, flush_line, append);
 
@@ -353,12 +502,41 @@ static void load_file_logger(private_daemon_t *this, char *filename,
 	charon->bus->add_logger(charon->bus, &file_logger->logger);
 }
 
+/**
+ * Load the given custom logger configured in strongswan.conf
+ */
+static void load_custom_logger(private_daemon_t *this,
+							   custom_logger_entry_t *entry,
+							   linked_list_t *current_loggers)
+{
+	custom_logger_t *custom_logger;
+	debug_t group;
+	level_t def;
+
+	custom_logger = add_custom_logger(this, entry, current_loggers);
+	if (!custom_logger)
+	{
+		return;
+	}
+
+	def = lib->settings->get_int(lib->settings, "%s.customlog.%s.default", 1,
+								 lib->ns, entry->name);
+	for (group = 0; group < DBG_MAX; group++)
+	{
+		custom_logger->set_level(custom_logger, group,
+				lib->settings->get_int(lib->settings, "%s.customlog.%s.%N", def,
+							lib->ns, entry->name, debug_lower_names, group));
+	}
+	charon->bus->add_logger(charon->bus, &custom_logger->logger);
+}
+
 METHOD(daemon_t, load_loggers, void,
 	private_daemon_t *this, level_t levels[DBG_MAX], bool to_stderr)
 {
 	enumerator_t *enumerator;
 	linked_list_t *current_loggers;
 	char *target;
+	int i;
 
 	this->mutex->lock(this->mutex);
 	handle_syslog_identifier(this);
@@ -380,6 +558,11 @@ METHOD(daemon_t, load_loggers, void,
 	}
 	enumerator->destroy(enumerator);
 
+	for (i = 0; i < custom_logger_count; ++i)
+	{
+		load_custom_logger(this, &custom_loggers[i], current_loggers);
+	}
+
 	if (!this->loggers->get_count(this->loggers) && levels)
 	{	/* setup legacy style default loggers configured via command-line */
 		file_logger_t *file_logger;
@@ -431,15 +614,24 @@ METHOD(daemon_t, set_level, void,
 	enumerator = this->loggers->create_enumerator(this->loggers);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->file)
-		{
-			entry->logger.file->set_level(entry->logger.file, group, level);
-			charon->bus->add_logger(charon->bus, &entry->logger.file->logger);
-		}
-		else
+		switch (entry->type)
 		{
-			entry->logger.sys->set_level(entry->logger.sys, group, level);
-			charon->bus->add_logger(charon->bus, &entry->logger.sys->logger);
+			case FILE_LOGGER:
+				entry->logger.file->set_level(entry->logger.file, group, level);
+				charon->bus->add_logger(charon->bus,
+										&entry->logger.file->logger);
+				break;
+			case SYS_LOGGER:
+				entry->logger.sys->set_level(entry->logger.sys, group, level);
+				charon->bus->add_logger(charon->bus,
+										&entry->logger.sys->logger);
+				break;
+			case CUSTOM_LOGGER:
+				entry->logger.custom->set_level(entry->logger.custom, group,
+												level);
+				charon->bus->add_logger(charon->bus,
+										&entry->logger.sys->logger);
+				break;
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -488,11 +680,13 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->kernel_handler);
 	DESTROY_IF(this->public.traps);
 	DESTROY_IF(this->public.shunts);
+	DESTROY_IF(this->public.redirect);
 	DESTROY_IF(this->public.controller);
 	DESTROY_IF(this->public.eap);
 	DESTROY_IF(this->public.xauth);
 	DESTROY_IF(this->public.backends);
 	DESTROY_IF(this->public.socket);
+	DESTROY_IF(this->public.kernel);
 
 	/* rehook library logging, shutdown logging */
 	dbg = dbg_old;
@@ -670,6 +864,7 @@ private_daemon_t *daemon_create()
 		.ref = 1,
 	);
 	charon = &this->public;
+	this->public.kernel = kernel_interface_create();
 	this->public.attributes = attribute_manager_create();
 	this->public.controller = controller_create();
 	this->public.eap = eap_manager_create();
@@ -678,6 +873,7 @@ private_daemon_t *daemon_create()
 	this->public.socket = socket_manager_create();
 	this->public.traps = trap_manager_create();
 	this->public.shunts = shunt_manager_create();
+	this->public.redirect = redirect_manager_create();
 	this->kernel_handler = kernel_handler_create();
 
 	return this;
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index d16bf1ddb..48b9c7ec3 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -16,6 +16,29 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2016 secunet Security Networks AG
+ * Copyright (C) 2016 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 /**
  * @defgroup libcharon libcharon
  *
@@ -40,7 +63,7 @@
  * @defgroup payloads payloads
  * @ingroup encoding
  *
- * @defgroup ckernel kernel
+ * @defgroup kernel kernel
  * @ingroup libcharon
  *
  * @defgroup network network
@@ -156,15 +179,18 @@
 typedef struct daemon_t daemon_t;
 
 #include <attributes/attribute_manager.h>
+#include <kernel/kernel_interface.h>
 #include <network/sender.h>
 #include <network/receiver.h>
 #include <network/socket_manager.h>
 #include <control/controller.h>
 #include <bus/bus.h>
+#include <bus/listeners/custom_logger.h>
 #include <sa/ike_sa_manager.h>
 #include <sa/child_sa_manager.h>
 #include <sa/trap_manager.h>
 #include <sa/shunt_manager.h>
+#include <sa/redirect_manager.h>
 #include <config/backend_manager.h>
 #include <sa/eap/eap_manager.h>
 #include <sa/xauth/xauth_manager.h>
@@ -215,6 +241,11 @@ struct daemon_t {
 	socket_manager_t *socket;
 
 	/**
+	 * Kernel interface to communicate with kernel
+	 */
+	kernel_interface_t *kernel;
+
+	/**
 	 * A ike_sa_manager_t instance.
 	 */
 	ike_sa_manager_t *ike_sa_manager;
@@ -235,6 +266,11 @@ struct daemon_t {
 	shunt_manager_t *shunts;
 
 	/**
+	 * Manager for IKE redirect providers
+	 */
+	redirect_manager_t *redirect;
+
+	/**
 	 * Manager for the different configuration backends.
 	 */
 	backend_manager_t *backends;
@@ -311,8 +347,8 @@ struct daemon_t {
 						 bool to_stderr);
 
 	/**
-	 * Set the log level for the given log group for all configured file- and
-	 * syslog-loggers.
+	 * Set the log level for the given log group for all configured file-,
+	 * syslog and custom-loggers.
 	 *
 	 * @param group		log group
 	 * @param level		log level
@@ -345,4 +381,15 @@ bool libcharon_init();
  */
 void libcharon_deinit();
 
+/**
+ * Register a custom logger constructor.
+ *
+ * To be called from __attribute__((constructor)) functions.
+ *
+ * @param name				name of the logger (also used for loglevel config)
+ * @param constructor		constructor to create custom logger
+ */
+void register_custom_logger(char *name,
+							custom_logger_constructor_t constructor);
+
 #endif /** DAEMON_H_ @}*/
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 3303024cd..bbdc4629d 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -551,13 +551,13 @@ static payload_order_t aggressive_i_order[] = {
 	{PLV1_NONCE,					0},
 	{PLV1_ID,						0},
 	{PLV1_CERTIFICATE,				0},
+	{PLV1_CERTREQ,					0},
+	{PLV1_NOTIFY,					0},
+	{PLV1_VENDOR_ID,				0},
 	{PLV1_NAT_D,					0},
 	{PLV1_NAT_D_DRAFT_00_03,		0},
 	{PLV1_SIGNATURE,				0},
 	{PLV1_HASH,						0},
-	{PLV1_CERTREQ,					0},
-	{PLV1_NOTIFY,					0},
-	{PLV1_VENDOR_ID,				0},
 	{PLV1_FRAGMENT,					0},
 };
 
@@ -591,13 +591,13 @@ static payload_order_t aggressive_r_order[] = {
 	{PLV1_NONCE,					0},
 	{PLV1_ID,						0},
 	{PLV1_CERTIFICATE,				0},
+	{PLV1_CERTREQ,					0},
+	{PLV1_NOTIFY,					0},
+	{PLV1_VENDOR_ID,				0},
 	{PLV1_NAT_D,					0},
 	{PLV1_NAT_D_DRAFT_00_03,		0},
 	{PLV1_SIGNATURE,				0},
 	{PLV1_HASH,						0},
-	{PLV1_CERTREQ,					0},
-	{PLV1_NOTIFY,					0},
-	{PLV1_VENDOR_ID,				0},
 	{PLV1_FRAGMENT,					0},
 };
 
diff --git a/src/libcharon/encoding/payloads/configuration_attribute.c b/src/libcharon/encoding/payloads/configuration_attribute.c
index 481bb7bc6..4ecdf569d 100644
--- a/src/libcharon/encoding/payloads/configuration_attribute.c
+++ b/src/libcharon/encoding/payloads/configuration_attribute.c
@@ -132,6 +132,7 @@ METHOD(payload_t, verify, status_t,
 		case INTERNAL_IP4_NBNS:
 		case INTERNAL_ADDRESS_EXPIRY:
 		case INTERNAL_IP4_DHCP:
+		case P_CSCF_IP4_ADDRESS:
 			if (this->length_or_value != 0 && this->length_or_value != 4)
 			{
 				failed = TRUE;
@@ -144,6 +145,13 @@ METHOD(payload_t, verify, status_t,
 			}
 			break;
 		case INTERNAL_IP6_ADDRESS:
+			if (this->type == PLV1_CONFIGURATION_ATTRIBUTE &&
+				this->length_or_value == 16)
+			{	/* 16 bytes are correct for IKEv1, but older releases sent a
+				 * prefix byte so we still accept 0 or 17 as in IKEv2 */
+				break;
+			}
+			/* fall-through */
 		case INTERNAL_IP6_SUBNET:
 			if (this->length_or_value != 0 && this->length_or_value != 17)
 			{
@@ -153,6 +161,7 @@ METHOD(payload_t, verify, status_t,
 		case INTERNAL_IP6_DNS:
 		case INTERNAL_IP6_NBNS:
 		case INTERNAL_IP6_DHCP:
+		case P_CSCF_IP6_ADDRESS:
 			if (this->length_or_value != 0 && this->length_or_value != 16)
 			{
 				failed = TRUE;
diff --git a/src/libcharon/kernel/kernel_handler.c b/src/libcharon/kernel/kernel_handler.c
index 9c0e2602b..be37d30e5 100644
--- a/src/libcharon/kernel/kernel_handler.c
+++ b/src/libcharon/kernel/kernel_handler.c
@@ -15,7 +15,6 @@
 
 #include "kernel_handler.h"
 
-#include <hydra.h>
 #include <daemon.h>
 #include <processing/jobs/acquire_job.h>
 #include <processing/jobs/delete_child_sa_job.h>
@@ -135,8 +134,7 @@ METHOD(kernel_listener_t, roam, bool,
 METHOD(kernel_handler_t, destroy, void,
 	private_kernel_handler_t *this)
 {
-	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
-											 &this->public.listener);
+	charon->kernel->remove_listener(charon->kernel, &this->public.listener);
 	free(this);
 }
 
@@ -157,8 +155,7 @@ kernel_handler_t *kernel_handler_create()
 		},
 	);
 
-	hydra->kernel_interface->add_listener(hydra->kernel_interface,
-										  &this->public.listener);
+	charon->kernel->add_listener(charon->kernel, &this->public.listener);
 
 	return &this->public;
 }
diff --git a/src/libcharon/kernel/kernel_handler.h b/src/libcharon/kernel/kernel_handler.h
index 48ad6889c..f1fa0bdfc 100644
--- a/src/libcharon/kernel/kernel_handler.h
+++ b/src/libcharon/kernel/kernel_handler.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_handler kernel_handler
- * @{ @ingroup ckernel
+ * @{ @ingroup kernel
  */
 
 #ifndef KERNEL_HANDLER_H_
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c
index 89e95ade9..40c4ee589 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libcharon/kernel/kernel_interface.c
@@ -39,7 +39,6 @@
 
 #include "kernel_interface.h"
 
-#include <hydra.h>
 #include <utils/debug.h>
 #include <threading/mutex.h>
 #include <collections/linked_list.h>
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h
index 45efe8946..6793c6cc6 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libcharon/kernel/kernel_interface.h
@@ -40,7 +40,7 @@
 
 /**
  * @defgroup kernel_interface kernel_interface
- * @{ @ingroup hkernel
+ * @{ @ingroup kernel
  */
 
 #ifndef KERNEL_INTERFACE_H_
diff --git a/src/libhydra/kernel/kernel_ipsec.c b/src/libcharon/kernel/kernel_ipsec.c
index 697b1b33d..0440f11bb 100644
--- a/src/libhydra/kernel/kernel_ipsec.c
+++ b/src/libcharon/kernel/kernel_ipsec.c
@@ -15,7 +15,7 @@
 
 #include "kernel_ipsec.h"
 
-#include <hydra.h>
+#include <daemon.h>
 
 /**
  * See header
@@ -25,14 +25,12 @@ bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature,
 {
 	if (reg)
 	{
-		return hydra->kernel_interface->add_ipsec_interface(
-											hydra->kernel_interface,
+		return charon->kernel->add_ipsec_interface(charon->kernel,
 											(kernel_ipsec_constructor_t)data);
 	}
 	else
 	{
-		return hydra->kernel_interface->remove_ipsec_interface(
-											hydra->kernel_interface,
+		return charon->kernel->remove_ipsec_interface(charon->kernel,
 											(kernel_ipsec_constructor_t)data);
 	}
 }
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h
index 2458db5b9..31e06308e 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libcharon/kernel/kernel_ipsec.h
@@ -18,7 +18,7 @@
 
 /**
  * @defgroup kernel_ipsec kernel_ipsec
- * @{ @ingroup hkernel
+ * @{ @ingroup kernel
  */
 
 #ifndef KERNEL_IPSEC_H_
diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libcharon/kernel/kernel_listener.h
index 8074356a4..6426fae2a 100644
--- a/src/libhydra/kernel/kernel_listener.h
+++ b/src/libcharon/kernel/kernel_listener.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_listener kernel_listener
- * @{ @ingroup hkernel
+ * @{ @ingroup kernel
  */
 
 #ifndef KERNEL_LISTENER_H_
diff --git a/src/libhydra/kernel/kernel_net.c b/src/libcharon/kernel/kernel_net.c
index 07d8b2999..f169cad14 100644
--- a/src/libhydra/kernel/kernel_net.c
+++ b/src/libcharon/kernel/kernel_net.c
@@ -15,7 +15,7 @@
 
 #include "kernel_net.h"
 
-#include <hydra.h>
+#include <daemon.h>
 
 /**
  * See header
@@ -25,14 +25,12 @@ bool kernel_net_register(plugin_t *plugin, plugin_feature_t *feature,
 {
 	if (reg)
 	{
-		return hydra->kernel_interface->add_net_interface(
-											hydra->kernel_interface,
+		return charon->kernel->add_net_interface(charon->kernel,
 											(kernel_net_constructor_t)data);
 	}
 	else
 	{
-		return hydra->kernel_interface->remove_net_interface(
-											hydra->kernel_interface,
+		return charon->kernel->remove_net_interface(charon->kernel,
 											(kernel_net_constructor_t)data);
 	}
 }
diff --git a/src/libhydra/kernel/kernel_net.h b/src/libcharon/kernel/kernel_net.h
index 4312c17d1..7fc644a7e 100644
--- a/src/libhydra/kernel/kernel_net.h
+++ b/src/libcharon/kernel/kernel_net.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup kernel_net kernel_net
- * @{ @ingroup hkernel
+ * @{ @ingroup kernel
  */
 
 #ifndef KERNEL_NET_H_
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index a2f2016ff..ee357ca4d 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -20,7 +20,6 @@
 
 #include "receiver.h"
 
-#include <hydra.h>
 #include <daemon.h>
 #include <network/socket.h>
 #include <processing/jobs/job.h>
@@ -451,9 +450,8 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 
 	dst = packet->get_destination(packet);
 	src = packet->get_source(packet);
-	if (!hydra->kernel_interface->all_interfaces_usable(hydra->kernel_interface)
-		&& !hydra->kernel_interface->get_interface(hydra->kernel_interface,
-												   dst, NULL))
+	if (!charon->kernel->all_interfaces_usable(charon->kernel)
+		&& !charon->kernel->get_interface(charon->kernel, dst, NULL))
 	{
 		DBG3(DBG_NET, "received packet from %#H to %#H on ignored interface",
 			 src, dst);
diff --git a/src/libcharon/plugins/addrblock/Makefile.am b/src/libcharon/plugins/addrblock/Makefile.am
index 33ee60d86..ddb2706c8 100644
--- a/src/libcharon/plugins/addrblock/Makefile.am
+++ b/src/libcharon/plugins/addrblock/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 0554465b9..b4ae6fa3e 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/android_dns/Makefile.am b/src/libcharon/plugins/android_dns/Makefile.am
index 1a0d6e6f2..e606a832c 100644
--- a/src/libcharon/plugins/android_dns/Makefile.am
+++ b/src/libcharon/plugins/android_dns/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index 58cf97b6e..d90149827 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/android_log/Makefile.am b/src/libcharon/plugins/android_log/Makefile.am
index 79c61b51e..9f82f6e60 100644
--- a/src/libcharon/plugins/android_log/Makefile.am
+++ b/src/libcharon/plugins/android_log/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 8ce92e577..64fecd9e3 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/attr/Makefile.am b/src/libcharon/plugins/attr/Makefile.am
index 6bc7e77d8..ecbb76d1a 100644
--- a/src/libcharon/plugins/attr/Makefile.am
+++ b/src/libcharon/plugins/attr/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/attr/Makefile.in b/src/libcharon/plugins/attr/Makefile.in
index 486b3c0b0..acb7d07c0 100644
--- a/src/libcharon/plugins/attr/Makefile.in
+++ b/src/libcharon/plugins/attr/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -428,7 +430,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/attr/attr_provider.c b/src/libcharon/plugins/attr/attr_provider.c
index cac0ae4bf..1de571c3f 100644
--- a/src/libcharon/plugins/attr/attr_provider.c
+++ b/src/libcharon/plugins/attr/attr_provider.c
@@ -54,6 +54,8 @@ struct attribute_entry_t {
 	configuration_attribute_type_t type;
 	/** attribute value */
 	chunk_t value;
+	/** associated IKE version */
+	ike_version_t ike;
 };
 
 /**
@@ -66,26 +68,51 @@ static void attribute_destroy(attribute_entry_t *this)
 }
 
 /**
+ * Data for attribute enumerator
+ */
+typedef struct {
+	rwlock_t *lock;
+	ike_version_t ike;
+} enumerator_data_t;
+
+/**
  * convert enumerator value from attribute_entry
  */
-static bool attr_enum_filter(void *null, attribute_entry_t **in,
+static bool attr_enum_filter(enumerator_data_t *data, attribute_entry_t **in,
 			configuration_attribute_type_t *type, void* none, chunk_t *value)
 {
-	*type = (*in)->type;
-	*value = (*in)->value;
-	return TRUE;
+	if ((*in)->ike == IKE_ANY || (*in)->ike == data->ike)
+	{
+		*type = (*in)->type;
+		*value = (*in)->value;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+CALLBACK(attr_enum_destroy, void,
+	enumerator_data_t *data)
+{
+	data->lock->unlock(data->lock);
+	free(data);
 }
 
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 	private_attr_provider_t *this, linked_list_t *pools,
 	ike_sa_t *ike_sa, linked_list_t *vips)
 {
+	enumerator_data_t *data;
+
 	if (vips->get_count(vips))
 	{
+		INIT(data,
+			.lock = this->lock,
+			.ike = ike_sa->get_version(ike_sa),
+		);
 		this->lock->read_lock(this->lock);
 		return enumerator_create_filter(
 				this->attributes->create_enumerator(this->attributes),
-				(void*)attr_enum_filter, this->lock, (void*)this->lock->unlock);
+				(void*)attr_enum_filter, data, attr_enum_destroy);
 	}
 	return enumerator_create_empty();
 }
@@ -116,8 +143,6 @@ static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr,
 		host = host_create_from_string(str, 0);
 		if (host)
 		{
-			entry = malloc_thing(attribute_entry_t);
-
 			if (host->get_family(host) == AF_INET6)
 			{
 				switch (type)
@@ -132,8 +157,11 @@ static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr,
 						break;
 				}
 			}
-			entry->type = type;
-			entry->value = chunk_clone(host->get_address(host));
+			INIT(entry,
+				.type = type,
+				.value = chunk_clone(host->get_address(host)),
+				.ike = IKE_ANY,
+			);
 			host->destroy(host);
 			DBG2(DBG_CFG, "loaded legacy entry attribute %N: %#B",
 				 configuration_attribute_type_names, entry->type, &entry->value);
@@ -149,18 +177,20 @@ typedef struct {
 	char *name;
 	configuration_attribute_type_t v4;
 	configuration_attribute_type_t v6;
+	ike_version_t ike;
 } attribute_type_key_t;
 
 static attribute_type_key_t keys[] = {
-	{"address",			INTERNAL_IP4_ADDRESS,	INTERNAL_IP6_ADDRESS},
-	{"dns",				INTERNAL_IP4_DNS,		INTERNAL_IP6_DNS},
-	{"nbns",			INTERNAL_IP4_NBNS,		INTERNAL_IP6_NBNS},
-	{"dhcp",			INTERNAL_IP4_DHCP,		INTERNAL_IP6_DHCP},
-	{"netmask",			INTERNAL_IP4_NETMASK,	INTERNAL_IP6_NETMASK},
-	{"server",			INTERNAL_IP4_SERVER,	INTERNAL_IP6_SERVER},
-	{"subnet",			INTERNAL_IP4_SUBNET,	INTERNAL_IP6_SUBNET},
-	{"split-include",	UNITY_SPLIT_INCLUDE,	UNITY_SPLIT_INCLUDE},
-	{"split-exclude",	UNITY_LOCAL_LAN,		UNITY_LOCAL_LAN},
+	{"address",			INTERNAL_IP4_ADDRESS,	INTERNAL_IP6_ADDRESS,	IKE_ANY},
+	{"dns",				INTERNAL_IP4_DNS,		INTERNAL_IP6_DNS,		IKE_ANY},
+	{"nbns",			INTERNAL_IP4_NBNS,		INTERNAL_IP6_NBNS,		IKE_ANY},
+	{"dhcp",			INTERNAL_IP4_DHCP,		INTERNAL_IP6_DHCP,		IKE_ANY},
+	{"netmask",			INTERNAL_IP4_NETMASK,	INTERNAL_IP6_NETMASK,	IKE_ANY},
+	{"server",			INTERNAL_IP4_SERVER,	INTERNAL_IP6_SERVER,	IKE_ANY},
+	{"subnet",			INTERNAL_IP4_SUBNET,	INTERNAL_IP6_SUBNET,	IKE_ANY},
+	{"p-cscf",			P_CSCF_IP4_ADDRESS,		P_CSCF_IP6_ADDRESS,		IKEV2},
+	{"split-include",	UNITY_SPLIT_INCLUDE,	UNITY_SPLIT_INCLUDE,	IKEV1},
+	{"split-exclude",	UNITY_LOCAL_LAN,		UNITY_LOCAL_LAN,		IKEV1},
 };
 
 /**
@@ -275,6 +305,7 @@ static void load_entries(private_attr_provider_t *this)
 			INIT(entry,
 				.type = type,
 				.value = data,
+				.ike = mapped ? mapped->ike : IKE_ANY,
 			);
 			DBG2(DBG_CFG, "loaded attribute %N: %#B",
 				 configuration_attribute_type_names, entry->type, &entry->value);
diff --git a/src/libcharon/plugins/attr_sql/Makefile.am b/src/libcharon/plugins/attr_sql/Makefile.am
index 366c902f7..e65ef36a1 100644
--- a/src/libcharon/plugins/attr_sql/Makefile.am
+++ b/src/libcharon/plugins/attr_sql/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/attr_sql/Makefile.in b/src/libcharon/plugins/attr_sql/Makefile.in
index 8f1b3c0ff..8ee9f3f92 100644
--- a/src/libcharon/plugins/attr_sql/Makefile.in
+++ b/src/libcharon/plugins/attr_sql/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/certexpire/Makefile.am b/src/libcharon/plugins/certexpire/Makefile.am
index b8c241dfb..d2d38efea 100644
--- a/src/libcharon/plugins/certexpire/Makefile.am
+++ b/src/libcharon/plugins/certexpire/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index f946d73c1..be19d615e 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/connmark/Makefile.am b/src/libcharon/plugins/connmark/Makefile.am
index cc4d0ec8d..561efa0af 100644
--- a/src/libcharon/plugins/connmark/Makefile.am
+++ b/src/libcharon/plugins/connmark/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/connmark/Makefile.in b/src/libcharon/plugins/connmark/Makefile.in
index 65f53fde9..eaf4f1ec9 100644
--- a/src/libcharon/plugins/connmark/Makefile.in
+++ b/src/libcharon/plugins/connmark/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c
index 23df690e8..607316f7b 100644
--- a/src/libcharon/plugins/connmark/connmark_listener.c
+++ b/src/libcharon/plugins/connmark/connmark_listener.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
@@ -25,6 +28,14 @@
 #include <linux/netfilter/xt_policy.h>
 #include <linux/netfilter/xt_CONNMARK.h>
 
+/**
+ * Add a struct at the current position in the buffer
+ */
+#define ADD_STRUCT(pos, st, ...) ({\
+	typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\
+	*(st*)_cur = (st){ __VA_ARGS__ };\
+	(st*)_cur;\
+})
 
 typedef struct private_connmark_listener_t private_connmark_listener_t;
 
@@ -90,7 +101,10 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain,
 	}
 	else
 	{
-		if (!iptc_delete_entry(chain, e, "", ipth))
+		u_char matchmask[e->next_offset];
+
+		memset(matchmask, 255, sizeof(matchmask));
+		if (!iptc_delete_entry(chain, e, matchmask, ipth))
 		{
 			DBG1(DBG_CFG, "deleting %s rule failed: %s",
 				 chain, iptc_strerror(errno));
@@ -108,54 +122,54 @@ static bool manage_pre_esp_in_udp(private_connmark_listener_t *this,
 								  u_int mark, u_int32_t spi,
 								  host_t *dst, host_t *src)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_match m;
-		struct xt_udp udp;
-		struct ipt_entry_target t;
-		struct xt_mark_tginfo2 tm;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
-									  sizeof(ipt.udp)),
-			.next_offset = sizeof(ipt),
-			.ip = {
-				.proto = IPPROTO_UDP,
-			},
+	u_int16_t match_size	= XT_ALIGN(sizeof(struct ipt_entry_match)) +
+							  XT_ALIGN(sizeof(struct xt_udp));
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+		.ip = {
+			.proto = IPPROTO_UDP,
 		},
-		.m = {
-			.u = {
-				.user = {
-					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)),
-					.name = "udp",
-				},
+	);
+	if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) ||
+		!host2in(src, &e->ip.src, &e->ip.smsk))
+	{
+		return FALSE;
+	}
+	ADD_STRUCT(pos, struct ipt_entry_match,
+		.u = {
+			.user = {
+				.match_size = match_size,
+				.name = "udp",
 			},
 		},
-		.udp = {
-			.spts = { src->get_port(src), src->get_port(src) },
-			.dpts = { dst->get_port(dst), dst->get_port(dst) },
-		},
-		.t = {
-			.u = {
-				.user = {
-					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
-					.name = "MARK",
-					.revision = 2,
-				},
+	);
+	ADD_STRUCT(pos, struct xt_udp,
+		.spts = { src->get_port(src), src->get_port(src) },
+		.dpts = { dst->get_port(dst), dst->get_port(dst) },
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "MARK",
+				.revision = 2,
 			},
 		},
-		.tm = {
-			.mark = mark,
-			.mask = ~0,
-		},
-	};
-
-	if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
-		!host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
-	{
-		return FALSE;
-	}
-	return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+	);
+	ADD_STRUCT(pos, struct xt_mark_tginfo2,
+		.mark = mark,
+		.mask = ~0,
+	);
+	return manage_rule(ipth, "PREROUTING", add, e);
 }
 
 /**
@@ -166,53 +180,53 @@ static bool manage_pre_esp(private_connmark_listener_t *this,
 						   u_int mark, u_int32_t spi,
 						   host_t *dst, host_t *src)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_match m;
-		struct xt_esp esp;
-		struct ipt_entry_target t;
-		struct xt_mark_tginfo2 tm;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
-									  sizeof(ipt.esp)),
-			.next_offset = sizeof(ipt),
-			.ip = {
-				.proto = IPPROTO_ESP,
-			},
+	u_int16_t match_size	= XT_ALIGN(sizeof(struct ipt_entry_match)) +
+							  XT_ALIGN(sizeof(struct xt_esp));
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+		.ip = {
+			.proto = IPPROTO_ESP,
 		},
-		.m = {
-			.u = {
-				.user = {
-					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)),
-					.name = "esp",
-				},
+	);
+	if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) ||
+		!host2in(src, &e->ip.src, &e->ip.smsk))
+	{
+		return FALSE;
+	}
+	ADD_STRUCT(pos, struct ipt_entry_match,
+		.u = {
+			.user = {
+				.match_size = match_size,
+				.name = "esp",
 			},
 		},
-		.esp = {
-			.spis = { htonl(spi), htonl(spi) },
-		},
-		.t = {
-			.u = {
-				.user = {
-					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
-					.name = "MARK",
-					.revision = 2,
-				},
+	);
+	ADD_STRUCT(pos, struct xt_esp,
+		.spis = { htonl(spi), htonl(spi) },
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "MARK",
+				.revision = 2,
 			},
 		},
-		.tm = {
-			.mark = mark,
-			.mask = ~0,
-		},
-	};
-
-	if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
-		!host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
-	{
-		return FALSE;
-	}
-	return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+	);
+	ADD_STRUCT(pos, struct xt_mark_tginfo2,
+		.mark = mark,
+		.mask = ~0,
+	);
+	return manage_rule(ipth, "PREROUTING", add, e);
 }
 
 /**
@@ -238,99 +252,115 @@ static bool manage_in(private_connmark_listener_t *this,
 					  u_int mark, u_int32_t spi,
 					  traffic_selector_t *dst, traffic_selector_t *src)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_match m;
-		struct xt_policy_info p;
-		struct ipt_entry_target t;
-		struct xt_connmark_tginfo1 cm;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
-									  sizeof(ipt.p)),
-			.next_offset = sizeof(ipt),
-		},
-		.m = {
-			.u = {
-				.user = {
-					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.p)),
-					.name = "policy",
-				},
+	u_int16_t match_size	= XT_ALIGN(sizeof(struct ipt_entry_match)) +
+							  XT_ALIGN(sizeof(struct xt_policy_info));
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_connmark_tginfo1));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+	);
+	if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) ||
+		!ts2in(src, &e->ip.src, &e->ip.smsk))
+	{
+		return FALSE;
+	}
+	ADD_STRUCT(pos, struct ipt_entry_match,
+		.u = {
+			.user = {
+				.match_size = match_size,
+				.name = "policy",
 			},
 		},
-		.p = {
-			.pol = {
-				{
-					.spi = spi,
-					.match.spi = 1,
-				},
+	);
+	ADD_STRUCT(pos, struct xt_policy_info,
+		.pol = {
+			{
+				.spi = spi,
+				.match.spi = 1,
 			},
-			.len = 1,
-			.flags = XT_POLICY_MATCH_IN,
 		},
-		.t = {
-			.u = {
-				.user = {
-					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)),
-					.name = "CONNMARK",
-					.revision = 1,
-				},
+		.len = 1,
+		.flags = XT_POLICY_MATCH_IN,
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "CONNMARK",
+				.revision = 1,
 			},
 		},
-		.cm = {
-			.ctmark = mark,
-			.ctmask = ~0,
-			.nfmask = ~0,
-			.mode = XT_CONNMARK_SET,
-		},
-	};
-
-	if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
-		!ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
-	{
-		return FALSE;
-	}
-	return manage_rule(ipth, "INPUT", add, &ipt.e);
+	);
+	ADD_STRUCT(pos, struct xt_connmark_tginfo1,
+		.ctmark = mark,
+		.ctmask = ~0,
+		.nfmask = ~0,
+		.mode = XT_CONNMARK_SET,
+	);
+	return manage_rule(ipth, "INPUT", add, e);
 }
 
 /**
- * Add outbund rule restoring CONNMARK on matching traffic
+ * Add outbund rule restoring CONNMARK on matching traffic unless the packet
+ * already has a mark set
  */
 static bool manage_out(private_connmark_listener_t *this,
 					   struct iptc_handle *ipth, bool add,
 					   traffic_selector_t *dst, traffic_selector_t *src)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_target t;
-		struct xt_connmark_tginfo1 cm;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e)),
-			.next_offset = sizeof(ipt),
-		},
-		.t = {
-			.u = {
-				.user = {
-					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)),
-					.name = "CONNMARK",
-					.revision = 1,
-				},
-			},
-		},
-		.cm = {
-			.ctmask = ~0,
-			.nfmask = ~0,
-			.mode = XT_CONNMARK_RESTORE,
-		},
-	};
-
-	if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
-		!ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
+	u_int16_t match_size	= XT_ALIGN(sizeof(struct ipt_entry_match)) +
+							  XT_ALIGN(sizeof(struct xt_mark_mtinfo1));
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_connmark_tginfo1));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+	);
+	if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) ||
+		!ts2in(src, &e->ip.src, &e->ip.smsk))
 	{
 		return FALSE;
 	}
-	return manage_rule(ipth, "OUTPUT", add, &ipt.e);
+	ADD_STRUCT(pos, struct ipt_entry_match,
+		.u = {
+			.user = {
+				.match_size = match_size,
+				.name = "mark",
+				.revision = 1,
+			},
+		},
+	);
+	ADD_STRUCT(pos, struct xt_mark_mtinfo1,
+		.mask = ~0,
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "CONNMARK",
+				.revision = 1,
+			},
+		},
+	);
+	ADD_STRUCT(pos, struct xt_connmark_tginfo1,
+		.ctmask = ~0,
+		.nfmask = ~0,
+		.mode = XT_CONNMARK_RESTORE,
+	);
+	return manage_rule(ipth, "OUTPUT", add, e);
 }
 
 /**
diff --git a/src/libcharon/plugins/coupling/Makefile.am b/src/libcharon/plugins/coupling/Makefile.am
index badc7b7b2..62695aabe 100644
--- a/src/libcharon/plugins/coupling/Makefile.am
+++ b/src/libcharon/plugins/coupling/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index dff80c37f..44598c3ea 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/dhcp/Makefile.am b/src/libcharon/plugins/dhcp/Makefile.am
index 3c09db016..9ae68be35 100644
--- a/src/libcharon/plugins/dhcp/Makefile.am
+++ b/src/libcharon/plugins/dhcp/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 1e84f04e2..3d39fda29 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -429,7 +431,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index b8c1b4059..0fd1d33fd 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -31,7 +31,6 @@
 #include <threading/condvar.h>
 #include <threading/thread.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
 
@@ -209,8 +208,7 @@ static int prepare_dhcp(private_dhcp_socket_t *this,
 	else
 	{
 		/* act as relay agent */
-		src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
-													   this->dst, NULL);
+		src = charon->kernel->get_source_addr(charon->kernel, this->dst, NULL);
 		if (src)
 		{
 			memcpy(&dhcp->gateway_address, src->get_address(src).ptr,
diff --git a/src/libcharon/plugins/dnscert/Makefile.am b/src/libcharon/plugins/dnscert/Makefile.am
index 145562522..8181bfc9e 100644
--- a/src/libcharon/plugins/dnscert/Makefile.am
+++ b/src/libcharon/plugins/dnscert/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in
index ed873b316..04fc31a3a 100644
--- a/src/libcharon/plugins/dnscert/Makefile.in
+++ b/src/libcharon/plugins/dnscert/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/duplicheck/Makefile.am b/src/libcharon/plugins/duplicheck/Makefile.am
index 338a114fe..32b850ccb 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.am
+++ b/src/libcharon/plugins/duplicheck/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index 41862cb2a..da4534c21 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -423,6 +423,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -438,7 +440,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/duplicheck/duplicheck.c b/src/libcharon/plugins/duplicheck/duplicheck.c
index 508e8e386..7c4cd5ce1 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck.c
@@ -19,8 +19,10 @@
 #include <stdlib.h>
 #include <stddef.h>
 #include <stdio.h>
+#include <string.h>
 #include <errno.h>
 #include <arpa/inet.h>
+#include <netinet/in.h>
 
 #include "duplicheck_msg.h"
 
diff --git a/src/libcharon/plugins/eap_aka/Makefile.am b/src/libcharon/plugins/eap_aka/Makefile.am
index 75e8eafb2..5d7ab8485 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.am
+++ b/src/libcharon/plugins/eap_aka/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index dacddfb87..b5ffd8c24 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
index ec145a39e..d68bfc4c4 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 3c26b8511..e0ad6fe2e 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.am b/src/libcharon/plugins/eap_dynamic/Makefile.am
index 58b827a78..fd08846a9 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.am
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index 402c7cadc..821f6de6c 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.am b/src/libcharon/plugins/eap_gtc/Makefile.am
index c3a12ba3e..a7d1f6275 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.am
+++ b/src/libcharon/plugins/eap_gtc/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 2279b2514..cfd7c4e24 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -430,7 +432,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_identity/Makefile.am b/src/libcharon/plugins/eap_identity/Makefile.am
index 6c5b43f00..4c44962bd 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.am
+++ b/src/libcharon/plugins/eap_identity/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS =  \
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 30d2c88d1..1c544f360 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_md5/Makefile.am b/src/libcharon/plugins/eap_md5/Makefile.am
index 16aa1919b..b27e8cc54 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.am
+++ b/src/libcharon/plugins/eap_md5/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 14616c214..e967262b6 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -430,7 +432,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.am b/src/libcharon/plugins/eap_mschapv2/Makefile.am
index 4276a082d..ded9bbe3f 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.am
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index 78dfd29e3..d96343a5c 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_peap/Makefile.am b/src/libcharon/plugins/eap_peap/Makefile.am
index 8960b84bd..ef226169d 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.am
+++ b/src/libcharon/plugins/eap_peap/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls
 
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 2f0d65d6d..0f920fef8 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls
 
diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am
index bc7a7765d..78cf99184 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.am
+++ b/src/libcharon/plugins/eap_radius/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius
 
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 47534372b..881a5b7e3 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius
 
diff --git a/src/libcharon/plugins/eap_sim/Makefile.am b/src/libcharon/plugins/eap_sim/Makefile.am
index f68138579..8d93077e2 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.am
+++ b/src/libcharon/plugins/eap_sim/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 251eeeeba..aaa24bb17 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.am b/src/libcharon/plugins/eap_sim_file/Makefile.am
index c38e55e2c..5c5694c18 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.am
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\"
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index bffcbc0df..6e61f99de 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\"
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.am b/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
index 22922049d..5e235e7ea 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 78682ce37..e821e3ee2 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -419,6 +419,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -434,7 +436,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
index f40efbd6f..c0d7b914c 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 2a6be5fd9..b883f0abd 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -419,6 +419,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -434,7 +436,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.am b/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
index 0fb622220..9e55bb188 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index de504d4cd..5417f9639 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.am b/src/libcharon/plugins/eap_simaka_sql/Makefile.am
index b7d6fd43e..f4c478dba 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\"
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index de3508a07..c858e467c 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\"
diff --git a/src/libcharon/plugins/eap_tls/Makefile.am b/src/libcharon/plugins/eap_tls/Makefile.am
index 825beb841..551ecb380 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.am
+++ b/src/libcharon/plugins/eap_tls/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls
 
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index d4219b876..c953d0e9c 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls
 
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.am b/src/libcharon/plugins/eap_tnc/Makefile.am
index 6fc78bc9a..186ae45e2 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.am
+++ b/src/libcharon/plugins/eap_tnc/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index 6c34ed098..2f197ed33 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index 350001bb4..621caffee 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -328,7 +328,7 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 	tnccs = tnc->tnccs->create_instance(tnc->tnccs, tnccs_type,
 						is_server, server, peer, server_ip, peer_ip,
 						(type == EAP_TNC) ? TNC_IFT_EAP_1_1 : TNC_IFT_EAP_2_0,
-						is_server ? enforce_recommendation : NULL);
+						enforce_recommendation);
 	if (!tnccs)
 	{
 		DBG1(DBG_TNC, "TNCCS protocol '%s' not enabled", protocol);
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.am b/src/libcharon/plugins/eap_ttls/Makefile.am
index 3a7a8cda3..3db20e348 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.am
+++ b/src/libcharon/plugins/eap_ttls/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libradius
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index 0babf1766..b563acdda 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libradius
diff --git a/src/libcharon/plugins/error_notify/Makefile.am b/src/libcharon/plugins/error_notify/Makefile.am
index 1c64bd2cc..766bb4c51 100644
--- a/src/libcharon/plugins/error_notify/Makefile.am
+++ b/src/libcharon/plugins/error_notify/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index 0a07aa7a3..03dfe3d60 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -424,6 +424,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -439,7 +441,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/ext_auth/Makefile.am b/src/libcharon/plugins/ext_auth/Makefile.am
index d51ea8881..7028819aa 100644
--- a/src/libcharon/plugins/ext_auth/Makefile.am
+++ b/src/libcharon/plugins/ext_auth/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/ext_auth/Makefile.in b/src/libcharon/plugins/ext_auth/Makefile.in
index d23e680aa..fce2e8e63 100644
--- a/src/libcharon/plugins/ext_auth/Makefile.in
+++ b/src/libcharon/plugins/ext_auth/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/farp/Makefile.am b/src/libcharon/plugins/farp/Makefile.am
index 0d862b0a9..6d96f3abb 100644
--- a/src/libcharon/plugins/farp/Makefile.am
+++ b/src/libcharon/plugins/farp/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 318400fc9..2afc5ad76 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -429,7 +431,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/forecast/Makefile.am b/src/libcharon/plugins/forecast/Makefile.am
index ce573135d..77535294e 100644
--- a/src/libcharon/plugins/forecast/Makefile.am
+++ b/src/libcharon/plugins/forecast/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/forecast/Makefile.in b/src/libcharon/plugins/forecast/Makefile.in
index 7b190ca25..4f2a407b4 100644
--- a/src/libcharon/plugins/forecast/Makefile.in
+++ b/src/libcharon/plugins/forecast/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/forecast/forecast_forwarder.c b/src/libcharon/plugins/forecast/forecast_forwarder.c
index 07a3d4953..40aaa7f25 100644
--- a/src/libcharon/plugins/forecast/forecast_forwarder.c
+++ b/src/libcharon/plugins/forecast/forecast_forwarder.c
@@ -27,7 +27,6 @@
 #include <ifaddrs.h>
 #include <net/if.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
 #include <processing/jobs/callback_job.h>
@@ -428,8 +427,7 @@ METHOD(forecast_forwarder_t, destroy, void,
 		lib->watcher->remove(lib->watcher, this->kernel.pkt);
 		close(this->kernel.pkt);
 	}
-	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
-											 &this->kernel.listener);
+	charon->kernel->remove_listener(charon->kernel, &this->kernel.listener);
 	free(this);
 }
 
@@ -486,8 +484,8 @@ forecast_forwarder_t *forecast_forwarder_create(forecast_listener_t *listener)
 
 	setup_interface(&this->kernel);
 
-	hydra->kernel_interface->add_listener(hydra->kernel_interface,
-										  &this->kernel.listener);
+	charon->kernel->add_listener(charon->kernel,
+										   &this->kernel.listener);
 
 	lib->watcher->add(lib->watcher, this->kernel.pkt, WATCHER_READ,
 					  (watcher_cb_t)receive_casts, this);
diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c
index 63a8cb15b..8f7f2600c 100644
--- a/src/libcharon/plugins/forecast/forecast_listener.c
+++ b/src/libcharon/plugins/forecast/forecast_listener.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010-2014 Martin Willi
  * Copyright (C) 2010-2014 revosec AG
  *
@@ -25,6 +28,15 @@
 #include <collections/hashtable.h>
 #include <threading/rwlock.h>
 
+/**
+ * Add a struct at the current position in the buffer
+ */
+#define ADD_STRUCT(pos, st, ...) ({\
+	typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\
+	*(st*)_cur = (st){ __VA_ARGS__ };\
+	(st*)_cur;\
+})
+
 typedef struct private_forecast_listener_t private_forecast_listener_t;
 
 /**
@@ -148,7 +160,10 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain,
 	}
 	else
 	{
-		if (!iptc_delete_entry(chain, e, "", ipth))
+		u_char matchmask[e->next_offset];
+
+		memset(matchmask, 255, sizeof(matchmask));
+		if (!iptc_delete_entry(chain, e, matchmask, ipth))
 		{
 			DBG1(DBG_CFG, "deleting %s rule failed: %s",
 				 chain, iptc_strerror(errno));
@@ -164,60 +179,60 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain,
 static bool manage_pre_esp_in_udp(struct iptc_handle *ipth,
 								  entry_t *entry, bool add)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_match m;
-		struct xt_udp udp;
-		struct ipt_entry_target t;
-		struct xt_mark_tginfo2 tm;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
-									  sizeof(ipt.udp)),
-			.next_offset = sizeof(ipt),
-			.ip = {
-				.proto = IPPROTO_UDP,
-			},
+	u_int16_t match_size	= XT_ALIGN(sizeof(struct ipt_entry_match)) +
+							  XT_ALIGN(sizeof(struct xt_udp));
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+		.ip = {
+			.proto = IPPROTO_UDP,
 		},
-		.m = {
-			.u = {
-				.user = {
-					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)),
-					.name = "udp",
-				},
+	);
+	if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) ||
+		!host2in(entry->rhost, &e->ip.src, &e->ip.smsk))
+	{
+		return FALSE;
+	}
+	ADD_STRUCT(pos, struct ipt_entry_match,
+		.u = {
+			.user = {
+				.match_size = match_size,
+				.name = "udp",
 			},
 		},
-		.udp = {
-			.spts = {
-				entry->rhost->get_port(entry->rhost),
-				entry->rhost->get_port(entry->lhost)
-			},
-			.dpts = {
-				entry->lhost->get_port(entry->lhost),
-				entry->lhost->get_port(entry->lhost)
-			},
+	);
+	ADD_STRUCT(pos, struct xt_udp,
+		.spts = {
+			entry->rhost->get_port(entry->rhost),
+			entry->rhost->get_port(entry->lhost)
 		},
-		.t = {
-			.u = {
-				.user = {
-					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
-					.name = "MARK",
-					.revision = 2,
-				},
-			},
+		.dpts = {
+			entry->lhost->get_port(entry->lhost),
+			entry->lhost->get_port(entry->lhost)
 		},
-		.tm = {
-			.mark = entry->mark,
-			.mask = ~0,
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "MARK",
+				.revision = 2,
+			},
 		},
-	};
-
-	if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
-		!host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk))
-	{
-		return FALSE;
-	}
-	return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+	);
+	ADD_STRUCT(pos, struct xt_mark_tginfo2,
+		.mark = entry->mark,
+		.mask = ~0,
+	);
+	return manage_rule(ipth, "PREROUTING", add, e);
 }
 
 /**
@@ -225,53 +240,53 @@ static bool manage_pre_esp_in_udp(struct iptc_handle *ipth,
  */
 static bool manage_pre_esp(struct iptc_handle *ipth, entry_t *entry, bool add)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_match m;
-		struct xt_esp esp;
-		struct ipt_entry_target t;
-		struct xt_mark_tginfo2 tm;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
-									  sizeof(ipt.esp)),
-			.next_offset = sizeof(ipt),
-			.ip = {
-				.proto = IPPROTO_ESP,
-			},
+	u_int16_t match_size	= XT_ALIGN(sizeof(struct ipt_entry_match)) +
+							  XT_ALIGN(sizeof(struct xt_esp));
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+		.ip = {
+			.proto = IPPROTO_ESP,
 		},
-		.m = {
-			.u = {
-				.user = {
-					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)),
-					.name = "esp",
-				},
+	);
+	if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) ||
+		!host2in(entry->rhost, &e->ip.src, &e->ip.smsk))
+	{
+		return FALSE;
+	}
+	ADD_STRUCT(pos, struct ipt_entry_match,
+		.u = {
+			.user = {
+				.match_size = match_size,
+				.name = "esp",
 			},
 		},
-		.esp = {
-			.spis = { htonl(entry->spi), htonl(entry->spi) },
-		},
-		.t = {
-			.u = {
-				.user = {
-					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
-					.name = "MARK",
-					.revision = 2,
-				},
+	);
+	ADD_STRUCT(pos, struct xt_esp,
+		.spis = { htonl(entry->spi), htonl(entry->spi) },
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "MARK",
+				.revision = 2,
 			},
 		},
-		.tm = {
-			.mark = entry->mark,
-			.mask = ~0,
-		},
-	};
-
-	if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
-		!host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk))
-	{
-		return FALSE;
-	}
-	return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+	);
+	ADD_STRUCT(pos, struct xt_mark_tginfo2,
+		.mark = entry->mark,
+		.mask = ~0,
+	);
+	return manage_rule(ipth, "PREROUTING", add, e);
 }
 
 /**
@@ -291,45 +306,52 @@ static bool manage_pre(struct iptc_handle *ipth, entry_t *entry, bool add)
  */
 static bool manage_out(struct iptc_handle *ipth, entry_t *entry, bool add)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_target t;
-		struct xt_mark_tginfo2 m;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e)),
-			.next_offset = sizeof(ipt),
-		},
-		.t = {
-			.u.user.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.m)),
-			.u.user.name = "MARK",
-			.u.user.revision = 2,
-		},
-		.m = {
-			.mark = entry->mark,
-			.mask = ~0,
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry));
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "MARK",
+				.revision = 2,
+			},
 		},
-	};
+	);
+	ADD_STRUCT(pos, struct xt_mark_tginfo2,
+		.mark = entry->mark,
+		.mask = ~0,
+	);
+
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
 
 	enumerator = array_create_enumerator(entry->rts);
 	while (enumerator->enumerate(enumerator, &ts))
 	{
-		if (!ts2in(ts, &ipt.e.ip.dst, &ipt.e.ip.dmsk))
+		if (!ts2in(ts, &e->ip.dst, &e->ip.dmsk))
 		{
 			continue;
 		}
-		if (ipt.e.ip.dst.s_addr == 0xffffffff ||
-			ipt.e.ip.dst.s_addr == entry->broadcast ||
-			memeq(&ipt.e.ip.dst.s_addr, "\xe0", 1))
+		if (e->ip.dst.s_addr == 0xffffffff ||
+			e->ip.dst.s_addr == entry->broadcast ||
+			memeq(&e->ip.dst.s_addr, "\xe0", 1))
 		{
 			/* skip broadcast/multicast selectors, they are shared and the mark
 			 * is set by the socket we use for reinjection */
 			continue;
 		}
-		if (!manage_rule(ipth, "PREROUTING", add, &ipt.e) ||
-			!manage_rule(ipth, "OUTPUT", add, &ipt.e))
+		if (!manage_rule(ipth, "PREROUTING", add, e) ||
+			!manage_rule(ipth, "OUTPUT", add, e))
 		{
 			enumerator->destroy(enumerator);
 			return FALSE;
diff --git a/src/libcharon/plugins/ha/Makefile.am b/src/libcharon/plugins/ha/Makefile.am
index 50d342389..d501834d7 100644
--- a/src/libcharon/plugins/ha/Makefile.am
+++ b/src/libcharon/plugins/ha/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index de74f88cc..677c36afe 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c
index dbb6adc8f..7dafb1693 100644
--- a/src/libcharon/plugins/ha/ha_child.c
+++ b/src/libcharon/plugins/ha/ha_child.c
@@ -91,6 +91,10 @@ METHOD(listener_t, child_keys, bool,
 	{
 		m->add_attribute(m, HA_ALG_INTEG, alg);
 	}
+	if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &alg, NULL))
+	{
+		m->add_attribute(m, HA_ALG_DH, alg);
+	}
 	if (proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, &alg, NULL))
 	{
 		m->add_attribute(m, HA_ESN, alg);
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 07ef607c6..ce90f5bfe 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -132,6 +132,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 	ike_sa_t *ike_sa = NULL, *old_sa = NULL;
 	ike_version_t version = IKEV2;
 	u_int16_t encr = 0, len = 0, integ = 0, prf = 0, old_prf = PRF_UNDEFINED;
+	u_int16_t dh_grp = 0;
 	chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty;
 	chunk_t secret = chunk_empty, old_skd = chunk_empty;
 	chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty;
@@ -193,6 +194,9 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 			case HA_ALG_OLD_PRF:
 				old_prf = value.u16;
 				break;
+			case HA_ALG_DH:
+				dh_grp = value.u16;
+				break;
 			default:
 				break;
 		}
@@ -217,6 +221,10 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 		{
 			proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, prf, 0);
 		}
+		if (dh_grp)
+		{
+			proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, dh_grp, 0);
+		}
 		charon->bus->set_sa(charon->bus, ike_sa);
 		dh = ha_diffie_hellman_create(secret, dh_local);
 		if (ike_sa->get_version(ike_sa) == IKEV2)
@@ -647,7 +655,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	u_int32_t inbound_spi = 0, outbound_spi = 0;
 	u_int16_t inbound_cpi = 0, outbound_cpi = 0;
 	u_int8_t mode = MODE_TUNNEL, ipcomp = 0;
-	u_int16_t encr = 0, integ = 0, len = 0;
+	u_int16_t encr = 0, integ = 0, len = 0, dh_grp = 0;
 	u_int16_t esn = NO_EXT_SEQ_NUMBERS;
 	u_int seg_i, seg_o;
 	chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty;
@@ -697,6 +705,9 @@ static void process_child_add(private_ha_dispatcher_t *this,
 			case HA_ALG_INTEG:
 				integ = value.u16;
 				break;
+			case HA_ALG_DH:
+				dh_grp = value.u16;
+				break;
 			case HA_ESN:
 				esn = value.u16;
 				break;
@@ -747,6 +758,10 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	{
 		proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, len);
 	}
+	if (dh_grp)
+	{
+		proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, dh_grp, 0);
+	}
 	proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, esn, 0);
 	if (secret.len)
 	{
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
index 7492dd06e..3ffcaee6b 100644
--- a/src/libcharon/plugins/ha/ha_ike.c
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -121,6 +121,10 @@ METHOD(listener_t, ike_keys, bool,
 	{
 		m->add_attribute(m, HA_ALG_PRF, alg);
 	}
+	if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &alg, NULL))
+	{
+		m->add_attribute(m, HA_ALG_DH, alg);
+	}
 	m->add_attribute(m, HA_NONCE_I, nonce_i);
 	m->add_attribute(m, HA_NONCE_R, nonce_r);
 	m->add_attribute(m, HA_SECRET, secret);
@@ -310,27 +314,31 @@ METHOD(listener_t, message_hook, bool,
 			sync_vips(this, ike_sa);
 		}
 	}
-	if (!plain && ike_sa->get_version(ike_sa) == IKEV1)
+	if (ike_sa->get_version(ike_sa) == IKEV1)
 	{
 		ha_message_t *m;
 		keymat_v1_t *keymat;
-		u_int32_t mid;
 		chunk_t iv;
 
-		mid = message->get_message_id(message);
-		if (mid == 0)
+		/* we need the last block (or expected next IV) of Phase 1, which gets
+		 * upated after successful en-/decryption depending on direction */
+		if (incoming == plain)
 		{
-			keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
-			if (keymat->get_iv(keymat, mid, &iv))
+			if (message->get_message_id(message) == 0)
 			{
-				m = ha_message_create(HA_IKE_IV);
-				m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
-				m->add_attribute(m, HA_IV, iv);
-				this->socket->push(this->socket, m);
-				this->cache->cache(this->cache, ike_sa, m);
+				keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
+				if (keymat->get_iv(keymat, 0, &iv))
+				{
+					m = ha_message_create(HA_IKE_IV);
+					m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+					m->add_attribute(m, HA_IV, iv);
+					this->socket->push(this->socket, m);
+					this->cache->cache(this->cache, ike_sa, m);
+				}
 			}
 		}
-		if (!incoming && message->get_exchange_type(message) == TRANSACTION)
+		if (!plain && !incoming &&
+			message->get_exchange_type(message) == TRANSACTION)
 		{
 			sync_vips(this, ike_sa);
 		}
diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c
index 6b00ed83f..b40219ce1 100644
--- a/src/libcharon/plugins/ha/ha_message.c
+++ b/src/libcharon/plugins/ha/ha_message.c
@@ -230,6 +230,7 @@ METHOD(ha_message_t, add_attribute, void,
 			break;
 		}
 		/* u_int16_t */
+		case HA_ALG_DH:
 		case HA_ALG_PRF:
 		case HA_ALG_OLD_PRF:
 		case HA_ALG_ENCR:
@@ -450,6 +451,7 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 			return TRUE;
 		}
 		/** u_int16_t */
+		case HA_ALG_DH:
 		case HA_ALG_PRF:
 		case HA_ALG_OLD_PRF:
 		case HA_ALG_ENCR:
diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h
index 2ccb1fc55..fe1786edf 100644
--- a/src/libcharon/plugins/ha/ha_message.h
+++ b/src/libcharon/plugins/ha/ha_message.h
@@ -122,6 +122,8 @@ enum ha_message_attribute_t {
 	HA_ALG_ENCR_LEN,
 	/** u_int16_t, integrity protection algorithm */
 	HA_ALG_INTEG,
+	/** u_int16_t, DH group */
+	HA_ALG_DH,
 	/** u_int8_t, IPsec mode, TUNNEL|TRANSPORT|... */
 	HA_IPSEC_MODE,
 	/** u_int8_t, IPComp protocol */
diff --git a/src/libcharon/plugins/ipseckey/Makefile.am b/src/libcharon/plugins/ipseckey/Makefile.am
index aed63c122..b8933008c 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.am
+++ b/src/libcharon/plugins/ipseckey/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index f98e78ffc..0b7a29194 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/kernel_iph/Makefile.am b/src/libcharon/plugins/kernel_iph/Makefile.am
index 56946ae1f..707570195 100644
--- a/src/libcharon/plugins/kernel_iph/Makefile.am
+++ b/src/libcharon/plugins/kernel_iph/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in
index 7a2583d06..de5bfd517 100644
--- a/src/libcharon/plugins/kernel_iph/Makefile.in
+++ b/src/libcharon/plugins/kernel_iph/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/kernel_iph/kernel_iph_net.c b/src/libcharon/plugins/kernel_iph/kernel_iph_net.c
index a4be4041e..6a8a96821 100644
--- a/src/libcharon/plugins/kernel_iph/kernel_iph_net.c
+++ b/src/libcharon/plugins/kernel_iph/kernel_iph_net.c
@@ -24,7 +24,7 @@
 
 #include "kernel_iph_net.h"
 
-#include <hydra.h>
+#include <daemon.h>
 #include <threading/mutex.h>
 #include <collections/linked_list.h>
 #include <processing/jobs/callback_job.h>
@@ -130,7 +130,7 @@ static job_requeue_t roam_event(private_kernel_iph_net_t *this)
 	this->roam_address = FALSE;
 	this->mutex->unlock(this->mutex);
 
-	hydra->kernel_interface->roam(hydra->kernel_interface, address);
+	charon->kernel->roam(charon->kernel, address);
 	return JOB_REQUEUE_NONE;
 }
 
diff --git a/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c b/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c
index c5475e30b..c16381440 100644
--- a/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c
+++ b/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c
@@ -17,8 +17,6 @@
 #include "kernel_iph_plugin.h"
 #include "kernel_iph_net.h"
 
-#include <hydra.h>
-
 typedef struct private_kernel_iph_plugin_t private_kernel_iph_plugin_t;
 
 /**
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.am b/src/libcharon/plugins/kernel_libipsec/Makefile.am
index eca2b2325..4757280b4 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.am
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libipsec
 
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index 6b6c95688..018a25a62 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libipsec
 
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
index d738e6d13..4c8771e96 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -17,7 +17,7 @@
 
 #include <library.h>
 #include <ipsec.h>
-#include <hydra.h>
+#include <daemon.h>
 #include <networking/tun_device.h>
 #include <threading/mutex.h>
 #include <utils/debug.h>
@@ -224,8 +224,7 @@ static inline bool policy_entry_equals(policy_entry_t *a,
  */
 static void expire(u_int8_t protocol, u_int32_t spi, host_t *dst, bool hard)
 {
-	hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
-									spi, dst, hard);
+	charon->kernel->expire(charon->kernel, protocol, spi, dst, hard);
 }
 
 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
@@ -313,16 +312,13 @@ static void add_exclude_route(private_kernel_libipsec_ipsec_t *this,
 	if (!route->exclude)
 	{
 		DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src);
-		gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
-												   dst, -1, NULL);
+		gtw = charon->kernel->get_nexthop(charon->kernel, dst, -1, NULL);
 		if (gtw)
 		{
 			char *if_name = NULL;
 
-			if (hydra->kernel_interface->get_interface(
-									hydra->kernel_interface, src, &if_name) &&
-				hydra->kernel_interface->add_route(hydra->kernel_interface,
-									dst->get_address(dst),
+			if (charon->kernel->get_interface(charon->kernel, src, &if_name) &&
+				charon->kernel->add_route(charon->kernel, dst->get_address(dst),
 									dst->get_family(dst) == AF_INET ? 32 : 128,
 									gtw, src, if_name) == SUCCESS)
 			{
@@ -367,14 +363,12 @@ static void remove_exclude_route(private_kernel_libipsec_ipsec_t *this,
 	dst = route->exclude->dst;
 	DBG2(DBG_KNL, "uninstalling exclude route for %H src %H",
 		 dst, route->exclude->src);
-	if (hydra->kernel_interface->get_interface(
-									hydra->kernel_interface,
-									route->exclude->src, &if_name) &&
-		hydra->kernel_interface->del_route(hydra->kernel_interface,
-									dst->get_address(dst),
-									dst->get_family(dst) == AF_INET ? 32 : 128,
-									route->exclude->gtw, route->exclude->src,
-									if_name) != SUCCESS)
+	if (charon->kernel->get_interface(charon->kernel, route->exclude->src,
+									  &if_name) &&
+		charon->kernel->del_route(charon->kernel, dst->get_address(dst),
+								  dst->get_family(dst) == AF_INET ? 32 : 128,
+								  route->exclude->gtw, route->exclude->src,
+								  if_name) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "uninstalling exclude route for %H failed", dst);
 	}
@@ -402,8 +396,8 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this,
 		return TRUE;
 	}
 
-	if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-									src_ts, &src_ip, &is_virtual) != SUCCESS)
+	if (charon->kernel->get_address_by_ts(charon->kernel, src_ts, &src_ip,
+										  &is_virtual) != SUCCESS)
 	{
 		traffic_selector_t *multicast, *broadcast = NULL;
 		bool ignore = FALSE;
@@ -444,8 +438,7 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this,
 	);
 #ifndef __linux__
 	/* on Linux we cant't install a gateway */
-	route->gateway = hydra->kernel_interface->get_nexthop(
-										hydra->kernel_interface, dst, -1, src);
+	route->gateway = charon->kernel->get_nexthop(charon->kernel, dst, -1, src);
 #endif
 
 	if (policy->route)
@@ -459,9 +452,9 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this,
 			return TRUE;
 		}
 		/* uninstall previously installed route */
-		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-									old->dst_net, old->prefixlen, old->gateway,
-									old->src_ip, old->if_name) != SUCCESS)
+		if (charon->kernel->del_route(charon->kernel, old->dst_net,
+									  old->prefixlen, old->gateway,
+									  old->src_ip, old->if_name) != SUCCESS)
 		{
 			DBG1(DBG_KNL, "error uninstalling route installed with policy "
 				 "%R === %R %N", src_ts, dst_ts, policy_dir_names,
@@ -490,9 +483,9 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this,
 	DBG2(DBG_KNL, "installing route: %R src %H dev %s",
 		 dst_ts, route->src_ip, route->if_name);
 
-	switch (hydra->kernel_interface->add_route(hydra->kernel_interface,
-							route->dst_net, route->prefixlen, route->gateway,
-							route->src_ip, route->if_name))
+	switch (charon->kernel->add_route(charon->kernel, route->dst_net,
+									  route->prefixlen, route->gateway,
+									  route->src_ip, route->if_name))
 	{
 		case ALREADY_DONE:
 			/* route exists, do not uninstall */
@@ -571,8 +564,8 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	policy_entry_t *policy, *found = NULL;
 	status_t status;
 
-	status = ipsec->policies->del_policy(ipsec->policies, src_ts, dst_ts,
-										 direction, sa->reqid, mark, priority);
+	status = ipsec->policies->del_policy(ipsec->policies, src, dst, src_ts,
+								dst_ts, direction, type, sa, mark, priority);
 
 	policy = create_policy_entry(src_ts, dst_ts, direction);
 
@@ -598,9 +591,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	{
 		route_entry_t *route = policy->route;
 
-		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway, route->src_ip,
-				route->if_name) != SUCCESS)
+		if (charon->kernel->del_route(charon->kernel, route->dst_net,
+									  route->prefixlen, route->gateway,
+									  route->src_ip, route->if_name) != SUCCESS)
 		{
 			DBG1(DBG_KNL, "error uninstalling route installed with "
 						  "policy %R === %R %N", src_ts, dst_ts,
@@ -629,9 +622,9 @@ METHOD(kernel_ipsec_t, flush_policies, status_t,
 		{
 			route_entry_t *route = pol->route;
 
-			hydra->kernel_interface->del_route(hydra->kernel_interface,
-					route->dst_net, route->prefixlen, route->gateway,
-					route->src_ip, route->if_name);
+			charon->kernel->del_route(charon->kernel, route->dst_net,
+									  route->prefixlen, route->gateway,
+									  route->src_ip, route->if_name);
 			remove_exclude_route(this, route);
 		}
 		policy_entry_destroy(pol);
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
index 830954e11..66141ad56 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
@@ -19,7 +19,6 @@
 #include "kernel_libipsec_router.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <ipsec.h>
 #include <collections/hashtable.h>
 #include <networking/tun_device.h>
@@ -298,8 +297,7 @@ METHOD(kernel_libipsec_router_t, destroy, void,
 										 (ipsec_outbound_cb_t)send_esp);
 	ipsec->processor->unregister_inbound(ipsec->processor,
 										 (ipsec_inbound_cb_t)deliver_plain);
-	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
-											 &this->public.listener);
+	charon->kernel->remove_listener(charon->kernel, &this->public.listener);
 	this->lock->destroy(this->lock);
 	this->tuns->destroy(this->tuns);
 	close(this->notify[0]);
@@ -351,8 +349,7 @@ kernel_libipsec_router_t *kernel_libipsec_router_create()
 								  (hashtable_equals_t)tun_entry_equals, 4);
 	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 
-	hydra->kernel_interface->add_listener(hydra->kernel_interface,
-										  &this->public.listener);
+	charon->kernel->add_listener(charon->kernel, &this->public.listener);
 	ipsec->processor->register_outbound(ipsec->processor, send_esp, NULL);
 	ipsec->processor->register_inbound(ipsec->processor,
 									(ipsec_inbound_cb_t)deliver_plain, this);
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.am b/src/libcharon/plugins/kernel_netlink/Makefile.am
index cc8855406..973e2c2f4 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.am
+++ b/src/libcharon/plugins/kernel_netlink/Makefile.am
@@ -1,7 +1,7 @@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DROUTING_TABLE=${routing_table} \
 	-DROUTING_TABLE_PRIO=${routing_table_prio}
 
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in
index 962fe1ba1..55dcabf6f 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libcharon/plugins/kernel_netlink/Makefile.in
@@ -80,7 +80,7 @@ build_triplet = @build@
 host_triplet = @host@
 TESTS = tests$(EXEEXT)
 check_PROGRAMS = $(am__EXEEXT_1)
-subdir = src/libhydra/plugins/kernel_netlink
+subdir = src/libcharon/plugins/kernel_netlink
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -454,6 +454,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -470,7 +472,7 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DROUTING_TABLE=${routing_table} \
 	-DROUTING_TABLE_PRIO=${routing_table_prio}
 
@@ -515,9 +517,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_netlink/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_netlink/Makefile
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 8c506d9f4..6d9d63a98 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2006-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2008 Andreas Steffen
+ * Copyright (C) 2008-2016 Andreas Steffen
  * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -35,7 +35,7 @@
 #include "kernel_netlink_ipsec.h"
 #include "kernel_netlink_shared.h"
 
-#include <hydra.h>
+#include <daemon.h>
 #include <utils/debug.h>
 #include <threading/mutex.h>
 #include <collections/array.h>
@@ -262,8 +262,8 @@ static char* lookup_algorithm(transform_type_t type, int ikev2)
 			return list[i].name;
 		}
 	}
-	if (hydra->kernel_interface->lookup_algorithm(hydra->kernel_interface,
-												  ikev2, type, NULL, &name))
+	if (charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, NULL,
+										 &name))
 	{
 		return name;
 	}
@@ -702,15 +702,13 @@ static void ts2subnet(traffic_selector_t* ts,
 static void ts2ports(traffic_selector_t* ts,
 					 u_int16_t *port, u_int16_t *mask)
 {
-	/* Linux does not seem to accept complex portmasks. Only
-	 * any or a specific port is allowed. We set to any, if we have
-	 * a port range, or to a specific, if we have one port only.
-	 */
-	u_int16_t from, to;
+	uint16_t from, to, bitmask;
+	int bit;
 
 	from = ts->get_from_port(ts);
 	to = ts->get_to_port(ts);
 
+	/* Quick check for a single port */
 	if (from == to)
 	{
 		*port = htons(from);
@@ -718,9 +716,23 @@ static void ts2ports(traffic_selector_t* ts,
 	}
 	else
 	{
-		*port = 0;
+		/* Compute the port mask for port ranges */
 		*mask = 0;
+
+		for (bit = 15; bit >= 0; bit--)
+		{
+			bitmask = 1 << bit;
+
+			if ((bitmask & from) != (bitmask & to))
+			{
+				*port = htons(from & *mask);
+				*mask = htons(*mask);
+				return;
+			}
+			*mask |= bitmask;
+		}
 	}
+	return;
 }
 
 /**
@@ -856,8 +868,7 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this,
 	src_ts = selector2ts(&acquire->sel, TRUE);
 	dst_ts = selector2ts(&acquire->sel, FALSE);
 
-	hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
-									 dst_ts);
+	charon->kernel->acquire(charon->kernel, reqid, src_ts, dst_ts);
 }
 
 /**
@@ -882,8 +893,8 @@ static void process_expire(private_kernel_netlink_ipsec_t *this,
 		dst = xfrm2host(expire->state.family, &expire->state.id.daddr, 0);
 		if (dst)
 		{
-			hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
-											spi, dst, expire->hard != 0);
+			charon->kernel->expire(charon->kernel, protocol, spi, dst,
+								   expire->hard != 0);
 			dst->destroy(dst);
 		}
 	}
@@ -951,8 +962,8 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this,
 
 	if (src_ts && dst_ts && local && remote)
 	{
-		hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
-										 src_ts, dst_ts, dir, local, remote);
+		charon->kernel->migrate(charon->kernel, reqid, src_ts, dst_ts, dir,
+								local, remote);
 	}
 	else
 	{
@@ -988,8 +999,8 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
 							mapping->new_sport);
 			if (new)
 			{
-				hydra->kernel_interface->mapping(hydra->kernel_interface,
-												 IPPROTO_ESP, spi, dst, new);
+				charon->kernel->mapping(charon->kernel, IPPROTO_ESP, spi, dst,
+										new);
 				new->destroy(new);
 			}
 			dst->destroy(dst);
@@ -2202,22 +2213,21 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 			.prefixlen = policy->sel.prefixlen_s,
 		);
 
-		if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-				fwd->dst_ts, &route->src_ip, NULL) == SUCCESS)
+		if (charon->kernel->get_address_by_ts(charon->kernel, fwd->dst_ts,
+											  &route->src_ip, NULL) == SUCCESS)
 		{
 			/* get the nexthop to src (src as we are in POLICY_FWD) */
 			if (!ipsec->src->is_anyaddr(ipsec->src))
 			{
-				route->gateway = hydra->kernel_interface->get_nexthop(
-											hydra->kernel_interface, ipsec->src,
-											-1, ipsec->dst);
+				route->gateway = charon->kernel->get_nexthop(charon->kernel,
+													ipsec->src, -1, ipsec->dst);
 			}
 			else
 			{	/* for shunt policies */
 				iface = xfrm2host(policy->sel.family, &policy->sel.saddr, 0);
-				route->gateway = hydra->kernel_interface->get_nexthop(
-										hydra->kernel_interface, iface,
-										policy->sel.prefixlen_s, route->src_ip);
+				route->gateway = charon->kernel->get_nexthop(charon->kernel,
+												iface, policy->sel.prefixlen_s,
+												route->src_ip);
 				iface->destroy(iface);
 			}
 			route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
@@ -2232,8 +2242,8 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 				iface = route->src_ip;
 			}
 			/* install route via outgoing interface */
-			if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
-														iface, &route->if_name))
+			if (!charon->kernel->get_interface(charon->kernel, iface,
+											   &route->if_name))
 			{
 				this->mutex->unlock(this->mutex);
 				route_entry_destroy(route);
@@ -2250,9 +2260,9 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 					return SUCCESS;
 				}
 				/* uninstall previously installed route */
-				if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-						old->dst_net, old->prefixlen, old->gateway,
-						old->src_ip, old->if_name) != SUCCESS)
+				if (charon->kernel->del_route(charon->kernel, old->dst_net,
+										old->prefixlen, old->gateway,
+										old->src_ip, old->if_name) != SUCCESS)
 				{
 					DBG1(DBG_KNL, "error uninstalling route installed with "
 								  "policy %R === %R %N", fwd->src_ts,
@@ -2265,10 +2275,9 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 
 			DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
 				 fwd->src_ts, route->gateway, route->src_ip, route->if_name);
-			switch (hydra->kernel_interface->add_route(
-								hydra->kernel_interface, route->dst_net,
-								route->prefixlen, route->gateway,
-								route->src_ip, route->if_name))
+			switch (charon->kernel->add_route(charon->kernel, route->dst_net,
+											  route->prefixlen, route->gateway,
+											  route->src_ip, route->if_name))
 			{
 				default:
 					DBG1(DBG_KNL, "unable to install source route for %H",
@@ -2579,9 +2588,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	if (current->route)
 	{
 		route_entry_t *route = current->route;
-		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway,
-				route->src_ip, route->if_name) != SUCCESS)
+		if (charon->kernel->del_route(charon->kernel, route->dst_net,
+									  route->prefixlen, route->gateway,
+									  route->src_ip, route->if_name) != SUCCESS)
 		{
 			DBG1(DBG_KNL, "error uninstalling route installed with "
 						  "policy %R === %R %N", src_ts, dst_ts,
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h
index 3a45cce06..3a45cce06 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.h
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
index 4e5e02d07..f4394a14f 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -51,7 +51,7 @@
 #include "kernel_netlink_net.h"
 #include "kernel_netlink_shared.h"
 
-#include <hydra.h>
+#include <daemon.h>
 #include <utils/debug.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
@@ -893,7 +893,7 @@ static job_requeue_t roam_event(private_kernel_netlink_net_t *this)
 	address = this->roam_address;
 	this->roam_address = FALSE;
 	this->roam_lock->unlock(this->roam_lock);
-	hydra->kernel_interface->roam(hydra->kernel_interface, address);
+	charon->kernel->roam(charon->kernel, address);
 	return JOB_REQUEUE_NONE;
 }
 
@@ -1004,8 +1004,8 @@ static void process_link(private_kernel_netlink_net_t *this,
 				INIT(entry,
 					.ifindex = msg->ifi_index,
 					.addrs = linked_list_create(),
-					.usable = hydra->kernel_interface->is_interface_usable(
-												hydra->kernel_interface, name),
+					.usable = charon->kernel->is_interface_usable(
+														charon->kernel, name),
 				);
 				this->ifaces->insert_last(this->ifaces, entry);
 			}
@@ -1710,9 +1710,10 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 		chunk = candidate->get_address(candidate);
 		netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
 	}
+	/* we use this below to match against the routes */
+	chunk = dest->get_address(dest);
 	if (!match_net)
 	{
-		chunk = dest->get_address(dest);
 		netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request));
 	}
 
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h
index ff9831d3c..ff9831d3c 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.h
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
index 8d5a0d5e8..8bafc3c55 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -19,8 +19,6 @@
 #include "kernel_netlink_ipsec.h"
 #include "kernel_netlink_net.h"
 
-#include <hydra.h>
-
 typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t;
 
 /**
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h
index a795486ca..74c9ae24f 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.h
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_netlink kernel_netlink
- * @ingroup hplugins
+ * @ingroup cplugins
  *
  * @defgroup kernel_netlink_plugin kernel_netlink_plugin
  * @{ @ingroup kernel_netlink
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
index f7ce992a3..f7ce992a3 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
index 66682907d..b034326d7 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -21,14 +21,22 @@
 #include <linux/rtnetlink.h>
 
 /**
+ * Default buffer size.
+ *
+ * 1024 byte is currently sufficient for all operations.
+ */
+#ifndef KERNEL_NETLINK_BUFSIZE
+#define KERNEL_NETLINK_BUFSIZE 1024
+#endif
+
+/**
  * General purpose netlink buffer.
  *
- * 1024 byte is currently sufficient for all operations. Some platform
- * require an enforced aligment to four bytes (e.g. ARM).
+ * Some platforms require an enforced aligment to four bytes (e.g. ARM).
  */
 typedef union {
 	struct nlmsghdr hdr;
-	u_char bytes[1024];
+	u_char bytes[KERNEL_NETLINK_BUFSIZE];
 } netlink_buf_t __attribute__((aligned(RTA_ALIGNTO)));
 
 typedef struct netlink_socket_t netlink_socket_t;
diff --git a/src/libhydra/plugins/kernel_netlink/suites/test_socket.c b/src/libcharon/plugins/kernel_netlink/suites/test_socket.c
index 3e8facd0a..3e8facd0a 100644
--- a/src/libhydra/plugins/kernel_netlink/suites/test_socket.c
+++ b/src/libcharon/plugins/kernel_netlink/suites/test_socket.c
diff --git a/src/libhydra/plugins/kernel_netlink/tests.c b/src/libcharon/plugins/kernel_netlink/tests.c
index 52985b438..a1799ea70 100644
--- a/src/libhydra/plugins/kernel_netlink/tests.c
+++ b/src/libcharon/plugins/kernel_netlink/tests.c
@@ -15,8 +15,6 @@
 
 #include <test_runner.h>
 
-#include <hydra.h>
-
 /* declare test suite constructors */
 #define TEST_SUITE(x) test_suite_t* x();
 #include "tests.h"
diff --git a/src/libhydra/plugins/kernel_netlink/tests.h b/src/libcharon/plugins/kernel_netlink/tests.h
index 2b6715a78..2b6715a78 100644
--- a/src/libhydra/plugins/kernel_netlink/tests.h
+++ b/src/libcharon/plugins/kernel_netlink/tests.h
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.am b/src/libcharon/plugins/kernel_pfkey/Makefile.am
index f645528d9..8fdca93a5 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.am
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.am
@@ -1,7 +1,7 @@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in
index 177d2f23f..f2876a272 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libhydra/plugins/kernel_pfkey
+subdir = src/libcharon/plugins/kernel_pfkey
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,7 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
@@ -457,9 +459,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfkey/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfkey/Makefile
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index a2fccd1d3..d505f1c33 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -78,7 +78,7 @@
 
 #include "kernel_pfkey_ipsec.h"
 
-#include <hydra.h>
+#include <daemon.h>
 #include <utils/debug.h>
 #include <networking/host.h>
 #include <collections/linked_list.h>
@@ -922,8 +922,7 @@ static int lookup_algorithm(transform_type_t type, int ikev2)
 		}
 		list++;
 	}
-	hydra->kernel_interface->lookup_algorithm(hydra->kernel_interface, ikev2,
-											  type, &alg, NULL);
+	charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, &alg, NULL);
 	return alg;
 }
 
@@ -1283,8 +1282,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this,
 	src_ts = sadb_address2ts(response.src);
 	dst_ts = sadb_address2ts(response.dst);
 
-	hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
-									 dst_ts);
+	charon->kernel->acquire(charon->kernel, reqid, src_ts, dst_ts);
 }
 
 /**
@@ -1316,8 +1314,7 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this,
 		dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
 		if (dst)
 		{
-			hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
-											spi, dst, hard);
+			charon->kernel->expire(charon->kernel, protocol, spi, dst, hard);
 			dst->destroy(dst);
 		}
 	}
@@ -1366,8 +1363,8 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this,
 
 	if (src_ts && dst_ts && local && remote)
 	{
-		hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
-										 src_ts, dst_ts, dir, local, remote);
+		charon->kernel->migrate(charon->kernel, reqid, src_ts, dst_ts, dir,
+								local, remote);
 	}
 	else
 	{
@@ -1437,8 +1434,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this,
 		new = host_create_from_sockaddr(sa);
 		if (new)
 		{
-			hydra->kernel_interface->mapping(hydra->kernel_interface,
-											 IPPROTO_ESP, spi, dst, new);
+			charon->kernel->mapping(charon->kernel, IPPROTO_ESP, spi, dst, new);
 			new->destroy(new);
 		}
 		dst->destroy(dst);
@@ -2142,15 +2138,13 @@ static void add_exclude_route(private_kernel_pfkey_ipsec_t *this,
 	if (!route->exclude)
 	{
 		DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src);
-		gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
-												   dst, -1, NULL);
+		gtw = charon->kernel->get_nexthop(charon->kernel, dst, -1, NULL);
 		if (gtw)
 		{
 			char *if_name = NULL;
 
-			if (hydra->kernel_interface->get_interface(
-									hydra->kernel_interface, src, &if_name) &&
-				hydra->kernel_interface->add_route(hydra->kernel_interface,
+			if (charon->kernel->get_interface(charon->kernel, src, &if_name) &&
+				charon->kernel->add_route(charon->kernel,
 									dst->get_address(dst),
 									dst->get_family(dst) == AF_INET ? 32 : 128,
 									gtw, src, if_name) == SUCCESS)
@@ -2213,10 +2207,10 @@ static void remove_exclude_route(private_kernel_pfkey_ipsec_t *this,
 			dst = route->exclude->dst;
 			DBG2(DBG_KNL, "uninstalling exclude route for %H src %H",
 				 dst, route->exclude->src);
-			if (hydra->kernel_interface->get_interface(
-									hydra->kernel_interface,
+			if (charon->kernel->get_interface(
+									charon->kernel,
 									route->exclude->src, &if_name) &&
-				hydra->kernel_interface->del_route(hydra->kernel_interface,
+				charon->kernel->del_route(charon->kernel,
 									dst->get_address(dst),
 									dst->get_family(dst) == AF_INET ? 32 : 128,
 									route->exclude->gtw, route->exclude->src,
@@ -2241,8 +2235,8 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 	host_t *host, *src, *dst;
 	bool is_virtual;
 
-	if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-									in->dst_ts, &host, &is_virtual) != SUCCESS)
+	if (charon->kernel->get_address_by_ts(charon->kernel, in->dst_ts, &host,
+										  &is_virtual) != SUCCESS)
 	{
 		return FALSE;
 	}
@@ -2259,8 +2253,8 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 
 	if (!dst->is_anyaddr(dst))
 	{
-		route->gateway = hydra->kernel_interface->get_nexthop(
-									hydra->kernel_interface, dst, -1, src);
+		route->gateway = charon->kernel->get_nexthop(charon->kernel, dst, -1,
+													 src);
 
 		/* if the IP is virtual, we install the route over the interface it has
 		 * been installed on. Otherwise we use the interface we use for IKE, as
@@ -2272,17 +2266,16 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 	}
 	else
 	{	/* for shunt policies */
-		route->gateway = hydra->kernel_interface->get_nexthop(
-									hydra->kernel_interface, policy->src.net,
-									policy->src.mask, route->src_ip);
+		route->gateway = charon->kernel->get_nexthop(charon->kernel,
+											policy->src.net, policy->src.mask,
+											route->src_ip);
 
 		/* we don't have a source address, use the address we found */
 		src = route->src_ip;
 	}
 
 	/* get interface for route, using source address */
-	if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
-												src, &route->if_name))
+	if (!charon->kernel->get_interface(charon->kernel, src, &route->if_name))
 	{
 		route_entry_destroy(route);
 		return FALSE;
@@ -2298,9 +2291,9 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 			return TRUE;
 		}
 		/* uninstall previously installed route */
-		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-									old->dst_net, old->prefixlen, old->gateway,
-									old->src_ip, old->if_name) != SUCCESS)
+		if (charon->kernel->del_route(charon->kernel, old->dst_net,
+									  old->prefixlen, old->gateway,
+									  old->src_ip, old->if_name) != SUCCESS)
 		{
 			DBG1(DBG_KNL, "error uninstalling route installed with policy "
 				 "%R === %R %N", in->src_ts, in->dst_ts,
@@ -2311,8 +2304,7 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 	}
 
 	/* if remote traffic selector covers the IKE peer, add an exclude route */
-	if (hydra->kernel_interface->get_features(
-					hydra->kernel_interface) & KERNEL_REQUIRE_EXCLUDE_ROUTE)
+	if (charon->kernel->get_features(charon->kernel) & KERNEL_REQUIRE_EXCLUDE_ROUTE)
 	{
 		if (in->src_ts->is_host(in->src_ts, dst))
 		{
@@ -2331,9 +2323,9 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 	DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
 		 in->src_ts, route->gateway, route->src_ip, route->if_name);
 
-	switch (hydra->kernel_interface->add_route(hydra->kernel_interface,
-							route->dst_net, route->prefixlen, route->gateway,
-							route->src_ip, route->if_name))
+	switch (charon->kernel->add_route(charon->kernel, route->dst_net,
+									  route->prefixlen, route->gateway,
+									  route->src_ip, route->if_name))
 	{
 		case ALREADY_DONE:
 			/* route exists, do not uninstall */
@@ -2813,9 +2805,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	if (policy->route)
 	{
 		route_entry_t *route = policy->route;
-		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway,
-				route->src_ip, route->if_name) != SUCCESS)
+		if (charon->kernel->del_route(charon->kernel, route->dst_net,
+									  route->prefixlen, route->gateway,
+									  route->src_ip, route->if_name) != SUCCESS)
 		{
 			DBG1(DBG_KNL, "error uninstalling route installed with "
 						  "policy %R === %R %N", src_ts, dst_ts,
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
index 649f93733..649f93733 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index 61d576547..d49fe2422 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -18,8 +18,6 @@
 
 #include "kernel_pfkey_ipsec.h"
 
-#include <hydra.h>
-
 typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t;
 
 /**
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
index 51db4d8d3..ecccc6303 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_pfkey kernel_pfkey
- * @ingroup hplugins
+ * @ingroup cplugins
  *
  * @defgroup kernel_pfkey_plugin kernel_pfkey_plugin
  * @{ @ingroup kernel_pfkey
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.am b/src/libcharon/plugins/kernel_pfroute/Makefile.am
index 5129c02f6..51047e38a 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.am
+++ b/src/libcharon/plugins/kernel_pfroute/Makefile.am
@@ -1,7 +1,7 @@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in
index 9f676d21d..77d83cbca 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfroute/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libhydra/plugins/kernel_pfroute
+subdir = src/libcharon/plugins/kernel_pfroute
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,7 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
@@ -457,9 +459,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfroute/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfroute/Makefile
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
index df80c29b8..4eebdfdad 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -24,7 +24,7 @@
 
 #include "kernel_pfroute_net.h"
 
-#include <hydra.h>
+#include <daemon.h>
 #include <utils/debug.h>
 #include <networking/host.h>
 #include <networking/tun_device.h>
@@ -555,7 +555,7 @@ static job_requeue_t roam_event(private_kernel_pfroute_net_t *this)
 	address = this->roam_address;
 	this->roam_address = FALSE;
 	this->roam_lock->unlock(this->roam_lock);
-	hydra->kernel_interface->roam(hydra->kernel_interface, address);
+	charon->kernel->roam(charon->kernel, address);
 	return JOB_REQUEUE_NONE;
 }
 
@@ -862,8 +862,8 @@ static void process_link(private_kernel_pfroute_net_t *this,
 		if (if_indextoname(iface->ifindex, iface->ifname))
 		{
 			DBG1(DBG_KNL, "interface %s appeared", iface->ifname);
-			iface->usable = hydra->kernel_interface->is_interface_usable(
-										hydra->kernel_interface, iface->ifname);
+			iface->usable = charon->kernel->is_interface_usable(charon->kernel,
+																iface->ifname);
 			repopulate_iface(this, iface);
 			this->ifaces->insert_last(this->ifaces, iface);
 			if (iface->usable)
@@ -1266,7 +1266,7 @@ METHOD(kernel_net_t, add_ip, status_t,
 	/* lets do this while holding the lock, thus preventing another thread
 	 * from deleting the TUN device concurrently, hopefully listeners are quick
 	 * and cause no deadlocks */
-	hydra->kernel_interface->tun(hydra->kernel_interface, tun, TRUE);
+	charon->kernel->tun(charon->kernel, tun, TRUE);
 	this->lock->unlock(this->lock);
 
 	return SUCCESS;
@@ -1294,8 +1294,7 @@ METHOD(kernel_net_t, del_ip, status_t,
 		if (addr && addr->ip_equals(addr, vip))
 		{
 			this->tuns->remove_at(this->tuns, enumerator);
-			hydra->kernel_interface->tun(hydra->kernel_interface, tun,
-										 FALSE);
+			charon->kernel->tun(charon->kernel, tun, FALSE);
 			tun->destroy(tun);
 			found = TRUE;
 			break;
@@ -1738,8 +1737,8 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 						.ifindex = if_nametoindex(ifa->ifa_name),
 						.flags = ifa->ifa_flags,
 						.addrs = linked_list_create(),
-						.usable = hydra->kernel_interface->is_interface_usable(
-										hydra->kernel_interface, ifa->ifa_name),
+						.usable = charon->kernel->is_interface_usable(
+												charon->kernel, ifa->ifa_name),
 					);
 					memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);
 					this->ifaces->insert_last(this->ifaces, iface);
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h
index 10c3c9eb7..10c3c9eb7 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.h
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
index 09068b33e..acd834ba3 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
@@ -18,8 +18,6 @@
 
 #include "kernel_pfroute_net.h"
 
-#include <hydra.h>
-
 typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t;
 
 /**
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
index b8ee31a1d..50642a572 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.h
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_pfroute kernel_pfroute
- * @ingroup hplugins
+ * @ingroup cplugins
  *
  * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin
  * @{ @ingroup kernel_pfroute
diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.am b/src/libcharon/plugins/kernel_wfp/Makefile.am
index 85e5089a3..737a79b6c 100644
--- a/src/libcharon/plugins/kernel_wfp/Makefile.am
+++ b/src/libcharon/plugins/kernel_wfp/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in
index efb214b88..cfe643f26 100644
--- a/src/libcharon/plugins/kernel_wfp/Makefile.in
+++ b/src/libcharon/plugins/kernel_wfp/Makefile.in
@@ -424,6 +424,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -439,7 +441,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
index 95f79f168..e1c429885 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
@@ -20,7 +20,6 @@
 #include "kernel_wfp_ipsec.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <threading/mutex.h>
 #include <collections/array.h>
 #include <collections/hashtable.h>
@@ -1396,10 +1395,9 @@ static bool uninstall_route(private_kernel_wfp_ipsec_t *this,
 	{
 		if (--route->refs == 0)
 		{
-			if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
-													   src, &name))
+			if (charon->kernel->get_interface(charon->kernel, src, &name))
 			{
-				res = hydra->kernel_interface->del_route(hydra->kernel_interface,
+				res = charon->kernel->del_route(charon->kernel,
 						dst->get_address(dst), mask, gtw, src, name) == SUCCESS;
 				free(name);
 			}
@@ -1442,10 +1440,9 @@ static bool install_route(private_kernel_wfp_ipsec_t *this,
 	}
 	else
 	{
-		if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
-												   src, &name))
+		if (charon->kernel->get_interface(charon->kernel, src, &name))
 		{
-			if (hydra->kernel_interface->add_route(hydra->kernel_interface,
+			if (charon->kernel->add_route(charon->kernel,
 						dst->get_address(dst), mask, gtw, src, name) == SUCCESS)
 			{
 				INIT(route,
@@ -1486,14 +1483,13 @@ static bool manage_route(private_kernel_wfp_ipsec_t *this,
 	{
 		return FALSE;
 	}
-	if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-												src_ts, &src, NULL) != SUCCESS)
+	if (charon->kernel->get_address_by_ts(charon->kernel, src_ts, &src,
+										  NULL) != SUCCESS)
 	{
 		dst->destroy(dst);
 		return FALSE;
 	}
-	gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
-											   remote, -1, local);
+	gtw = charon->kernel->get_nexthop(charon->kernel, remote, -1, local);
 	if (add)
 	{
 		done = install_route(this, dst, mask, src, gtw);
@@ -1650,8 +1646,7 @@ static void acquire(private_kernel_wfp_ipsec_t *this, UINT64 filter_id,
 	{
 		src = src ? src->clone(src) : NULL;
 		dst = dst ? dst->clone(dst) : NULL;
-		hydra->kernel_interface->acquire(hydra->kernel_interface, reqid,
-										 src, dst);
+		charon->kernel->acquire(charon->kernel, reqid, src, dst);
 	}
 }
 
@@ -2069,8 +2064,8 @@ static job_requeue_t expire_job(expire_data_t *data)
 
 	if (entry)
 	{
-		hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
-										data->spi, data->dst, data->hard);
+		charon->kernel->expire(charon->kernel, protocol, data->spi, data->dst,
+							   data->hard);
 	}
 
 	return JOB_REQUEUE_NONE;
diff --git a/src/libcharon/plugins/led/Makefile.am b/src/libcharon/plugins/led/Makefile.am
index 18d6af399..9868f9efa 100644
--- a/src/libcharon/plugins/led/Makefile.am
+++ b/src/libcharon/plugins/led/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index 7942868f6..63bbf1975 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -428,7 +430,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/load_tester/Makefile.am b/src/libcharon/plugins/load_tester/Makefile.am
index 31e1b5c6f..af3adb257 100644
--- a/src/libcharon/plugins/load_tester/Makefile.am
+++ b/src/libcharon/plugins/load_tester/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index 52dbec53f..14fcd6f4c 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -426,6 +426,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -441,7 +443,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 8a500635c..8f6abde0c 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -18,7 +18,6 @@
 #include <netdb.h>
 
 #include <daemon.h>
-#include <hydra.h>
 #include <attributes/mem_pool.h>
 #include <collections/hashtable.h>
 #include <threading/mutex.h>
@@ -656,8 +655,8 @@ static host_t *allocate_addr(private_load_tester_config_t *this, uint num)
 		id->destroy(id);
 		return NULL;
 	}
-	if (hydra->kernel_interface->add_ip(hydra->kernel_interface,
-										found, this->prefix, iface) != SUCCESS)
+	if (charon->kernel->add_ip(charon->kernel, found, this->prefix,
+							   iface) != SUCCESS)
 	{
 		DBG1(DBG_CFG, "installing load-tester IP %H on %s failed", found, iface);
 		found->destroy(found);
@@ -852,8 +851,8 @@ METHOD(load_tester_config_t, delete_ip, void,
 		{
 			if (pool->release_address(pool, entry->host, entry->id))
 			{
-				hydra->kernel_interface->del_ip(hydra->kernel_interface,
-											entry->host, this->prefix, FALSE);
+				charon->kernel->del_ip(charon->kernel, entry->host,
+									   this->prefix, FALSE);
 				break;
 			}
 		}
@@ -882,8 +881,8 @@ static void cleanup_leases(private_load_tester_config_t *this)
 		{
 			if (online)
 			{
-				hydra->kernel_interface->del_ip(hydra->kernel_interface,
-												addr, this->prefix, FALSE);
+				charon->kernel->del_ip(charon->kernel, addr, this->prefix,
+									   FALSE);
 				entry = this->leases->remove(this->leases, addr);
 				if (entry)
 				{
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index c7380b974..6cf3a909c 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -23,7 +23,6 @@
 
 #include <unistd.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
 #include <threading/condvar.h>
@@ -240,16 +239,24 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+		PLUGIN_CALLBACK(kernel_ipsec_register, load_tester_ipsec_create),
+			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
 	};
+	int count = countof(f);
+
 	*features = f;
-	return countof(f);
+
+	if (!lib->settings->get_bool(lib->settings,
+			"%s.plugins.load-tester.fake_kernel", FALSE, lib->ns))
+	{
+		count -= 2;
+	}
+	return count;
 }
 
 METHOD(plugin_t, destroy, void,
 	private_load_tester_plugin_t *this)
 {
-	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
-						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
 	this->mutex->destroy(this->mutex);
 	this->condvar->destroy(this->condvar);
 	free(this);
@@ -289,12 +296,5 @@ plugin_t *load_tester_plugin_create()
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
 	);
-
-	if (lib->settings->get_bool(lib->settings,
-			"%s.plugins.load-tester.fake_kernel", FALSE, lib->ns))
-	{
-		hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
-						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
-	}
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/lookip/Makefile.am b/src/libcharon/plugins/lookip/Makefile.am
index 223654ea9..623275b21 100644
--- a/src/libcharon/plugins/lookip/Makefile.am
+++ b/src/libcharon/plugins/lookip/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index 264c58ff5..9b56d94fe 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -422,6 +422,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -437,7 +439,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/maemo/Makefile.am b/src/libcharon/plugins/maemo/Makefile.am
index fe5c963fd..02c283f5b 100644
--- a/src/libcharon/plugins/maemo/Makefile.am
+++ b/src/libcharon/plugins/maemo/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index 76c9012b2..5cc654967 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/medcli/Makefile.am b/src/libcharon/plugins/medcli/Makefile.am
index cfa825980..0408c8963 100644
--- a/src/libcharon/plugins/medcli/Makefile.am
+++ b/src/libcharon/plugins/medcli/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 35740c369..32c428487 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/medsrv/Makefile.am b/src/libcharon/plugins/medsrv/Makefile.am
index f21220260..1d1cb4465 100644
--- a/src/libcharon/plugins/medsrv/Makefile.am
+++ b/src/libcharon/plugins/medsrv/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 8fe160ef3..de0217a80 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/osx_attr/Makefile.am b/src/libcharon/plugins/osx_attr/Makefile.am
index aa1d46290..908aa8806 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.am
+++ b/src/libcharon/plugins/osx_attr/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
index 9a5e438e1..6a1a81f08 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.in
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/p_cscf/Makefile.am b/src/libcharon/plugins/p_cscf/Makefile.am
new file mode 100644
index 000000000..1e00a56a8
--- /dev/null
+++ b/src/libcharon/plugins/p_cscf/Makefile.am
@@ -0,0 +1,19 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-p-cscf.la
+else
+plugin_LTLIBRARIES = libstrongswan-p-cscf.la
+endif
+
+libstrongswan_p_cscf_la_SOURCES = \
+	p_cscf_plugin.c p_cscf_plugin.h \
+	p_cscf_handler.c p_cscf_handler.h
+
+libstrongswan_p_cscf_la_LDFLAGS = -module -avoid-version
diff --git a/src/libhydra/tests/Makefile.in b/src/libcharon/plugins/p_cscf/Makefile.in
index 1fa889d67..7f78db85a 100644
--- a/src/libhydra/tests/Makefile.in
+++ b/src/libcharon/plugins/p_cscf/Makefile.in
@@ -13,6 +13,7 @@
 # PARTICULAR PURPOSE.
 
 @SET_MAKE@
+
 VPATH = @srcdir@
 am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
 am__make_running_with_option = \
@@ -77,9 +78,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-TESTS = hydra_tests$(EXEEXT)
-check_PROGRAMS = $(am__EXEEXT_1)
-subdir = src/libhydra/tests
+subdir = src/libcharon/plugins/p_cscf
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -99,19 +98,51 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__EXEEXT_1 = hydra_tests$(EXEEXT)
-am_hydra_tests_OBJECTS = hydra_tests-hydra_tests.$(OBJEXT)
-hydra_tests_OBJECTS = $(am_hydra_tests_OBJECTS)
-hydra_tests_DEPENDENCIES = $(top_builddir)/src/libhydra/libhydra.la \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libstrongswan/tests/libtest.la
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_p_cscf_la_LIBADD =
+am_libstrongswan_p_cscf_la_OBJECTS = p_cscf_plugin.lo \
+	p_cscf_handler.lo
+libstrongswan_p_cscf_la_OBJECTS =  \
+	$(am_libstrongswan_p_cscf_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
 am__v_lt_1 = 
-hydra_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(hydra_tests_CFLAGS) \
-	$(CFLAGS) $(hydra_tests_LDFLAGS) $(LDFLAGS) -o $@
+libstrongswan_p_cscf_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_p_cscf_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_p_cscf_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_p_cscf_la_rpath =
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -146,8 +177,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(hydra_tests_SOURCES)
-DIST_SOURCES = $(hydra_tests_SOURCES)
+SOURCES = $(libstrongswan_p_cscf_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_p_cscf_la_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -172,28 +203,6 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
-am__tty_colors_dummy = \
-  mgn= red= grn= lgn= blu= brg= std=; \
-  am__color_tests=no
-am__tty_colors = { \
-  $(am__tty_colors_dummy); \
-  if test "X$(AM_COLOR_TESTS)" = Xno; then \
-    am__color_tests=no; \
-  elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
-    am__color_tests=yes; \
-  elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
-    am__color_tests=yes; \
-  fi; \
-  if test $$am__color_tests = yes; then \
-    red=''; \
-    grn=''; \
-    lgn=''; \
-    blu=''; \
-    mgn=''; \
-    brg=''; \
-    std=''; \
-  fi; \
-}
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
@@ -407,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -420,21 +431,21 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-hydra_tests_SOURCES = \
-  hydra_tests.h hydra_tests.c
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
-hydra_tests_CFLAGS = \
-  -I$(top_srcdir)/src/libhydra \
-  -I$(top_srcdir)/src/libstrongswan \
-  -I$(top_srcdir)/src/libstrongswan/tests \
-  @COVERAGE_CFLAGS@
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
 
-hydra_tests_LDFLAGS = @COVERAGE_LDFLAGS@
-hydra_tests_LDADD = \
-  $(top_builddir)/src/libhydra/libhydra.la \
-  $(top_builddir)/src/libstrongswan/libstrongswan.la \
-  $(top_builddir)/src/libstrongswan/tests/libtest.la
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-p-cscf.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-p-cscf.la
+libstrongswan_p_cscf_la_SOURCES = \
+	p_cscf_plugin.c p_cscf_plugin.h \
+	p_cscf_handler.c p_cscf_handler.h
 
+libstrongswan_p_cscf_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -448,9 +459,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/tests/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/p_cscf/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libhydra/tests/Makefile
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/p_cscf/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -470,18 +481,54 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
 
-clean-checkPROGRAMS:
-	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
-	echo " rm -f" $$list; \
-	rm -f $$list || exit $$?; \
-	test -n "$(EXEEXT)" || exit 0; \
-	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
-	echo " rm -f" $$list; \
-	rm -f $$list
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
 
-hydra_tests$(EXEEXT): $(hydra_tests_OBJECTS) $(hydra_tests_DEPENDENCIES) $(EXTRA_hydra_tests_DEPENDENCIES) 
-	@rm -f hydra_tests$(EXEEXT)
-	$(AM_V_CCLD)$(hydra_tests_LINK) $(hydra_tests_OBJECTS) $(hydra_tests_LDADD) $(LIBS)
+libstrongswan-p-cscf.la: $(libstrongswan_p_cscf_la_OBJECTS) $(libstrongswan_p_cscf_la_DEPENDENCIES) $(EXTRA_libstrongswan_p_cscf_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_p_cscf_la_LINK) $(am_libstrongswan_p_cscf_la_rpath) $(libstrongswan_p_cscf_la_OBJECTS) $(libstrongswan_p_cscf_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -489,7 +536,8 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra_tests-hydra_tests.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/p_cscf_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/p_cscf_plugin.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -515,20 +563,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
-hydra_tests-hydra_tests.o: hydra_tests.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -MT hydra_tests-hydra_tests.o -MD -MP -MF $(DEPDIR)/hydra_tests-hydra_tests.Tpo -c -o hydra_tests-hydra_tests.o `test -f 'hydra_tests.c' || echo '$(srcdir)/'`hydra_tests.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hydra_tests-hydra_tests.Tpo $(DEPDIR)/hydra_tests-hydra_tests.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hydra_tests.c' object='hydra_tests-hydra_tests.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -c -o hydra_tests-hydra_tests.o `test -f 'hydra_tests.c' || echo '$(srcdir)/'`hydra_tests.c
-
-hydra_tests-hydra_tests.obj: hydra_tests.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -MT hydra_tests-hydra_tests.obj -MD -MP -MF $(DEPDIR)/hydra_tests-hydra_tests.Tpo -c -o hydra_tests-hydra_tests.obj `if test -f 'hydra_tests.c'; then $(CYGPATH_W) 'hydra_tests.c'; else $(CYGPATH_W) '$(srcdir)/hydra_tests.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hydra_tests-hydra_tests.Tpo $(DEPDIR)/hydra_tests-hydra_tests.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hydra_tests.c' object='hydra_tests-hydra_tests.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -c -o hydra_tests-hydra_tests.obj `if test -f 'hydra_tests.c'; then $(CYGPATH_W) 'hydra_tests.c'; else $(CYGPATH_W) '$(srcdir)/hydra_tests.c'; fi`
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -587,99 +621,6 @@ cscopelist-am: $(am__tagged_files)
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
-check-TESTS: $(TESTS)
-	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
-	srcdir=$(srcdir); export srcdir; \
-	list=' $(TESTS) '; \
-	$(am__tty_colors); \
-	if test -n "$$list"; then \
-	  for tst in $$list; do \
-	    if test -f ./$$tst; then dir=./; \
-	    elif test -f $$tst; then dir=; \
-	    else dir="$(srcdir)/"; fi; \
-	    if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
-	      all=`expr $$all + 1`; \
-	      case " $(XFAIL_TESTS) " in \
-	      *[\ \	]$$tst[\ \	]*) \
-		xpass=`expr $$xpass + 1`; \
-		failed=`expr $$failed + 1`; \
-		col=$$red; res=XPASS; \
-	      ;; \
-	      *) \
-		col=$$grn; res=PASS; \
-	      ;; \
-	      esac; \
-	    elif test $$? -ne 77; then \
-	      all=`expr $$all + 1`; \
-	      case " $(XFAIL_TESTS) " in \
-	      *[\ \	]$$tst[\ \	]*) \
-		xfail=`expr $$xfail + 1`; \
-		col=$$lgn; res=XFAIL; \
-	      ;; \
-	      *) \
-		failed=`expr $$failed + 1`; \
-		col=$$red; res=FAIL; \
-	      ;; \
-	      esac; \
-	    else \
-	      skip=`expr $$skip + 1`; \
-	      col=$$blu; res=SKIP; \
-	    fi; \
-	    echo "$${col}$$res$${std}: $$tst"; \
-	  done; \
-	  if test "$$all" -eq 1; then \
-	    tests="test"; \
-	    All=""; \
-	  else \
-	    tests="tests"; \
-	    All="All "; \
-	  fi; \
-	  if test "$$failed" -eq 0; then \
-	    if test "$$xfail" -eq 0; then \
-	      banner="$$All$$all $$tests passed"; \
-	    else \
-	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
-	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
-	    fi; \
-	  else \
-	    if test "$$xpass" -eq 0; then \
-	      banner="$$failed of $$all $$tests failed"; \
-	    else \
-	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
-	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
-	    fi; \
-	  fi; \
-	  dashes="$$banner"; \
-	  skipped=""; \
-	  if test "$$skip" -ne 0; then \
-	    if test "$$skip" -eq 1; then \
-	      skipped="($$skip test was not run)"; \
-	    else \
-	      skipped="($$skip tests were not run)"; \
-	    fi; \
-	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
-	      dashes="$$skipped"; \
-	  fi; \
-	  report=""; \
-	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
-	    report="Please report to $(PACKAGE_BUGREPORT)"; \
-	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
-	      dashes="$$report"; \
-	  fi; \
-	  dashes=`echo "$$dashes" | sed s/./=/g`; \
-	  if test "$$failed" -eq 0; then \
-	    col="$$grn"; \
-	  else \
-	    col="$$red"; \
-	  fi; \
-	  echo "$${col}$$dashes$${std}"; \
-	  echo "$${col}$$banner$${std}"; \
-	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
-	  test -z "$$report" || echo "$${col}$$report$${std}"; \
-	  echo "$${col}$$dashes$${std}"; \
-	  test "$$failed" -eq 0; \
-	else :; fi
-
 distdir: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -711,11 +652,12 @@ distdir: $(DISTFILES)
 	  fi; \
 	done
 check-am: all-am
-	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
-	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
 check: check-am
-all-am: Makefile
+all-am: Makefile $(LTLIBRARIES)
 installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
 install: install-am
 install-exec: install-exec-am
 install-data: install-data-am
@@ -748,8 +690,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -769,7 +711,7 @@ info: info-am
 
 info-am:
 
-install-data-am:
+install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
@@ -815,23 +757,24 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am:
-
-.MAKE: check-am install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
-	clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \
-	ctags ctags-am distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags tags-am uninstall uninstall-am
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libcharon/plugins/p_cscf/p_cscf_handler.c b/src/libcharon/plugins/p_cscf/p_cscf_handler.c
new file mode 100644
index 000000000..76633845e
--- /dev/null
+++ b/src/libcharon/plugins/p_cscf/p_cscf_handler.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "p_cscf_handler.h"
+
+#include <networking/host.h>
+#include <utils/debug.h>
+
+typedef struct private_p_cscf_handler_t private_p_cscf_handler_t;
+
+/**
+ * Private data
+ */
+struct private_p_cscf_handler_t {
+
+	/**
+	 * Public interface
+	 */
+	p_cscf_handler_t public;
+};
+
+METHOD(attribute_handler_t, handle, bool,
+	private_p_cscf_handler_t *this, ike_sa_t *ike_sa,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	host_t *server;
+	int family = AF_INET6;
+
+	switch (type)
+	{
+		case P_CSCF_IP4_ADDRESS:
+			family = AF_INET;
+			/* fall-through */
+		case P_CSCF_IP6_ADDRESS:
+			server = host_create_from_chunk(family, data, 0);
+			if (!server)
+			{
+				DBG1(DBG_CFG, "received invalid P-CSCF server IP");
+				return FALSE;
+			}
+			DBG1(DBG_CFG, "received P-CSCF server IP %H", server);
+			server->destroy(server);
+			return TRUE;
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(attribute_handler_t, release, void,
+	private_p_cscf_handler_t *this, ike_sa_t *ike_sa,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	switch (type)
+	{
+		case P_CSCF_IP4_ADDRESS:
+		case P_CSCF_IP6_ADDRESS:
+			/* nothing to do as we only log the server IPs */
+			break;
+		default:
+			break;
+	}
+}
+
+/**
+ * Data for attribute enumerator
+ */
+typedef struct {
+	enumerator_t public;
+	bool request_ipv4;
+	bool request_ipv6;
+} attr_enumerator_t;
+
+METHOD(enumerator_t, enumerate_attrs, bool,
+	attr_enumerator_t *this, configuration_attribute_type_t *type,
+	chunk_t *data)
+{
+	if (this->request_ipv4)
+	{
+		*type = P_CSCF_IP4_ADDRESS;
+		*data = chunk_empty;
+		this->request_ipv4 = FALSE;
+		return TRUE;
+	}
+	if (this->request_ipv6)
+	{
+		*type = P_CSCF_IP6_ADDRESS;
+		*data = chunk_empty;
+		this->request_ipv6 = FALSE;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Check if the given host has a matching address family
+ */
+static bool is_family(host_t *host, int *family)
+{
+	return host->get_family(host) == *family;
+}
+
+/**
+ * Check if a list has a host of a given family
+ */
+static bool has_host_family(linked_list_t *list, int family)
+{
+	return list->find_first(list, (void*)is_family, NULL, &family) == SUCCESS;
+}
+
+METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
+	private_p_cscf_handler_t *this, ike_sa_t *ike_sa,
+	linked_list_t *vips)
+{
+	attr_enumerator_t *enumerator;
+
+	if (ike_sa->get_version(ike_sa) == IKEV1)
+	{
+		return enumerator_create_empty();
+	}
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate_attrs,
+			.destroy = (void*)free,
+		},
+	);
+	if (lib->settings->get_bool(lib->settings, "%s.plugins.p-cscf.enable.%s",
+								FALSE, lib->ns, ike_sa->get_name(ike_sa)))
+	{
+		enumerator->request_ipv4 = has_host_family(vips, AF_INET);
+		enumerator->request_ipv6 = has_host_family(vips, AF_INET6);
+	}
+	return &enumerator->public;
+}
+
+METHOD(p_cscf_handler_t, destroy, void,
+	private_p_cscf_handler_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+p_cscf_handler_t *p_cscf_handler_create()
+{
+	private_p_cscf_handler_t *this;
+
+	INIT(this,
+		.public = {
+			.handler = {
+				.handle = _handle,
+				.release = _release,
+				.create_attribute_enumerator = _create_attribute_enumerator,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/p_cscf/p_cscf_handler.h b/src/libcharon/plugins/p_cscf/p_cscf_handler.h
new file mode 100644
index 000000000..ad4f1acce
--- /dev/null
+++ b/src/libcharon/plugins/p_cscf/p_cscf_handler.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup p_cscf_handler p_cscf_handler
+ * @{ @ingroup p_cscf
+ */
+
+#ifndef P_CSCF_HANDLER_H_
+#define P_CSCF_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct p_cscf_handler_t p_cscf_handler_t;
+
+/**
+ * Attribute handler for P-CSCF server addresses.
+ */
+struct p_cscf_handler_t {
+
+	/**
+	 * Implements attribute_handler_t.
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Destroy a p_cscf_handler_t.
+	 */
+	void (*destroy)(p_cscf_handler_t *this);
+};
+
+/**
+ * Create an p_cscf_handler_t instance.
+ */
+p_cscf_handler_t *p_cscf_handler_create();
+
+#endif /** P_CSCF_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/p_cscf/p_cscf_plugin.c b/src/libcharon/plugins/p_cscf/p_cscf_plugin.c
new file mode 100644
index 000000000..8e2bc727e
--- /dev/null
+++ b/src/libcharon/plugins/p_cscf/p_cscf_plugin.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "p_cscf_plugin.h"
+#include "p_cscf_handler.h"
+
+#include <daemon.h>
+
+typedef struct private_p_cscf_plugin_t private_p_cscf_plugin_t;
+
+/**
+ * Private data
+ */
+struct private_p_cscf_plugin_t {
+
+	/**
+	 * Public interface
+	 */
+	p_cscf_plugin_t public;
+
+	/**
+	 * P-CSCF server address attribute handler
+	 */
+	p_cscf_handler_t *handler;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_p_cscf_plugin_t *this)
+{
+	return "p-cscf";
+}
+
+/**
+ * Register handler
+ */
+static bool plugin_cb(private_p_cscf_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->attributes->add_handler(charon->attributes,
+										&this->handler->handler);
+	}
+	else
+	{
+		charon->attributes->remove_handler(charon->attributes,
+										   &this->handler->handler);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_p_cscf_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "p-cscf"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_p_cscf_plugin_t *this)
+{
+	this->handler->destroy(this->handler);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *p_cscf_plugin_create()
+{
+	private_p_cscf_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+		.handler = p_cscf_handler_create(),
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/p_cscf/p_cscf_plugin.h b/src/libcharon/plugins/p_cscf/p_cscf_plugin.h
new file mode 100644
index 000000000..51b17674d
--- /dev/null
+++ b/src/libcharon/plugins/p_cscf/p_cscf_plugin.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup p_cscf p_cscf
+ * @ingroup cplugins
+ *
+ * @defgroup p_cscf_plugin p_cscf_plugin
+ * @{ @ingroup p_cscf
+ */
+
+#ifndef P_CSCF_PLUGIN_H_
+#define P_CSCF_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct p_cscf_plugin_t p_cscf_plugin_t;
+
+/**
+ * Plugin that requests P-CSCF server addresses from an ePDG as specified
+ * in RFC 7651.
+ */
+struct p_cscf_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** P_CSCF_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/radattr/Makefile.am b/src/libcharon/plugins/radattr/Makefile.am
index 15d5a0a1f..74d9351f2 100644
--- a/src/libcharon/plugins/radattr/Makefile.am
+++ b/src/libcharon/plugins/radattr/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius
 
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index baff3fc76..3f39ba237 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius
 
diff --git a/src/libcharon/plugins/resolve/Makefile.am b/src/libcharon/plugins/resolve/Makefile.am
index 9cfc370c0..d3d4e73cf 100644
--- a/src/libcharon/plugins/resolve/Makefile.am
+++ b/src/libcharon/plugins/resolve/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DRESOLV_CONF=\"${resolv_conf}\"
 
diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in
index 91479bf52..70d97cc32 100644
--- a/src/libcharon/plugins/resolve/Makefile.in
+++ b/src/libcharon/plugins/resolve/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DRESOLV_CONF=\"${resolv_conf}\"
 
diff --git a/src/libcharon/plugins/resolve/resolve_handler.c b/src/libcharon/plugins/resolve/resolve_handler.c
index 74c3960ff..ec3decc4d 100644
--- a/src/libcharon/plugins/resolve/resolve_handler.c
+++ b/src/libcharon/plugins/resolve/resolve_handler.c
@@ -20,7 +20,6 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
-#include <hydra.h>
 #include <utils/debug.h>
 #include <threading/mutex.h>
 
diff --git a/src/libcharon/plugins/smp/Makefile.am b/src/libcharon/plugins/smp/Makefile.am
index 3aa533e56..252db32a6 100644
--- a/src/libcharon/plugins/smp/Makefile.am
+++ b/src/libcharon/plugins/smp/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 572e7fc2f..221cda71a 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -429,7 +431,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index 2aa061fd2..56b19c792 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -229,8 +229,8 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
 		local = ike_sa->get_my_host(ike_sa);
 		xmlTextWriterStartElement(writer, "local");
 		xmlTextWriterWriteFormatElement(writer, "spi", "%.16llx",
-							id->is_initiator(id) ? id->get_initiator_spi(id)
-												 : id->get_responder_spi(id));
+					be64toh(id->is_initiator(id) ? id->get_initiator_spi(id)
+												 : id->get_responder_spi(id)));
 		write_id(writer, "identification", ike_sa->get_my_id(ike_sa));
 		write_address(writer, "address", local);
 		xmlTextWriterWriteFormatElement(writer, "port", "%d",
@@ -246,8 +246,8 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
 		remote = ike_sa->get_other_host(ike_sa);
 		xmlTextWriterStartElement(writer, "remote");
 		xmlTextWriterWriteFormatElement(writer, "spi", "%.16llx",
-							id->is_initiator(id) ? id->get_responder_spi(id)
-												 : id->get_initiator_spi(id));
+					be64toh(id->is_initiator(id) ? id->get_responder_spi(id)
+												 : id->get_initiator_spi(id)));
 		write_id(writer, "identification", ike_sa->get_other_id(ike_sa));
 		write_address(writer, "address", remote);
 		xmlTextWriterWriteFormatElement(writer, "port", "%d",
diff --git a/src/libcharon/plugins/socket_default/Makefile.am b/src/libcharon/plugins/socket_default/Makefile.am
index e524ffd18..7231703b3 100644
--- a/src/libcharon/plugins/socket_default/Makefile.am
+++ b/src/libcharon/plugins/socket_default/Makefile.am
@@ -1,7 +1,6 @@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index 25b40995b..3dcfaf4a6 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index 13bf3e775..6e432d9cf 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -41,7 +41,6 @@
 #include <netinet/udp.h>
 #include <net/if.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
 
@@ -720,16 +719,15 @@ static int open_socket(private_socket_default_socket_t *this,
 	}
 #endif
 
-	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
-												skt, family))
+	if (!charon->kernel->bypass_socket(charon->kernel, skt, family))
 	{
 		DBG1(DBG_NET, "installing IKE bypass policy failed");
 	}
 
 	/* enable UDP decapsulation for NAT-T sockets */
 	if (port == &this->natt &&
-		!hydra->kernel_interface->enable_udp_decap(hydra->kernel_interface,
-												   skt, family, this->natt))
+		!charon->kernel->enable_udp_decap(charon->kernel, skt, family,
+										  this->natt))
 	{
 		DBG1(DBG_NET, "enabling UDP decapsulation for %s on port %d failed",
 			 family == AF_INET ? "IPv4" : "IPv6", this->natt);
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.am b/src/libcharon/plugins/socket_dynamic/Makefile.am
index a1e21b98b..087ebb728 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.am
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.am
@@ -1,7 +1,6 @@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 5c010a59a..88bc22f5e 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
index a032134c3..b89cae47b 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
@@ -36,7 +36,6 @@
 #include <netinet/udp.h>
 #include <net/if.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
 #include <threading/rwlock.h>
@@ -438,15 +437,13 @@ static int open_socket(private_socket_dynamic_socket_t *this,
 		return 0;
 	}
 
-	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
-												fd, family))
+	if (!charon->kernel->bypass_socket(charon->kernel, fd, family))
 	{
 		DBG1(DBG_NET, "installing IKE bypass policy failed");
 	}
 
 	/* enable UDP decapsulation on each socket */
-	if (!hydra->kernel_interface->enable_udp_decap(hydra->kernel_interface,
-												   fd, family, *port))
+	if (!charon->kernel->enable_udp_decap(charon->kernel, fd, family, *port))
 	{
 		DBG1(DBG_NET, "enabling UDP decapsulation for %s on port %d failed",
 			 family == AF_INET ? "IPv4" : "IPv6", *port);
diff --git a/src/libcharon/plugins/socket_win/Makefile.am b/src/libcharon/plugins/socket_win/Makefile.am
index f01178fcc..293d9bc9f 100644
--- a/src/libcharon/plugins/socket_win/Makefile.am
+++ b/src/libcharon/plugins/socket_win/Makefile.am
@@ -1,7 +1,6 @@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/socket_win/Makefile.in b/src/libcharon/plugins/socket_win/Makefile.in
index 0c3bf31b9..683011062 100644
--- a/src/libcharon/plugins/socket_win/Makefile.in
+++ b/src/libcharon/plugins/socket_win/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/socket_win/socket_win_socket.c b/src/libcharon/plugins/socket_win/socket_win_socket.c
index fbfbedae1..94af08e80 100644
--- a/src/libcharon/plugins/socket_win/socket_win_socket.c
+++ b/src/libcharon/plugins/socket_win/socket_win_socket.c
@@ -19,7 +19,6 @@
 #include "socket_win_socket.h"
 
 #include <library.h>
-#include <hydra.h>
 #include <threading/thread.h>
 #include <daemon.h>
 
@@ -397,13 +396,11 @@ static SOCKET open_socket(private_socket_win_socket_t *this, int i)
 		closesocket(s);
 		return INVALID_SOCKET;
 	}
-	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
-												s, AF_INET))
+	if (!charon->kernel->bypass_socket(charon->kernel, s, AF_INET))
 	{
 		DBG1(DBG_NET, "installing IPv4 IKE bypass policy failed");
 	}
-	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
-												s, AF_INET6))
+	if (!charon->kernel->bypass_socket(charon->kernel, s, AF_INET6))
 	{
 		DBG1(DBG_NET, "installing IPv6 IKE bypass policy failed");
 	}
diff --git a/src/libcharon/plugins/sql/Makefile.am b/src/libcharon/plugins/sql/Makefile.am
index c947db892..44a3d5f4a 100644
--- a/src/libcharon/plugins/sql/Makefile.am
+++ b/src/libcharon/plugins/sql/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index f74257af2..b09379b02 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -429,7 +431,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am
index b90688791..26edc3dcd 100644
--- a/src/libcharon/plugins/stroke/Makefile.am
+++ b/src/libcharon/plugins/stroke/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/stroke \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index a316f5c25..2b22b333a 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/stroke \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 68cf83089..d0eb2aac3 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -16,7 +16,6 @@
 
 #include "stroke_config.h"
 
-#include <hydra.h>
 #include <daemon.h>
 #include <threading/mutex.h>
 #include <utils/lexparser.h>
@@ -201,8 +200,7 @@ static bool is_local(char *address, bool any_allowed)
 			host = host_create_from_dns(token, 0, 0);
 			if (host)
 			{
-				if (hydra->kernel_interface->get_interface(
-										hydra->kernel_interface, host, NULL))
+				if (charon->kernel->get_interface(charon->kernel, host, NULL))
 				{
 					found = TRUE;
 				}
@@ -313,117 +311,6 @@ static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy)
 }
 
 /**
- * Parse public key / signature strength constraints
- */
-static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
-{
-	enumerator_t *enumerator;
-	bool rsa = FALSE, ecdsa = FALSE, bliss = FALSE,
-		 rsa_len = FALSE, ecdsa_len = FALSE, bliss_strength = FALSE;
-	int strength;
-	char *token;
-
-	enumerator = enumerator_create_token(auth, "-", "");
-	while (enumerator->enumerate(enumerator, &token))
-	{
-		bool found = FALSE;
-		int i;
-		struct {
-			char *name;
-			signature_scheme_t scheme;
-			key_type_t key;
-		} schemes[] = {
-			{ "md5",		SIGN_RSA_EMSA_PKCS1_MD5,		KEY_RSA,	},
-			{ "sha1",		SIGN_RSA_EMSA_PKCS1_SHA1,		KEY_RSA,	},
-			{ "sha224",		SIGN_RSA_EMSA_PKCS1_SHA224,		KEY_RSA,	},
-			{ "sha256",		SIGN_RSA_EMSA_PKCS1_SHA256,		KEY_RSA,	},
-			{ "sha384",		SIGN_RSA_EMSA_PKCS1_SHA384,		KEY_RSA,	},
-			{ "sha512",		SIGN_RSA_EMSA_PKCS1_SHA512,		KEY_RSA,	},
-			{ "sha1",		SIGN_ECDSA_WITH_SHA1_DER,		KEY_ECDSA,	},
-			{ "sha256",		SIGN_ECDSA_WITH_SHA256_DER,		KEY_ECDSA,	},
-			{ "sha384",		SIGN_ECDSA_WITH_SHA384_DER,		KEY_ECDSA,	},
-			{ "sha512",		SIGN_ECDSA_WITH_SHA512_DER,		KEY_ECDSA,	},
-			{ "sha256",		SIGN_ECDSA_256,					KEY_ECDSA,	},
-			{ "sha384",		SIGN_ECDSA_384,					KEY_ECDSA,	},
-			{ "sha512",		SIGN_ECDSA_521,					KEY_ECDSA,	},
-			{ "sha256",		SIGN_BLISS_WITH_SHA2_256,		KEY_BLISS,	},
-			{ "sha384",		SIGN_BLISS_WITH_SHA2_384,		KEY_BLISS,	},
-			{ "sha512",		SIGN_BLISS_WITH_SHA2_512,		KEY_BLISS,	},
-		};
-
-		if (rsa_len || ecdsa_len || bliss_strength)
-		{	/* expecting a key strength token */
-			strength = atoi(token);
-			if (strength)
-			{
-				if (rsa_len)
-				{
-					cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
-				}
-				else if (ecdsa_len)
-				{
-					cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
-				}
-				else if (bliss_strength)
-				{
-					cfg->add(cfg, AUTH_RULE_BLISS_STRENGTH, (uintptr_t)strength);
-				}
-			}
-			rsa_len = ecdsa_len = bliss_strength = FALSE;
-			if (strength)
-			{
-				continue;
-			}
-		}
-		if (streq(token, "rsa"))
-		{
-			rsa = rsa_len = TRUE;
-			continue;
-		}
-		if (streq(token, "ecdsa"))
-		{
-			ecdsa = ecdsa_len = TRUE;
-			continue;
-		}
-		if (streq(token, "bliss"))
-		{
-			bliss = bliss_strength = TRUE;
-			continue;
-		}
-		if (streq(token, "pubkey"))
-		{
-			continue;
-		}
-
-		for (i = 0; i < countof(schemes); i++)
-		{
-			if (streq(schemes[i].name, token))
-			{
-				/* for each matching string, allow the scheme, if:
-				 * - it is an RSA scheme, and we enforced RSA
-				 * - it is an ECDSA scheme, and we enforced ECDSA
-				 * - it is not a key type specific scheme
-				 */
-				if ((rsa && schemes[i].key == KEY_RSA) ||
-					(ecdsa && schemes[i].key == KEY_ECDSA) ||
-					(bliss && schemes[i].key == KEY_BLISS) ||
-					(!rsa && !ecdsa && !bliss))
-				{
-					cfg->add(cfg, AUTH_RULE_SIGNATURE_SCHEME,
-							 (uintptr_t)schemes[i].scheme);
-				}
-				found = TRUE;
-			}
-		}
-		if (!found)
-		{
-			DBG1(DBG_CFG, "ignoring invalid auth token: '%s'", token);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
  * build authentication config
  */
 static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
@@ -619,15 +506,15 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	}
 
 	/* authentication metod (class, actually) */
-	if (strpfx(auth, "pubkey") ||
+	if (strpfx(auth, "ike:") ||
+		strpfx(auth, "pubkey") ||
 		strpfx(auth, "rsa") ||
 		strpfx(auth, "ecdsa") ||
 		strpfx(auth, "bliss"))
 	{
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 		build_crl_policy(cfg, local, msg->add_conn.crl_policy);
-
-		parse_pubkey_constraints(auth, cfg);
+		cfg->add_pubkey_constraints(cfg, auth, TRUE);
 	}
 	else if (streq(auth, "psk") || streq(auth, "secret"))
 	{
@@ -660,7 +547,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 		if (pos)
 		{
 			*pos = 0;
-			parse_pubkey_constraints(pos + 1, cfg);
+			cfg->add_pubkey_constraints(cfg, pos + 1, FALSE);
 		}
 		type = eap_vendor_type_from_string(auth);
 		if (type)
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index 5a1a5074d..36da5ff21 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -16,7 +16,6 @@
 
 #include "stroke_control.h"
 
-#include <hydra.h>
 #include <daemon.h>
 
 #include <processing/jobs/delete_ike_sa_job.h>
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index c0192b5c0..0371c7032 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -2,6 +2,9 @@
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -23,22 +26,12 @@
 #include <malloc.h>
 #endif /* HAVE_MALLINFO */
 
-#include <hydra.h>
 #include <daemon.h>
 #include <collections/linked_list.h>
 #include <plugins/plugin.h>
 #include <credentials/certificates/x509.h>
-#include <credentials/certificates/ac.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/pgp_certificate.h>
+#include <credentials/certificates/certificate_printer.h>
 #include <config/peer_cfg.h>
-#include <asn1/asn1.h>
-#include <asn1/oid.h>
-
-/* warning intervals for list functions */
-#define CERT_WARNING_INTERVAL  30	/* days */
-#define CRL_WARNING_INTERVAL	7	/* days */
-#define AC_WARNING_INTERVAL		1	/* day */
 
 typedef struct private_stroke_list_t private_stroke_list_t;
 
@@ -69,6 +62,11 @@ struct private_stroke_list_t {
 };
 
 /**
+ * Static certificate printer object
+ */
+static certificate_printer_t *cert_printer = NULL;
+
+/**
  * Log tasks of a specific queue to out
  */
 static void log_task_q(FILE *out, ike_sa_t *ike_sa, task_queue_t q, char *name)
@@ -139,8 +137,10 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 		fprintf(out, "%12s[%d]: %N SPIs: %.16"PRIx64"_i%s %.16"PRIx64"_r%s",
 				ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
 				ike_version_names, ike_sa->get_version(ike_sa),
-				id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
-				id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
+				be64toh(id->get_initiator_spi(id)),
+				id->is_initiator(id) ? "*" : "",
+				be64toh(id->get_responder_spi(id)),
+				id->is_initiator(id) ? "" : "*");
 
 
 		if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
@@ -244,40 +244,36 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 			proposal = child_sa->get_proposal(child_sa);
 			if (proposal)
 			{
-				u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
-				u_int16_t encr_size = 0, int_size = 0;
-				u_int16_t esn = NO_EXT_SEQ_NUMBERS;
+				u_int16_t alg, ks;
 				bool first = TRUE;
 
-				proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
-										&encr_alg, &encr_size);
-				proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
-										&int_alg, &int_size);
-				proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS,
-										&esn, NULL);
-
-				if (encr_alg != ENCR_UNDEFINED)
+				if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
+											&alg, &ks) && alg != ENCR_UNDEFINED)
 				{
-					fprintf(out, "%N", encryption_algorithm_names, encr_alg);
+					fprintf(out, "%N", encryption_algorithm_names, alg);
 					first = FALSE;
-					if (encr_size)
+					if (ks)
 					{
-						fprintf(out, "_%u", encr_size);
+						fprintf(out, "_%u", ks);
 					}
 				}
-				if (int_alg != AUTH_UNDEFINED)
+				if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+											&alg, &ks) && alg != AUTH_UNDEFINED)
 				{
-					if (!first)
-					{
-						fprintf(out, "/");
-					}
-					fprintf(out, "%N", integrity_algorithm_names, int_alg);
-					if (int_size)
+					fprintf(out, "%s%N", first ? "" : "/",
+							integrity_algorithm_names, alg);
+					if (ks)
 					{
-						fprintf(out, "_%u", int_size);
+						fprintf(out, "_%u", ks);
 					}
 				}
-				if (esn == EXT_SEQ_NUMBERS)
+				if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
+											&alg, NULL))
+				{
+					fprintf(out, "/%N", diffie_hellman_group_names, alg);
+				}
+				if (proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS,
+											&alg, NULL) && alg == EXT_SEQ_NUMBERS)
 				{
 					fprintf(out, "/ESN");
 				}
@@ -538,8 +534,8 @@ METHOD(stroke_list_t, status, void,
 		}
 		enumerator->destroy(enumerator);
 
-		enumerator = hydra->kernel_interface->create_address_enumerator(
-								hydra->kernel_interface, ADDR_TYPE_REGULAR);
+		enumerator = charon->kernel->create_address_enumerator(charon->kernel,
+															ADDR_TYPE_REGULAR);
 		fprintf(out, "Listening IP addresses:\n");
 		while (enumerator->enumerate(enumerator, (void**)&host))
 		{
@@ -738,14 +734,20 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type)
 }
 
 /**
- * Print a single public key.
+ * Is there a matching private key?
  */
-static void list_public_key(public_key_t *public, FILE *out)
+static bool has_privkey(certificate_t *cert)
 {
+	public_key_t *public;
 	private_key_t *private = NULL;
 	chunk_t keyid;
 	identification_t *id;
 
+	public = cert->get_public_key(cert);
+	if (!public)
+	{
+		return FALSE;
+	}
 	if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
 	{
 		id = identification_create_from_encoding(ID_KEY_ID, keyid);
@@ -753,521 +755,56 @@ static void list_public_key(public_key_t *public, FILE *out)
 									public->get_type(public), id, NULL);
 		id->destroy(id);
 	}
-
-	fprintf(out, "  pubkey:    %N %d bits%s\n",
-			key_type_names, public->get_type(public),
-			public->get_keysize(public),
-			private ? ", has private key" : "");
-	if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
-	{
-		fprintf(out, "  keyid:     %#B\n", &keyid);
-	}
-	if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
-	{
-		fprintf(out, "  subjkey:   %#B\n", &keyid);
-	}
+	public->destroy(public);
 	DESTROY_IF(private);
-}
-
-/**
- * list all raw public keys
- */
-static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
-{
-	bool first = TRUE;
-	time_t now = time(NULL), notBefore, notAfter;
-	enumerator_t *enumerator;
-	certificate_t *cert;
-
-	enumerator = list->create_enumerator(list);
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		identification_t *subject = cert->get_subject(cert);
-		public_key_t *public = cert->get_public_key(cert);
-
-		if (public)
-		{
-			if (first)
-			{
-				fprintf(out, "\n");
-				fprintf(out, "List of Raw Public Keys:\n");
-				first = FALSE;
-			}
-			fprintf(out, "\n");
-
-			/* list subject if available */
-			if (subject->get_type(subject) != ID_KEY_ID)
-			{
-				fprintf(out, "  subject:   %#Y\n", subject);
-			}
-
-			/* list validity if available*/
-			cert->get_validity(cert, &now, &notBefore, &notAfter);
-			if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
-			{
-				fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
-				if (now < notBefore)
-				{
-					fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
-				}
-				else
-				{
-					fprintf(out, "ok\n");
-				}
-				fprintf(out, "             not after  %T, ", &notAfter, utc);
-				if (now > notAfter)
-				{
-					fprintf(out, "expired (%V ago)\n", &now, &notAfter);
-				}
-				else
-				{
-					fprintf(out, "ok");
-					if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
-					{
-						fprintf(out, " (expires in %V)", &now, &notAfter);
-					}
-					fprintf(out, " \n");
-				}
-			}
-
-			list_public_key(public, out);
-			public->destroy(public);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * list OpenPGP certificates
- */
-static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
-{
-	bool first = TRUE;
-	time_t now = time(NULL);
-	enumerator_t *enumerator = list->create_enumerator(list);
-	certificate_t *cert;
-
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		time_t created, until;
-		public_key_t *public;
-		pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
-		chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
-
-		if (first)
-		{
 
-			fprintf(out, "\n");
-				fprintf(out, "List of PGP End Entity Certificates:\n");
-				first = FALSE;
-		}
-		fprintf(out, "\n");
-		fprintf(out, "  userid:   '%Y'\n", cert->get_subject(cert));
-
-		fprintf(out, "  digest:    %#B\n", &fingerprint);
-
-		/* list validity */
-		cert->get_validity(cert, &now, &created, &until);
-		fprintf(out, "  created:   %T\n", &created, utc);
-		fprintf(out, "  until:     %T%s\n", &until, utc,
-			(until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
-
-		public = cert->get_public_key(cert);
-		if (public)
-		{
-			list_public_key(public, out);
-			public->destroy(public);
-		}
-	}
-	enumerator->destroy(enumerator);
+	return (private != NULL);
 }
 
 /**
  * list all X.509 certificates matching the flags
  */
-static void stroke_list_certs(linked_list_t *list, char *label,
-							  x509_flag_t flags, bool utc, FILE *out)
+static void stroke_list_x509_certs(linked_list_t *list, x509_flag_t flag)
 {
-	bool first = TRUE;
-	time_t now = time(NULL);
 	enumerator_t *enumerator;
 	certificate_t *cert;
-	x509_flag_t flag_mask;
-
-	/* mask all auxiliary flags */
-	flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE |
-				  X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS);
 
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, (void**)&cert))
 	{
 		x509_t *x509 = (x509_t*)cert;
-		x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask;
+		x509_flag_t flags = x509->get_flags(x509) & X509_ANY;
 
 		/* list only if flag is set or flag == 0 */
-		if ((x509_flags & flags) || (x509_flags == flags))
+		if ((flags & flag) || flags == flag)
 		{
-			enumerator_t *enumerator;
-			identification_t *altName;
-			bool first_altName = TRUE;
-			u_int pathlen;
-			chunk_t serial, authkey;
-			time_t notBefore, notAfter;
-			public_key_t *public;
-
-			if (first)
-			{
-				fprintf(out, "\n");
-				fprintf(out, "List of %s:\n", label);
-				first = FALSE;
-			}
-			fprintf(out, "\n");
-
-			/* list subjectAltNames */
-			enumerator = x509->create_subjectAltName_enumerator(x509);
-			while (enumerator->enumerate(enumerator, (void**)&altName))
-			{
-				if (first_altName)
-				{
-					fprintf(out, "  altNames:  ");
-					first_altName = FALSE;
-				}
-				else
-				{
-					fprintf(out, ", ");
-				}
-				fprintf(out, "%Y", altName);
-			}
-			if (!first_altName)
-			{
-				fprintf(out, "\n");
-			}
-			enumerator->destroy(enumerator);
-
-			fprintf(out, "  subject:  \"%Y\"\n", cert->get_subject(cert));
-			fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-			serial = chunk_skip_zero(x509->get_serial(x509));
-			fprintf(out, "  serial:    %#B\n", &serial);
-
-			/* list validity */
-			cert->get_validity(cert, &now, &notBefore, &notAfter);
-			fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
-			if (now < notBefore)
-			{
-				fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
-			}
-			else
-			{
-				fprintf(out, "ok\n");
-			}
-			fprintf(out, "             not after  %T, ", &notAfter, utc);
-			if (now > notAfter)
-			{
-				fprintf(out, "expired (%V ago)\n", &now, &notAfter);
-			}
-			else
-			{
-				fprintf(out, "ok");
-				if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
-				{
-					fprintf(out, " (expires in %V)", &now, &notAfter);
-				}
-				fprintf(out, " \n");
-			}
-
-			public = cert->get_public_key(cert);
-			if (public)
-			{
-				list_public_key(public, out);
-				public->destroy(public);
-			}
-
-			/* list optional authorityKeyIdentifier */
-			authkey = x509->get_authKeyIdentifier(x509);
-			if (authkey.ptr)
-			{
-				fprintf(out, "  authkey:   %#B\n", &authkey);
-			}
-
-			/* list optional pathLenConstraint */
-			pathlen = x509->get_constraint(x509, X509_PATH_LEN);
-			if (pathlen != X509_NO_CONSTRAINT)
-			{
-				fprintf(out, "  pathlen:   %u\n", pathlen);
-			}
-
-			/* list optional ipAddrBlocks */
-			if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
-			{
-				traffic_selector_t *ipAddrBlock;
-				bool first_ipAddrBlock = TRUE;
-
-				fprintf(out, "  addresses: ");
-				enumerator = x509->create_ipAddrBlock_enumerator(x509);
-				while (enumerator->enumerate(enumerator, &ipAddrBlock))
-				{
-					if (first_ipAddrBlock)
-					{
-						first_ipAddrBlock = FALSE;
-					}
-					else
-					{
-						fprintf(out, ", ");
-					}
-					fprintf(out, "%R", ipAddrBlock);
-				}
-				enumerator->destroy(enumerator);
-				fprintf(out, "\n");
-			}
+			cert_printer->print_caption(cert_printer, CERT_X509, flag);
+			cert_printer->print(cert_printer, cert, has_privkey(cert));
 		}
 	}
 	enumerator->destroy(enumerator);
 }
 
 /**
- * list all X.509 attribute certificates
+ * list all other certificates types
  */
-static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
+static void stroke_list_other_certs(certificate_type_t type)
 {
-	bool first = TRUE;
-	time_t notBefore, notAfter, now = time(NULL);
 	enumerator_t *enumerator;
 	certificate_t *cert;
+	linked_list_t *list;
+
+	list = create_unique_cert_list(type);
 
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, &cert))
 	{
-		ac_t *ac = (ac_t*)cert;
-		ac_group_type_t type;
-		identification_t *id;
-		enumerator_t *groups;
-		chunk_t chunk;
-		bool firstgroup = TRUE;
-
-		if (first)
-		{
-			fprintf(out, "\n");
-			fprintf(out, "List of X.509 Attribute Certificates:\n");
-			first = FALSE;
-		}
-		fprintf(out, "\n");
-
-		id = cert->get_subject(cert);
-		if (id)
-		{
-			fprintf(out, "  holder:   \"%Y\"\n", id);
-		}
-		id = ac->get_holderIssuer(ac);
-		if (id)
-		{
-			fprintf(out, "  hissuer:  \"%Y\"\n", id);
-		}
-		chunk = chunk_skip_zero(ac->get_holderSerial(ac));
-		if (chunk.ptr)
-		{
-			fprintf(out, "  hserial:   %#B\n", &chunk);
-		}
-		groups = ac->create_group_enumerator(ac);
-		while (groups->enumerate(groups, &type, &chunk))
-		{
-			int oid;
-			char *str;
-
-			if (firstgroup)
-			{
-				fprintf(out, "  groups:    ");
-				firstgroup = FALSE;
-			}
-			else
-			{
-				fprintf(out, "             ");
-			}
-			switch (type)
-			{
-				case AC_GROUP_TYPE_STRING:
-					fprintf(out, "%.*s", (int)chunk.len, chunk.ptr);
-					break;
-				case AC_GROUP_TYPE_OID:
-					oid = asn1_known_oid(chunk);
-					if (oid == OID_UNKNOWN)
-					{
-						str = asn1_oid_to_string(chunk);
-						if (str)
-						{
-							fprintf(out, "%s", str);
-							free(str);
-						}
-						else
-						{
-							fprintf(out, "OID:%#B", &chunk);
-						}
-					}
-					else
-					{
-						fprintf(out, "%s", oid_names[oid].name);
-					}
-					break;
-				case AC_GROUP_TYPE_OCTETS:
-					fprintf(out, "%#B", &chunk);
-					break;
-			}
-			fprintf(out, "\n");
-		}
-		groups->destroy(groups);
-		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-		chunk  = chunk_skip_zero(ac->get_serial(ac));
-		fprintf(out, "  serial:    %#B\n", &chunk);
-
-		/* list validity */
-		cert->get_validity(cert, &now, &notBefore, &notAfter);
-		fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
-		if (now < notBefore)
-		{
-			fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
-		}
-		else
-		{
-			fprintf(out, "ok\n");
-		}
-		fprintf(out, "             not after  %T, ", &notAfter, utc);
-		if (now > notAfter)
-		{
-			fprintf(out, "expired (%V ago)\n", &now, &notAfter);
-		}
-		else
-		{
-			fprintf(out, "ok");
-			if (now > notAfter - AC_WARNING_INTERVAL * 60 * 60 * 24)
-			{
-				fprintf(out, " (expires in %V)", &now, &notAfter);
-			}
-			fprintf(out, " \n");
-		}
-
-		/* list optional authorityKeyIdentifier */
-		chunk = ac->get_authKeyIdentifier(ac);
-		if (chunk.ptr)
-		{
-			fprintf(out, "  authkey:   %#B\n", &chunk);
-		}
+		cert_printer->print_caption(cert_printer, cert->get_type(cert), X509_NONE);
+		cert_printer->print(cert_printer, cert, has_privkey(cert));
 	}
 	enumerator->destroy(enumerator);
-}
-
-/**
- * list all X.509 CRLs
- */
-static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
-{
-	bool first = TRUE;
-	time_t thisUpdate, nextUpdate, now = time(NULL);
-	enumerator_t *enumerator = list->create_enumerator(list);
-	certificate_t *cert;
 
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		crl_t *crl = (crl_t*)cert;
-		chunk_t chunk;
-
-		if (first)
-		{
-			fprintf(out, "\n");
-			fprintf(out, "List of X.509 CRLs:\n");
-			first = FALSE;
-		}
-		fprintf(out, "\n");
-
-		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-
-		/* list optional crlNumber */
-		chunk = chunk_skip_zero(crl->get_serial(crl));
-		if (chunk.ptr)
-		{
-			fprintf(out, "  serial:    %#B\n", &chunk);
-		}
-		if (crl->is_delta_crl(crl, &chunk))
-		{
-			chunk = chunk_skip_zero(chunk);
-			fprintf(out, "  delta for: %#B\n", &chunk);
-		}
-
-		/* count the number of revoked certificates */
-		{
-			int count = 0;
-			enumerator_t *enumerator = crl->create_enumerator(crl);
-
-			while (enumerator->enumerate(enumerator, NULL, NULL, NULL))
-			{
-				count++;
-			}
-			fprintf(out, "  revoked:   %d certificate%s\n", count,
-							(count == 1)? "" : "s");
-			enumerator->destroy(enumerator);
-		}
-
-		/* list validity */
-		cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
-		fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
-		fprintf(out, "             next %T, ", &nextUpdate, utc);
-		if (now > nextUpdate)
-		{
-			fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
-		}
-		else
-		{
-			fprintf(out, "ok");
-			if (now > nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24)
-			{
-				fprintf(out, " (expires in %V)", &now, &nextUpdate);
-			}
-			fprintf(out, " \n");
-		}
-
-		/* list optional authorityKeyIdentifier */
-		chunk = crl->get_authKeyIdentifier(crl);
-		if (chunk.ptr)
-		{
-			fprintf(out, "  authkey:   %#B\n", &chunk);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * list all OCSP responses
- */
-static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
-{
-	bool first = TRUE, ok;
-	enumerator_t *enumerator = list->create_enumerator(list);
-	certificate_t *cert;
-	time_t produced, usable, now = time(NULL);
-
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		if (first)
-		{
-			fprintf(out, "\n");
-			fprintf(out, "List of OCSP responses:\n");
-			fprintf(out, "\n");
-			first = FALSE;
-		}
-		fprintf(out, "  signer:   \"%Y\"\n", cert->get_issuer(cert));
-
-		/* check validity */
-		ok = cert->get_validity(cert, &now, &produced, &usable);
-		fprintf(out, "  validity:  produced at %T\n", &produced, utc);
-		fprintf(out, "             usable till %T, ", &usable, utc);
-		if (ok)
-		{
-			fprintf(out, "ok\n");
-		}
-		else
-		{
-			fprintf(out, "expired (%V ago)\n", &now, &usable);
-		}
-	}
-	enumerator->destroy(enumerator);
+	list->destroy_offset(list, offsetof(certificate_t, destroy));
 }
 
 /**
@@ -1439,19 +976,15 @@ METHOD(stroke_list_t, list, void,
 {
 	linked_list_t *cert_list = NULL;
 
+	cert_printer = certificate_printer_create(out, TRUE, msg->list.utc);
+
 	if (msg->list.flags & LIST_PUBKEYS)
 	{
-		linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
-
-		stroke_list_pubkeys(pubkey_list, msg->list.utc, out);
-		pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
+		stroke_list_other_certs(CERT_TRUSTED_PUBKEY);
 	}
 	if (msg->list.flags & LIST_CERTS)
 	{
-		linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG);
-
-		stroke_list_pgp(pgp_list, msg->list.utc, out);
-		pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
+		stroke_list_other_certs(CERT_GPG);
 	}
 	if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
 	{
@@ -1459,47 +992,33 @@ METHOD(stroke_list_t, list, void,
 	}
 	if (msg->list.flags & LIST_CERTS)
 	{
-		stroke_list_certs(cert_list, "X.509 End Entity Certificates",
-						  X509_NONE, msg->list.utc, out);
+		stroke_list_x509_certs(cert_list, X509_NONE);
 	}
 	if (msg->list.flags & LIST_CACERTS)
 	{
-		stroke_list_certs(cert_list, "X.509 CA Certificates",
-						  X509_CA, msg->list.utc, out);
+		stroke_list_x509_certs(cert_list, X509_CA);
 	}
 	if (msg->list.flags & LIST_OCSPCERTS)
 	{
-		stroke_list_certs(cert_list, "X.509 OCSP Signer Certificates",
-						  X509_OCSP_SIGNER, msg->list.utc, out);
+		stroke_list_x509_certs(cert_list, X509_OCSP_SIGNER);
 	}
 	if (msg->list.flags & LIST_AACERTS)
 	{
-		stroke_list_certs(cert_list, "X.509 AA Certificates",
-						  X509_AA, msg->list.utc, out);
+		stroke_list_x509_certs(cert_list, X509_AA);
 	}
 	DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
 
 	if (msg->list.flags & LIST_ACERTS)
 	{
-		linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
-
-		stroke_list_acerts(ac_list, msg->list.utc, out);
-		ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
+		stroke_list_other_certs(CERT_X509_AC);
 	}
 	if (msg->list.flags & LIST_CRLS)
 	{
-		linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
-
-		stroke_list_crls(crl_list, msg->list.utc, out);
-		crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
+		stroke_list_other_certs(CERT_X509_CRL);
 	}
 	if (msg->list.flags & LIST_OCSP)
 	{
-		linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
-
-		stroke_list_ocsp(ocsp_list, msg->list.utc, out);
-
-		ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
+		stroke_list_other_certs(CERT_X509_OCSP_RESPONSE);
 	}
 	if (msg->list.flags & LIST_ALGS)
 	{
@@ -1509,6 +1028,8 @@ METHOD(stroke_list_t, list, void,
 	{
 		list_plugins(out);
 	}
+	cert_printer->destroy(cert_printer);
+	cert_printer = NULL;
 }
 
 /**
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 29563e32f..ee32dbca2 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -590,17 +590,10 @@ static void stroke_loglevel(private_stroke_socket_t *this,
 		fprintf(out, "command not allowed!\n");
 		return;
 	}
-	if (strcaseeq(msg->loglevel.type, "any"))
+	if (!enum_from_name(debug_names, msg->loglevel.type, &group))
 	{
-		group = DBG_ANY;
-	}
-	else
-	{
-		if (!enum_from_name(debug_names, msg->loglevel.type, &group))
-		{
-			fprintf(out, "unknown type '%s'!\n", msg->loglevel.type);
-			return;
-		}
+		fprintf(out, "unknown type '%s'!\n", msg->loglevel.type);
+		return;
 	}
 	charon->set_level(charon, group, msg->loglevel.level);
 }
diff --git a/src/libcharon/plugins/systime_fix/Makefile.am b/src/libcharon/plugins/systime_fix/Makefile.am
index 40a346440..95a33230f 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.am
+++ b/src/libcharon/plugins/systime_fix/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 if MONOLITHIC
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index be148b6c3..0daff4434 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-systime-fix.la
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.am b/src/libcharon/plugins/tnc_ifmap/Makefile.am
index 90fbf4651..dab98129d 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.am
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.am
@@ -1,7 +1,6 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtls \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index 17cc341c5..f124a1b38 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -419,6 +419,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -435,7 +437,6 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtls \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
index d2ba2e345..2bad4fab0 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
@@ -18,7 +18,6 @@
 #include "tnc_ifmap_renew_session_job.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <utils/debug.h>
 
 #define IFMAP_RENEW_SESSION_INTERVAL	150
@@ -51,8 +50,8 @@ static bool publish_device_ip_addresses(private_tnc_ifmap_listener_t *this)
 	host_t *host;
 	bool success = TRUE;
 
-	enumerator = hydra->kernel_interface->create_address_enumerator(
-									hydra->kernel_interface, ADDR_TYPE_REGULAR);
+	enumerator = charon->kernel->create_address_enumerator(charon->kernel,
+														   ADDR_TYPE_REGULAR);
 	while (enumerator->enumerate(enumerator, &host))
 	{
 		if (!this->ifmap->publish_device_ip(this->ifmap, host))
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.am b/src/libcharon/plugins/tnc_pdp/Makefile.am
index 3478c5b30..fcda7d76f 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.am
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius \
 	-I$(top_srcdir)/src/libtncif \
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index ef05275b7..bfd8cf820 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -420,6 +420,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -435,7 +437,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius \
 	-I$(top_srcdir)/src/libtncif \
diff --git a/src/libcharon/plugins/uci/Makefile.am b/src/libcharon/plugins/uci/Makefile.am
index 134ced0e3..296c8db04 100644
--- a/src/libcharon/plugins/uci/Makefile.am
+++ b/src/libcharon/plugins/uci/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index 2c031383a..a1c64ca1b 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -429,7 +431,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/unity/Makefile.am b/src/libcharon/plugins/unity/Makefile.am
index 38923e068..1244cb317 100644
--- a/src/libcharon/plugins/unity/Makefile.am
+++ b/src/libcharon/plugins/unity/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 4f0a7e736..00bb1498c 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -430,7 +432,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/updown/Makefile.am b/src/libcharon/plugins/updown/Makefile.am
index f03f4744c..f8738adee 100644
--- a/src/libcharon/plugins/updown/Makefile.am
+++ b/src/libcharon/plugins/updown/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index 619d17a0e..863e14430 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 96282bee0..e51caab10 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -1,7 +1,8 @@
 /*
  * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -21,7 +22,6 @@
 #include "updown_listener.h"
 
 #include <utils/process.h>
-#include <hydra.h>
 #include <daemon.h>
 #include <config/child_cfg.h>
 
@@ -205,25 +205,47 @@ static void push_vip_env(private_updown_listener_t *this, ike_sa_t *ike_sa,
 	enumerator->destroy(enumerator);
 }
 
+#define	PORT_BUF_LEN	12
+
 /**
  * Determine proper values for port env variable
  */
-static u_int16_t get_port(traffic_selector_t *me,
-						  traffic_selector_t *other, bool local)
+static char* get_port(traffic_selector_t *me, traffic_selector_t *other,
+					  char *port_buf, bool local)
 {
+	uint16_t port, to, from;
+
 	switch (max(me->get_protocol(me), other->get_protocol(other)))
 	{
 		case IPPROTO_ICMP:
 		case IPPROTO_ICMPV6:
 		{
-			u_int16_t port = me->get_from_port(me);
-
-			port = max(port, other->get_from_port(other));
-			return local ? traffic_selector_icmp_type(port)
-						 : traffic_selector_icmp_code(port);
+			port = max(me->get_from_port(me), other->get_from_port(other));
+			snprintf(port_buf, PORT_BUF_LEN, "%u",
+					 local ? traffic_selector_icmp_type(port)
+						   : traffic_selector_icmp_code(port));
+			return port_buf;
 		}
 	}
-	return local ? me->get_from_port(me) : other->get_from_port(other);
+	if (local)
+	{
+		from = me->get_from_port(me);
+		to   = me->get_to_port(me);
+	}
+	else
+	{
+		from = other->get_from_port(other);
+		to   = other->get_to_port(other);
+	}
+	if (from == to || (from == 0 && to == 65535))
+	{
+		snprintf(port_buf, PORT_BUF_LEN, "%u", from);
+	}
+	else
+	{
+		snprintf(port_buf, PORT_BUF_LEN, "%u:%u", from, to);
+	}
+	return port_buf;
 }
 
 /**
@@ -241,6 +263,7 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
 	int out;
 	FILE *shell;
 	process_t *process;
+	char port_buf[PORT_BUF_LEN];
 	char *envp[128] = {};
 
 	me = ike_sa->get_my_host(ike_sa);
@@ -265,8 +288,7 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
 			 config->get_name(config));
 	if (up)
 	{
-		if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
-												   me, &iface))
+		if (charon->kernel->get_interface(charon->kernel, me, &iface))
 		{
 			cache_iface(this, child_sa->get_reqid(child_sa), iface);
 		}
@@ -289,25 +311,29 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
 			 ike_sa->get_unique_id(ike_sa));
 	push_env(envp, countof(envp), "PLUTO_ME=%H", me);
 	push_env(envp, countof(envp), "PLUTO_MY_ID=%Y", ike_sa->get_my_id(ike_sa));
-	if (my_ts->to_subnet(my_ts, &host, &mask))
+	if (!my_ts->to_subnet(my_ts, &host, &mask))
 	{
-		push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask);
-		host->destroy(host);
+		DBG1(DBG_CHD, "updown approximates local TS %R "
+					  "by next larger subnet", my_ts);
 	}
-	push_env(envp, countof(envp), "PLUTO_MY_PORT=%u",
-			 get_port(my_ts, other_ts, TRUE));
+	push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask);
+	host->destroy(host);
+	push_env(envp, countof(envp), "PLUTO_MY_PORT=%s",
+			 get_port(my_ts, other_ts, port_buf, TRUE));
 	push_env(envp, countof(envp), "PLUTO_MY_PROTOCOL=%u",
 			 my_ts->get_protocol(my_ts));
 	push_env(envp, countof(envp), "PLUTO_PEER=%H", other);
 	push_env(envp, countof(envp), "PLUTO_PEER_ID=%Y",
 			 ike_sa->get_other_id(ike_sa));
-	if (other_ts->to_subnet(other_ts, &host, &mask))
+	if (!other_ts->to_subnet(other_ts, &host, &mask))
 	{
-		push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask);
-		host->destroy(host);
+		DBG1(DBG_CHD, "updown approximates remote TS %R "
+					  "by next larger subnet", other_ts);
 	}
-	push_env(envp, countof(envp), "PLUTO_PEER_PORT=%u",
-			 get_port(my_ts, other_ts, FALSE));
+	push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask);
+	host->destroy(host);
+	push_env(envp, countof(envp), "PLUTO_PEER_PORT=%s",
+			 get_port(my_ts, other_ts, port_buf, FALSE));
 	push_env(envp, countof(envp), "PLUTO_PEER_PROTOCOL=%u",
 			 other_ts->get_protocol(other_ts));
 	if (ike_sa->has_condition(ike_sa, COND_EAP_AUTHENTICATED) ||
diff --git a/src/libcharon/plugins/vici/Makefile.am b/src/libcharon/plugins/vici/Makefile.am
index c99d23e4e..ca9b49906 100644
--- a/src/libcharon/plugins/vici/Makefile.am
+++ b/src/libcharon/plugins/vici/Makefile.am
@@ -1,6 +1,6 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libstrongswan/plugins/pubkey \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
@@ -18,6 +18,7 @@ libstrongswan_vici_la_SOURCES = \
 	vici_message.h vici_message.c \
 	vici_builder.h vici_builder.c \
 	vici_dispatcher.h vici_dispatcher.c \
+	vici_cert_info.h vici_cert_info.c \
 	vici_query.h vici_query.c \
 	vici_control.h vici_control.c \
 	vici_config.h vici_config.c \
@@ -38,6 +39,7 @@ ipseclib_LTLIBRARIES = libvici.la
 libvici_la_SOURCES = \
 	vici_message.c vici_message.h \
 	vici_builder.c vici_builder.h \
+	vici_cert_info.h vici_cert_info.c \
 	libvici.c libvici.h
 
 libvici_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -79,3 +81,7 @@ endif
 if USE_PYTHON_EGGS
 SUBDIRS += python
 endif
+
+if USE_PERL_CPAN
+SUBDIRS += perl
+endif
diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in
index 1a7870ae9..86ed00792 100644
--- a/src/libcharon/plugins/vici/Makefile.in
+++ b/src/libcharon/plugins/vici/Makefile.in
@@ -82,6 +82,7 @@ TESTS = vici_tests$(EXEEXT)
 check_PROGRAMS = $(am__EXEEXT_1)
 @USE_RUBY_GEMS_TRUE@am__append_1 = ruby
 @USE_PYTHON_EGGS_TRUE@am__append_2 = python
+@USE_PERL_CPAN_TRUE@am__append_3 = perl
 subdir = src/libcharon/plugins/vici
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -134,9 +135,10 @@ LTLIBRARIES = $(ipseclib_LTLIBRARIES) $(noinst_LTLIBRARIES) \
 	$(plugin_LTLIBRARIES)
 libstrongswan_vici_la_LIBADD =
 am_libstrongswan_vici_la_OBJECTS = vici_socket.lo vici_message.lo \
-	vici_builder.lo vici_dispatcher.lo vici_query.lo \
-	vici_control.lo vici_config.lo vici_cred.lo vici_attribute.lo \
-	vici_authority.lo vici_logger.lo vici_plugin.lo
+	vici_builder.lo vici_dispatcher.lo vici_cert_info.lo \
+	vici_query.lo vici_control.lo vici_config.lo vici_cred.lo \
+	vici_attribute.lo vici_authority.lo vici_logger.lo \
+	vici_plugin.lo
 libstrongswan_vici_la_OBJECTS = $(am_libstrongswan_vici_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -150,7 +152,8 @@ libstrongswan_vici_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 @MONOLITHIC_TRUE@am_libstrongswan_vici_la_rpath =
 libvici_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_libvici_la_OBJECTS = vici_message.lo vici_builder.lo libvici.lo
+am_libvici_la_OBJECTS = vici_message.lo vici_builder.lo \
+	vici_cert_info.lo libvici.lo
 libvici_la_OBJECTS = $(am_libvici_la_OBJECTS)
 am__EXEEXT_1 = vici_tests$(EXEEXT)
 am__dirstamp = $(am__leading_dot)dirstamp
@@ -270,7 +273,7 @@ am__tty_colors = { \
     std=''; \
   fi; \
 }
-DIST_SUBDIRS = ruby python
+DIST_SUBDIRS = ruby python perl
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -509,6 +512,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -524,7 +529,7 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libstrongswan/plugins/pubkey \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
@@ -538,6 +543,7 @@ libstrongswan_vici_la_SOURCES = \
 	vici_message.h vici_message.c \
 	vici_builder.h vici_builder.c \
 	vici_dispatcher.h vici_dispatcher.c \
+	vici_cert_info.h vici_cert_info.c \
 	vici_query.h vici_query.c \
 	vici_control.h vici_control.c \
 	vici_config.h vici_config.c \
@@ -553,6 +559,7 @@ ipseclib_LTLIBRARIES = libvici.la
 libvici_la_SOURCES = \
 	vici_message.c vici_message.h \
 	vici_builder.c vici_builder.h \
+	vici_cert_info.h vici_cert_info.c \
 	libvici.c libvici.h
 
 libvici_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -578,7 +585,7 @@ vici_tests_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libstrongswan/tests/libtest.la
 
-SUBDIRS = $(am__append_1) $(am__append_2)
+SUBDIRS = $(am__append_1) $(am__append_2) $(am__append_3)
 all: all-recursive
 
 .SUFFIXES:
@@ -739,6 +746,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_attribute.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_authority.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_cert_info.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_config.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_control.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_cred.Plo@am__quote@
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index b9531d8a5..52929bd74 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -258,7 +258,8 @@ Initiates an SA while streaming _control-log_ events.
 
 	{
 		child = <CHILD_SA configuration name to initiate>
-		timeout = <timeout in seconds before returning>
+		ike = <optional IKE_SA configuraiton name to find child under>
+		timeout = <timeout in ms before returning>
 		init-limits = <whether limits may prevent initiating the CHILD_SA>
 		loglevel = <loglevel to issue "control-log" events for>
 	} => {
@@ -266,6 +267,9 @@ Initiates an SA while streaming _control-log_ events.
 		errmsg = <error string on failure or timeout>
 	}
 
+The default timeout of 0 waits indefinitely for a result, and a timeout value
+of -1 returns a result immediately.
+
 ### terminate() ###
 
 Terminates an SA while streaming _control-log_ events.
@@ -275,19 +279,40 @@ Terminates an SA while streaming _control-log_ events.
 		ike = <terminate an IKE_SA by configuration name>
 		child_id = <terminate a CHILD_SA by its reqid>
 		ike_id = <terminate an IKE_SA by its unique id>
-		timeout = <timeout in seconds before returning>
+		timeout = <timeout in ms before returning>
 		loglevel = <loglevel to issue "control-log" events for>
 	} => {
 		success = <yes or no>
 		errmsg = <error string on failure or timeout>
 	}
 
+The default timeout of 0 waits indefinitely for a result, and a timeout value
+of -1 returns a result immediately.
+
+### redirect() ###
+
+Redirect a client-initiated IKE_SA to another gateway.  Only for IKEv2 and if
+supported by the peer.
+
+	{
+		ike = <redirect an IKE_SA by configuration name>
+		ike-id = <redirect an IKE_SA by its unique id>
+		peer-ip = <redirect an IKE_SA with matching peer IP, may also be a
+				   subnet in CIDR notation or an IP range>
+		peer-id = <redirect an IKE_SA with matching peer identity, may contain
+				   wildcards>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
 ### install() ###
 
 Install a trap, drop or bypass policy defined by a CHILD_SA config.
 
 	{
 		child = <CHILD_SA configuration name to install>
+		ike = <optional IKE_SA configuraiton name to find child under>
 	} => {
 		success = <yes or no>
 		errmsg = <error string on failure>
@@ -361,7 +386,9 @@ call includes all certificates known by the daemon, not only those loaded
 over vici.
 
 	{
-		type = <certificate type to filter for, or ANY>
+		type = <certificate type to filter for, X509|X509_AC|X509_CRL|
+												OCSP_RESPONSE|PUBKEY  or ANY>
+		flag = <X.509 certificate flag to filter for, NONE|CA|AA|OCSP or ANY>
 		subject = <set to list only certificates having subject>
 	} => {
 		# completes after streaming list-cert events
@@ -419,7 +446,8 @@ Unload a previously loaded connection definition by name.
 Load a certificate into the daemon.
 
 	{
-		type = <certificate type, X509|X509CA|X509AA|X509CRL|X509AC>
+		type = <certificate type, X509|X509_AC|X509_CRL>
+		flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
 		data = <PEM or DER encoded certificate data>
 	} => {
 		success = <yes or no>
@@ -544,6 +572,16 @@ List the currently loaded pools.
 		}
 	}
 
+### get-algorithms() ###
+
+List currently loaded algorithms and their implementation.
+
+	{} => {
+		<algorithm type> = {
+			<algorithm> = <plugin providing the implementation>
+		}
+	}
+
 ## Server-issued events ##
 
 Based on the packet layer, the vici plugin raises event messages using named
@@ -588,8 +626,10 @@ command.
 			version = <IKE version, 1 or 2>
 			state = <IKE_SA state name>
 			local-host = <local IKE endpoint address>
+			local-port = <local IKE endpoint port>
 			local-id = <local IKE identity>
 			remote-host = <remote IKE endpoint address>
+			remote-port = <remote IKE endpoint port>
 			remote-id = <remote IKE identity>
 			remote-xauth-id = <remote XAuth identity, if XAuth-authenticated>
 			remote-eap-id = <remote EAP identity, if EAP-authenticated>
@@ -735,9 +775,13 @@ The _list-cert_ event is issued to stream loaded certificates during an active
 _list-certs_ command.
 
 	{
-		type = <certificate type>
+		type = <certificate type, X509|X509_AC|X509_CRL|OCSP_RESPONSE|PUBKEY>
+		flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
 		has_privkey = <set if a private key for the certificate is available>
 		data = <ASN1 encoded certificate data>
+		subject = <subject string if defined and certificate type is PUBKEY>
+		not-before = <time string if defined and certificate type is PUBKEY>
+		not-after  = <time string if defined and certificate type is PUBKEY>
 	}
 
 ### list-authority ###
@@ -763,7 +807,7 @@ information during an active_list-authorities_ command.
 The _ike-updown_ event is issued when an IKE_SA is established or terminated.
 
 	{
-		up = <yes or no>
+		up = <set if up event>
 		<IKE_SA config name> = {
 			<same data as in the list-sas event, but without child-sas section>
 		}
@@ -789,7 +833,7 @@ The _ike-rekey_ event is issued when an IKE_SA is rekeyed.
 The _child-updown_ event is issued when a CHILD_SA is established or terminated.
 
 	{
-		up = <yes or no>
+		up = <set if up event>
 		<IKE_SA config name> = {
 			<same data as in the list-sas event, but with only the affected
 			 CHILD_SA in the child-sas section>
@@ -1068,3 +1112,43 @@ dictionaries. Objects returned by the library use OrderedDicts.
 
 For more details about the Python egg refer to the comments in the Python source
 code.
+
+# Vici::Session Perl CPAN module #
+
+The _Vici::Session Perl CPAN module_ is a pure Perl implementation of the VICI
+protocol to implement client applications. It is provided in the _perl_
+subdirectory, and gets built and installed if strongSwan has been
+ _./configure_'d with_--enable-vici_ and _--enable-perl-cpan_.
+
+The _Vici::Session_ module provides a _new()_ constructor for a high level
+interface, the underlying _Vici::Packet_ and _Vici::Transport_ classes are
+usually not required to build Perl applications using VICI. The _Vici::Session_
+class provides methods for the supported VICI commands. The auxiliare
+ _Vici::Message_ class is used to encode configuration parameters sent to
+the daemon and decode data returned by the daemon.
+
+## Connecting to the daemon ##
+
+	use IO::Socket::UNIX;
+	use Vici::Session;
+	use Vici::Message;
+
+	my $socket = IO::Socket::UNIX->new(
+			Type => SOCK_STREAM,
+			Peer => '/var/run/charon.vici',
+	) or die "Vici socket: $!";
+
+	my $session = Vici::Session->new($socket);
+
+## A simple client request ##
+
+An example to print the daemon version information is as simple as:
+
+	my $version = $session->version()->hash();
+
+	foreach my $key ('daemon', 'version', 'sysname', 'release', 'machine' ) {
+		print $version->{$key}, " ";
+	}
+
+The _Vici::Session_ methods are explained in the perl/Vici-Session/README.pod
+document.
diff --git a/src/libcharon/plugins/vici/perl/Makefile.am b/src/libcharon/plugins/vici/perl/Makefile.am
new file mode 100644
index 000000000..9bc6262ac
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Makefile.am
@@ -0,0 +1,27 @@
+EXTRA_DIST = \
+	Vici-Session/Changes \
+	Vici-Session/Makefile.PL \
+	Vici-Session/MANIFEST \
+	Vici-Session/README.pod \
+	Vici-Session/t/Vici-Session.t \
+	Vici-Session/lib/Vici/Message.pm \
+	Vici-Session/lib/Vici/Packet.pm \
+	Vici-Session/lib/Vici/Session.pm \
+	Vici-Session/lib/Vici/Transport.pm
+
+all-local: Vici-Session/pm_to_blib
+
+Vici-Session/Makefile: $(srcdir)/Vici-Session/Makefile.PL
+	(cd $(srcdir)/Vici-Session; $(PERL) Makefile.PL)
+
+Vici-Session/pm_to_blib: $(EXTRA_DIST) $(srcdir)/Vici-Session/Makefile
+	(cd $(srcdir)/Vici-Session; make)
+
+clean-local:
+	(cd $(srcdir)/Vici-Session; [ ! -f Makefile ] || make clean)
+
+if PERL_CPAN_INSTALL
+install-exec-local: Vici-Session/pm_to_blib
+	(cd $(srcdir)/Vici-Session; make install)
+endif
+
diff --git a/src/libcharon/plugins/vici/perl/Makefile.in b/src/libcharon/plugins/vici/perl/Makefile.in
new file mode 100644
index 000000000..550d3e980
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Makefile.in
@@ -0,0 +1,567 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/vici/perl
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+EXTRA_DIST = \
+	Vici-Session/Changes \
+	Vici-Session/Makefile.PL \
+	Vici-Session/MANIFEST \
+	Vici-Session/README.pod \
+	Vici-Session/t/Vici-Session.t \
+	Vici-Session/lib/Vici/Message.pm \
+	Vici-Session/lib/Vici/Packet.pm \
+	Vici-Session/lib/Vici/Session.pm \
+	Vici-Session/lib/Vici/Transport.pm
+
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/vici/perl/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/vici/perl/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+@PERL_CPAN_INSTALL_FALSE@install-exec-local:
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-local mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am: install-exec-local
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am all-local check check-am clean clean-generic \
+	clean-libtool clean-local cscopelist-am ctags-am distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-exec-local install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags-am uninstall uninstall-am
+
+
+all-local: Vici-Session/pm_to_blib
+
+Vici-Session/Makefile: $(srcdir)/Vici-Session/Makefile.PL
+	(cd $(srcdir)/Vici-Session; $(PERL) Makefile.PL)
+
+Vici-Session/pm_to_blib: $(EXTRA_DIST) $(srcdir)/Vici-Session/Makefile
+	(cd $(srcdir)/Vici-Session; make)
+
+clean-local:
+	(cd $(srcdir)/Vici-Session; [ ! -f Makefile ] || make clean)
+
+@PERL_CPAN_INSTALL_TRUE@install-exec-local: Vici-Session/pm_to_blib
+@PERL_CPAN_INSTALL_TRUE@	(cd $(srcdir)/Vici-Session; make install)
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/Changes b/src/libcharon/plugins/vici/perl/Vici-Session/Changes
new file mode 100644
index 000000000..0c30328fd
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/Changes
@@ -0,0 +1,6 @@
+Revision history for Perl extension Vici::Session.
+
+0.9  Tue Nov 17 11:45:21 2015
+	- original version; created by h2xs 1.23 with options
+		-X -n Vici::Session
+
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/MANIFEST b/src/libcharon/plugins/vici/perl/Vici-Session/MANIFEST
new file mode 100644
index 000000000..c19032a08
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/MANIFEST
@@ -0,0 +1,9 @@
+Changes
+Makefile.PL
+MANIFEST
+README.pod
+t/Vici-Session.t
+lib/Vici/Session.pm
+lib/Vici/Message.pm
+lib/Vici/Packet.pm
+lib/Vici/Transport.pm
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/Makefile.PL b/src/libcharon/plugins/vici/perl/Vici-Session/Makefile.PL
new file mode 100644
index 000000000..65f494557
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/Makefile.PL
@@ -0,0 +1,11 @@
+use ExtUtils::MakeMaker;
+# See lib/ExtUtils/MakeMaker.pm for details of how to influence
+# the contents of the Makefile that is written.
+WriteMakefile(
+    NAME              => 'Vici::Session',
+    VERSION_FROM      => 'lib/Vici/Session.pm', # finds $VERSION
+    PREREQ_PM         => {}, # e.g., Module::Name => 1.1
+    ($] >= 5.005 ?     ## Add these new keywords supported since 5.005
+      (ABSTRACT_FROM  => 'lib/Vici/Session.pm', # retrieve abstract from module
+       AUTHOR         => 'Andreas Steffen <andreas.steffen@>strongswan.org') : ()),
+);
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/README.pod b/src/libcharon/plugins/vici/perl/Vici-Session/README.pod
new file mode 100644
index 000000000..de374aa11
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/README.pod
@@ -0,0 +1,649 @@
+
+=head1 NAME
+
+Vici::Session - Perl binding for the strongSwan VICI configuration interface
+
+=head1 DESCRIPTION
+
+The Vici::Session module allows a Perl script to communicate with the open
+source strongSwan IPsec daemon (https://www.strongswan.org) via the documented
+Versatile IKE Configuration Interface (VICI). VICI allows the configuration,
+management and monitoring of multiple IPsec connections.
+
+=head1 INSTALLATION
+
+To install this module type the following:
+
+  perl Makefile.PL
+  make
+  make install
+
+=head1 DEPENDENCIES
+
+This module requires the standard networking module:
+
+  IO::Socket::UNIX
+
+=head1 METHODS
+
+The following examples show the use of the Vici::Session interface in a
+a "net-net" connection between the VPN gateways "moon" and "sun".
+
+=cut
+
+use strict;
+use warnings;
+use IO::Socket::UNIX;
+use Vici::Message;
+use Vici::Session;
+
+my $moon_key = "-----BEGIN RSA PRIVATE KEY-----\n" .
+    "MIIEowIBAAKCAQEApHwF+sUXQdH+WwYzdPMzpjuwhGGvHgsmBah1IQsPsddL9gZy" .
+    "gerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IABr87L9JAva56EHIAiUMuG8WizVbIK" .
+    "IhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6xvMJbwHLi0h7BUO9tBVLPy72YeGNB" .
+    "Y6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL0DgYP/n2maPEJGEivTFunkJD/mJ8" .
+    "DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhyYK5wsATB1ANeAtlFfgH+wsuHjZwt" .
+    "TJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47nwIDAQABAoIBAAQDXqX6rxGVDQ6t" .
+    "fQ3qbSUuKaVhOMOT5A6ZSJpQycY+CYVsLNkMoXszX6lUDhlH/Letcme03OAKMM77" .
+    "JGn9wYzHj+RcrDuE95Y2bh/oh1dWhaGeoW6pbSwpvD0FzkQKpANlOCr/5bltVxmb" .
+    "nHftI/sGBvUQGIal53ORE+jgV1+SK6I0oAIWiCpU2oZpYMAtp7WxOngsAJaGtk//" .
+    "m2ckH+T8uVHwe9gJ9HZnEk+Io6BXScMNNrsbd2J+pQ75wQXfzHEzHAj+ElhWzhtc" .
+    "5XefqHw/DfpPDX/lby3VoSoagqzsVuUx7LylgzIDxTsb9HQVOLjDzOQ+vn22Xj7g" .
+    "UCEjwLkCgYEA2EZguuzJdxRIWBSnIyzpCzfqm0EgybpeLuJVfzWla0yKWI6AeLhW" .
+    "cr+7o9UE8nCQHVffIrgjWksjc/S5FhzC9TYSHpPa8TPgebTQK4VxnP9Qkh/XRpJj" .
+    "CqgJ8k2MYleHYxa+AKQv/25yNhLdowkNR0iU1kbiaYRJMP0WigAmdAUCgYEAwrJe" .
+    "Y3LAawOkalJFMFTtLXsqZE91TFwMt9TQnzysGH3Q6+9N+qypS5KCes650+qgrwBV" .
+    "RmRNc1ixylToP3B0BKY5OD/BwMx1L/zSO3x7I4ZDasCu33y2ukGLcVSxrxTPTGdd" .
+    "8fhEiVO1CDXcM08/kSeQa049J8ziY3M+4NDchlMCgYEAw2VCO1923Tjb64gtQOBw" .
+    "ZAxOz5nVz6urL9yYted33is2yq9kbqzMnbuQAYKRh6Ae9APRuwJ2HjvIehjdp5aw" .
+    "pO4HDM00f7sI0ayEbu2PKfKZjotp6X6UMKqE4f8iGC9QSDvhyZ6NJs9YLHZ6+7NP" .
+    "5dkzbyx3njFAFxxxYpikJSkCgYByShB8YlUvvKCcRRUWbRQZWa6l2brqizJwCz43" .
+    "636+lcS5au2klAyBL0zm2Elfa+DNOe3U93Y7mrorIrJ+4v1H6We3bD3JdnvoIooq" .
+    "n0UNsngKx3cf++6r4WQAsA3pz9ZsbFVKgEmDL58aZbuQZxnSlJ4DT5c4sN3IMVOc" .
+    "1x5MvwKBgHudAaLvioIopBpYzOsK2OtEn6NQ7SwH0BLEUulHysaHqan5oExmM1bm" .
+    "YeivMDc9hj0YLXA47ryQHTx4vB5Nv3TI/LoUG6VrCvZvocQOXe/n7TguwAjJj7ef" .
+    "E55Gy8lXDRENyJMP1vif3N2iH8eQ1ASf8k/+gnBNkjSlYSSQUDfV\n" .
+    "-----END RSA PRIVATE KEY-----\n";
+ 
+my $moon_cert = "-----BEGIN CERTIFICATE-----\n" .
+    "MIIEIjCCAwqgAwIBAgIBKzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ" .
+    "MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS" .
+    "b290IENBMB4XDTE0MDgyNzE0NDQ1NloXDTE5MDgyNjE0NDQ1NlowRjELMAkGA1UE" .
+    "BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u" .
+    "c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCk" .
+    "fAX6xRdB0f5bBjN08zOmO7CEYa8eCyYFqHUhCw+x10v2BnKB6vOlMzW+9DiRtG68" .
+    "TdJlYt/24oRuJBX0gAGvzsv0kC9rnoQcgCJQy4bxaLNVsgoiFCVlzxLaYjABbQlz" .
+    "oSaegm/2PoX+1UP37rG8wlvAcuLSHsFQ720FUs/LvZh4Y0FjoKhvgKs64U4nIAJ7" .
+    "MnuL29n5fM5+dem7uovQOBg/+faZo8QkYSK9MW6eQkP+YnwN5zItNBxyGwKPbXXw" .
+    "Ey5/aqNWfhRY8IEG6HJgrnCwBMHUA14C2UV+Af7Cy4eNnC1Mmu7TmUYcFncXaFn0" .
+    "87ryFUdshlmPpIHxfjufAgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQE" .
+    "AwIDqDAdBgNVHQ4EFgQU2CY9Iex8275aOQxbcMsDgCHerhMwbQYDVR0jBGYwZIAU" .
+    "XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK" .
+    "ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC" .
+    "AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggr" .
+    "BgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u" .
+    "b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCpnj6Nc+PuPLPi" .
+    "4E3g5hyJkr5VZy7SSglcs1uyVP2mfwj6JR9SLd5+JOsL1aCTm0y9qLcqdbHBxG8i" .
+    "LNLtwVKU3s1hV4EIO3saHe4XUEjxN9bDtLWEoeq5ipmYX8RJ/fXKR8/8vurBARP2" .
+    "xu1+wqwEhymp4jBmF0LVovT1+o+GhH66zIJnx3zR9BtfMkaeL6804hrx2ygeopeo" .
+    "buGvMDQ8HcnMB9OU7Y8fK0oY1kULl6hf36K5ApPA6766sRRKRvBSKlmViKSQTq5a" .
+    "4c8gCWAZbtdT+N/fa8hKDlZt5q10EgjTqDfGTj50xKvAneq7XdfKmYYGnIWoNLY9" .
+    "ga8NOzX8\n" .
+    "-----END CERTIFICATE-----\n";
+
+my $ca_cert = "-----BEGIN CERTIFICATE-----\n" .
+    "MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ" .
+    "MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS" .
+    "b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE" .
+    "BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u" .
+    "Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y" .
+    "X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f" .
+    "FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc" .
+    "4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/" .
+    "7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5" .
+    "gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr" .
+    "K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG" .
+    "A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j" .
+    "BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw" .
+    "FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv" .
+    "b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in" .
+    "Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n" .
+    "1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y" .
+    "vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si" .
+    "7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa" .
+    "Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=\n" .
+    "-----END CERTIFICATE-----\n" ;
+
+=pod
+
+The VICI interface requires a UNIX socket in order to communicate with the
+strongSwan charon daemon:
+
+  use IO::Socket::UNIX;
+
+  my $socket = IO::Socket::UNIX->new(
+          Type => SOCK_STREAM,
+          Peer => '/var/run/charon.vici',
+  ) or die "Vici socket: $!";
+
+=cut
+
+my $socket = IO::Socket::UNIX->new(
+            Type => SOCK_STREAM,
+            Peer => '/var/run/charon.vici',
+) or die "Vici socket: $!";
+
+=over
+
+=item new()
+
+creates a new Vici::Session object.
+
+  use Vici::Session;
+  use Vici::Message;
+
+  my $session = Vici::Session->new($socket);
+
+=cut
+
+my $session = Vici::Session->new($socket);
+
+=item version()
+
+returns daemon and system specific version information.
+
+  my $version = $session->version();
+
+=cut
+
+print "----- version -----\n";
+my $version = $session->version();
+print $version->raw(), "\n";
+
+=item load_cert()
+
+loads a certificate into the daemon.
+
+  my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert );
+  my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- load-cert -----\n";
+my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert );
+my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item load_key()
+
+loads a private key into the daemon.
+
+  my %vars = ( type => 'RSA', data => $moon_key );
+  my ($res, $errmsg) = $session->load_key(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- load-key -----\n";
+%vars = ( type => 'RSA', data => $moon_key );
+($res, $errmsg) = $session->load_key(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item load_shared()
+
+loads a shared IKE PSK, EAP or XAuth secret into the daemon.
+
+  my @owners = ( 'carol' );
+  my %vars = ( type => 'EAP', data => 'Ar3etTnp', owners => \@owners );
+  my ($res, $errmsg) = $session->load_shared(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- load-shared -----\n";
+my @owners = ( 'carol' );
+%vars = ( type => 'EAP', data => 'Ar3etTnp', owners => \@owners );
+($res, $errmsg) = $session->load_shared(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item load_authority()
+
+loads a single certification authority definition into the daemon. An existing
+authority with the same name gets replaced.
+
+  my @crl_uris  = ( 'http://crl.strongswan.org/strongswan.crl' );
+  my @ocsp_uris = ( 'http://ocsp.strongswan.org:8880' );
+
+  my %auth = (
+      cacert => $ca_cert,
+      crl_uris  => \@crl_uris,
+      ocsp_uris => \@ocsp_uris
+  );
+
+  my %vars = ( strongswan => \%auth );
+  my ($res, $errmsg) = $session->load_authority(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- load-authority -----\n";
+my @crl_uris  = ( 'http://crl.strongswan.org/strongswan.crl' );
+my @ocsp_uris = ( 'http://ocsp.strongswan.org:8880' );
+my %auth = (
+    cacert => $ca_cert,
+    crl_uris  => \@crl_uris,
+    ocsp_uris => \@ocsp_uris
+);
+%vars = ( strongswan => \%auth );
+($res, $errmsg) = $session->load_authority(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item load_conn()
+
+loads a single connection definition into the daemon. An existing connection
+with the same name gets updated or replaced.
+
+  my @l_ts = ( '10.1.0.0/16' );
+  my @r_ts = ( '10.2.0.0/16' );
+  my @esp  = ( 'aes128gcm128-modp3072' );
+
+  my %child = (
+      local_ts  => \@l_ts,
+      remote_ts => \@r_ts,
+      esp_proposals => \@esp,
+  );
+  my %children = ( 'net-net' => \%child );
+
+  my @l_addrs = ( '192.168.0.1' );
+  my @r_addrs = ( '192.168.0.2' );
+  my @l_certs = ( $moon_cert );
+  my %l = ( auth => 'pubkey', id => 'moon.strongswan.org',
+            certs => \@l_certs );
+  my %r = ( auth => 'pubkey', id => 'sun.strongswan.org');
+  my @ike = ( 'aes128-sha256-modp3072' );
+
+  my %gw = (
+      version => 2,
+      mobike => 'no',
+      proposals => \@ike,
+      local_addrs  => \@l_addrs,
+      remote_addrs => \@r_addrs,
+      local  => \%l,
+      remote => \%r,
+      children => \%children,
+  );
+
+  my %vars = ( 'gw-gw' => \%gw);
+  my ($res, $errmsg) = $session->load_conn(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- load-conn -----\n";
+my @l_ts = ( '10.1.0.0/16' );
+my @r_ts = ( '10.2.0.0/16' );
+my @esp  = ( 'aes128gcm128-modp3072' );
+my %child = (
+    local_ts  => \@l_ts,
+    remote_ts => \@r_ts,
+    esp_proposals => \@esp,
+);  
+my %children = ( 'net-net' => \%child );
+my @l_addrs = ( '192.168.0.1' );
+my @r_addrs = ( '192.168.0.2' );
+my @l_certs = ( $moon_cert );
+my %l = ( auth => 'pubkey', id => 'moon.strongswan.org', certs => \@l_certs );
+my %r = ( auth => 'pubkey', id => 'sun.strongswan.org');
+my @ike = ( 'aes128-sha256-modp3072' );
+my %gw = (
+    version => 2,
+    mobike => 'no',
+    proposals => \@ike,
+    local_addrs  => \@l_addrs,
+    remote_addrs => \@r_addrs,
+    local  => \%l,
+    remote => \%r,
+    children => \%children,
+);
+%vars = ( 'gw-gw' => \%gw);
+($res, $errmsg) = $session->load_conn(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item get_algorithms()
+
+lists all currently loaded algorithms and their implementation.
+
+  my $algs = $session->get_algorithms();
+
+=cut
+
+print "----- get-algorithms -----\n";
+my $algs = $session->get_algorithms();
+print $algs->raw(), "\n";
+
+=item get_conns()
+
+returns a list of connection names loaded exclusively over VICI, not including
+connections found in other backends.
+
+  my $conns = $session->get_conns();
+
+=cut
+
+print "----- get-conns -----\n";
+my $conns = $session->get_conns();
+print $conns->raw(), "\n";
+
+=item list_conns()
+
+lists currently loaded connections by streaming list-conn events. This
+call includes all connections known by the daemon, not only those loaded
+over VICI.
+
+  my $conns = $session->list_conns();
+
+  foreach my $conn (@$conns)
+  {
+      print $conn->raw(), "\n";
+  }
+
+=cut
+
+print "----- list-conns -----\n";
+$conns = $session->list_conns();
+foreach my $conn (@$conns)
+{
+    print $conn->raw(), "\n";
+}
+
+=item initiate()
+
+initiates a CHILD_SA.
+
+  my %vars = ( child => 'net-net' );
+  my($res, $errmsg) = $session->initiate(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- initiate -----\n";
+%vars = ( child => 'net-net' );
+($res, $errmsg) = $session->initiate(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item list_sas()
+
+lists currently active IKE_SAs and associated CHILD_SAs by streaming list-sa
+events.
+
+  my $sas = $session->list_sas();
+
+  foreach my $sa (@$sas)
+  {
+      print $sa->raw(), "\n";
+  }
+
+=cut
+
+print "----- list-sas -----\n";
+my $sas = $session->list_sas();
+foreach my $sa (@$sas)
+{
+    print $sa->raw(), "\n";
+}
+
+=item get_authorities()
+
+returns a list of currently loaded certification authority names.
+
+  my $auths = $session->get_authorities();
+
+=cut
+
+print "----- get-authorities -----\n";
+my $auths = $session->get_authorities();
+print $auths->raw(), "\n";
+
+=item list-authorities()
+
+lists currently loaded certification authority information by streaming
+list-authority events.
+
+  my $auths = $session->list_authorities();
+
+  foreach my $auth (@$auths)
+  {
+      print $auth->raw(), "\n";
+  }
+
+=cut
+
+print "----- list-authorities -----\n";
+$auths = $session->list_authorities();
+foreach my $auth (@$auths)
+{
+    print $auth->raw(), "\n";
+}
+
+=item list_certs()
+
+lists currently loaded certificates by streaming list-cert events. This
+call includes all certificates known by the daemon, not only those loaded
+over VICI.
+
+  my %vars = ( subject => 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' );
+  my $certs = $session->list_certs(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- list-certs -----\n";
+%vars = ( subject => 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' );
+my $certs = $session->list_certs(Vici::Message->new(\%vars));
+foreach my $cert (@$certs)
+{
+    my $hash = $cert->hash();
+    print $hash->{'type'}, ": ", length($hash->{'data'}), ' bytes',
+          $hash->{'has_privkey'} ? ', has private key' : '', "\n";
+}
+
+=item stats()
+
+returns IKE daemon statistics and load information.
+
+  my $stats = $session->stats();
+
+=cut
+
+print "----- stats -----\n";
+my $stats = $session->stats();
+print $stats->raw(), "\n";
+
+=item terminate()
+
+terminates an IKE_SA or CHILD_SA.
+
+  my %vars = ( ike => 'gw-gw' );
+  my ($res, $errmsg) = $session->terminate(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- terminate -----\n";
+%vars = ( ike => 'gw-gw' );
+($res, $errmsg) = $session->terminate(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item install()
+
+installs a trap, drop or bypass policy defined by a CHILD_SA config.
+
+  my %vars = ( child => 'net-net' );
+  my ($res, $errmsg) = $session->install(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- install -----\n";
+%vars = ( child => 'net-net' );
+($res, $errmsg) = $session->install(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item list_policies()
+
+lists currently installed trap, drop and bypass policies by streaming
+list-policy events.
+
+  my %vars = ( trap => 'yes' );
+  my $pols = $session->list_policies(Vici::Message->new(\%vars));
+
+  foreach my $pol (@$pols)
+  {
+      print $pol->raw(), "\n";
+  }
+
+=cut
+
+print "----- list-policies -----\n";
+%vars = ( trap => 'yes' );
+my $pols = $session->list_policies(Vici::Message->new(\%vars));
+foreach my $pol (@$pols)
+{
+    print $pol->raw(), "\n";
+}
+
+=item uninstall()
+
+uninstalls a trap, drop or bypass policy defined by a CHILD_SA config.
+
+  my %vars = ( child => 'net-net' );
+  my ($res, $errmsg) = $session->uninstall(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- uninstall -----\n";
+%vars = ( child => 'net-net' );
+($res, $errmsg) = $session->uninstall(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item reload_settings()
+
+reloads strongswan.conf settings and all plugins supporting configuration
+reload.
+
+  my ($res, $errmsg) = $session->reload_settings();
+  print $res ? "ok\n" : "failed: $errmsg\n";
+
+=cut
+
+print "----- reload-settings -----\n";
+($res, $errmsg) = $session->reload_settings();
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item unload_conn()
+
+unloads a previously loaded connection definition by name.
+
+  my %vars = ( name => 'gw-gw' );
+  my ($res, $errmsg) = $session->unload_conn(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- unload-conn -----\n";
+%vars = ( name => 'gw-gw' );
+($res, $errmsg) = $session->unload_conn(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item unload_authority()
+
+unloads a previously loaded certification authority definition by name.
+
+  my %vars = ( name => 'strongswan' );
+  my ($res, $errmsg) = $session->unload_authority(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- unload-authority -----\n";
+%vars = ( name => 'strongswan' );
+($res, $errmsg) = $session->unload_authority(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item clear_creds()
+
+clears all loaded certificate, private key and shared key credentials. This
+affects only credentials loaded over vici, but additionally flushes the
+credential cache.
+
+  my ($res, $errmsg) = $session->clear_creds();
+
+=cut
+
+print "----- clear-creds -----\n";
+($res, $errmsg) = $session->clear_creds();
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item load_pool()
+
+loads an in-memory virtual IP and configuration attribute pool. Existing
+pools with the same name get updated, if possible.
+
+  my %pool = ( addrs => '10.3.0.0/23' );
+  my %vars = ( my_pool => \%pool );
+  my ($res, $errmsg) = $session->load_pool(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- load-pool -----\n";
+my %pool = ( addrs => '10.3.0.0/23' );
+%vars = ( my_pool => \%pool );
+($res, $errmsg) = $session->load_pool(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item get_pools()
+
+lists the currently loaded pools.
+
+  my $pools = $session->get_pools();
+
+=cut
+
+print "----- get-pools -----\n";
+my $pools = $session->get_pools();
+print $pools->raw(), "\n";
+
+=item unload_pool()
+
+unloads a previously loaded virtual IP and configuration attribute pool.
+Unloading fails for pools with leases currently online.
+
+  my %vars = ( name => 'my_pool' );
+  my ($res, $errmsg) = $session->unload_pool(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- unload-pool -----\n";
+%vars = ( name => 'my_pool' );
+($res, $errmsg) = $session->unload_pool(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=back
+
+=cut
+
+# close vici socket
+close($socket);
+
+=head1 COPYRIGHT AND LICENCE
+
+Copyright (c) 2015 Andreas Steffen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm
new file mode 100644
index 000000000..b0a942c04
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm
@@ -0,0 +1,256 @@
+package Vici::Message;
+
+our $VERSION = '0.9';
+
+use strict;
+use Vici::Transport;
+
+use constant {
+    SECTION_START => 1,   # Begin a new section having a name
+    SECTION_END   => 2,   # End a previously started section
+    KEY_VALUE     => 3,   # Define a value for a named key in the section
+    LIST_START    => 4,   # Begin a named list for list items
+    LIST_ITEM     => 5,   # Define an unnamed item value in the current list
+    LIST_END      => 6,   # End a previously started list
+};
+
+sub new {
+    my $class = shift;
+    my $hash = shift;
+    my $self = {
+        Hash => $hash
+    };
+    bless($self, $class);
+    return $self;
+}
+
+sub from_data {
+    my $class = shift;
+    my $data = shift;
+    my %hash = ();
+
+    parse($data, \%hash);
+
+    my $self = {
+        Hash => \%hash
+    };
+    bless($self, $class);
+    return $self;
+}
+
+sub hash {
+    my $self = shift;
+    return $self->{Hash};
+}
+
+sub encode {
+    my $self = shift;
+    return encode_hash($self->{'Hash'});
+}
+
+sub raw {
+    my $self = shift;
+    return '{' . raw_hash($self->{'Hash'}) . '}';
+}
+
+sub result {
+    my $self = shift;
+    my $result = $self->{'Hash'};
+    return ($result->{'success'} eq 'yes', $result->{'errmsg'});
+}
+
+# private functions
+
+sub parse {
+    my $data = shift;
+    my $hash = shift;
+
+    while (length($data) > 0)
+    {
+        (my $type, $data) = unpack('Ca*', $data);
+
+		if ($type == SECTION_END)
+		{
+			return $data;
+		}
+
+        (my $key, $data) = unpack('C/a*a*', $data);
+
+        if ( $type == KEY_VALUE )
+        {
+            (my $value, $data) = unpack('n/a*a*', $data);
+            $hash->{$key} = $value;
+        }
+        elsif ( $type == SECTION_START )
+        {
+            my %section = ();
+            $data = parse($data, \%section);
+            $hash->{$key} = \%section;
+        }
+        elsif ( $type == LIST_START )
+        {
+            my @list = ();
+            my $more = 1;
+
+            while (length($data) > 0 and $more)
+            {
+                (my $type, $data) = unpack('Ca*', $data);
+                if ( $type == LIST_ITEM )
+                {
+                    (my $value, $data) = unpack('n/a*a*', $data);
+                    push(@list, $value);
+                }
+                elsif ( $type == LIST_END )
+                {
+                    $more = 0;
+                    $hash->{$key} = \@list;
+                 }
+                else
+                {
+                    die "message parsing error: ", $type, "\n"
+                }
+            }
+        }
+        else
+        {
+            die "message parsing error: ", $type, "\n"
+        }
+    }
+    return $data;
+}
+
+
+sub encode_hash {
+    my $hash = shift;
+    my $enc = '';
+
+    while ( (my $key, my $value) = each %$hash )
+    {
+        if ( ref($value) eq 'HASH' )
+        {
+            $enc .= pack('CC/a*', SECTION_START, $key);
+            $enc .= encode_hash($value);
+            $enc .= pack('C', SECTION_END);
+        }
+        elsif ( ref($value) eq 'ARRAY' )
+        {
+            $enc .= pack('CC/a*', LIST_START, $key);
+
+            foreach my $item (@$value)
+            {
+                $enc .= pack('Cn/a*', LIST_ITEM, $item);
+            }
+            $enc .= pack('C', LIST_END);
+        }
+        else
+        {
+            $enc .= pack('CC/a*n/a*', KEY_VALUE, $key, $value);
+        }
+    }
+    return $enc;
+}
+
+sub raw_hash {
+    my $hash = shift;
+    my $raw = '';
+    my $first = 1;
+
+    while ( (my $key, my $value) = each %$hash )
+    {
+        if ($first)
+        {
+            $first = 0;
+        }
+        else
+        {
+            $raw .= ' ';
+        }
+        $raw .= $key;
+
+        if ( ref($value) eq 'HASH' )
+        {
+            $raw .= '{' . raw_hash($value) . '}';
+        }
+        elsif ( ref($value) eq 'ARRAY' )
+        {
+            my $first_item = 1;
+            $raw .= '[';
+
+            foreach my $item (@$value)
+            {
+                if ($first_item)
+                {
+                    $first_item = 0;
+                }
+                else
+                {
+                    $raw .= ' ';
+                }
+                $raw .= $item;
+            }
+            $raw .= ']';
+        }
+        else
+        {
+            $raw .= '=' . $value;
+        }
+    }
+    return $raw;
+}
+
+1;
+__END__
+=head1 NAME
+
+Vici::Message - Perl extension for building and parsing strongSwan VICI messages
+
+=head1 SYNOPSIS
+
+  use Vici::Message;
+
+=head1 DESCRIPTION
+
+The Vici::Message module is needed by the Vici::Session module to build and
+parse messages used in the communication with the open source strongSwan IPsec
+daemon (https://www.strongswan.com) via the documented Versatile IKE
+Configuration Interface (VICI). VICI allows the configuration, management and
+monitoring of multiple IPsec connections.
+
+=head2 EXPORT
+
+None by default.
+
+=head1 SEE ALSO
+
+strongSwan Wiki:  https://wiki.strongswan.org/projects/strongswan/wiki/Vici
+
+strongSwan Mailing list:  users@lists.strongswan.org
+
+=head1 AUTHOR
+
+Andreas Steffen, E<lt>andreas.steffen@strongswan.orgE<gt>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright (C) 2015 by Andreas Steffen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+=cut
+
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Packet.pm b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Packet.pm
new file mode 100644
index 000000000..9e2b77fa5
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Packet.pm
@@ -0,0 +1,191 @@
+package Vici::Packet;
+
+our $VERSION = '0.9';
+
+use strict;
+use Vici::Message;
+use Vici::Transport;
+
+use constant {
+    CMD_REQUEST      => 0,  # Named request message
+    CMD_RESPONSE     => 1,  # Unnamed response message for a request
+    CMD_UNKNOWN      => 2,  # Unnamed response if requested command is unknown
+    EVENT_REGISTER   => 3,  # Named event registration request
+    EVENT_UNREGISTER => 4,  # Named event de-registration request
+    EVENT_CONFIRM    => 5,  # Unnamed confirmation for event (de-)registration
+    EVENT_UNKNOWN    => 6,  # Unnamed response if event (de-)registration failed
+    EVENT            => 7,  # Named event message
+};
+
+sub new {
+    my $class = shift;
+    my $socket = shift;
+    my $self = {
+       Transport => Vici::Transport->new($socket),
+    };
+    bless($self, $class);
+    return $self;
+}
+
+sub request {
+    my ($self, $command, $vars) = @_;
+    my $out = defined $vars ? $vars->encode() : '';
+    my $request = pack('CC/a*a*', CMD_REQUEST, $command, $out);
+    $self->{'Transport'}->send($request);
+
+    my $response = $self->{'Transport'}->receive();
+    my ($type, $data) = unpack('Ca*', $response);
+
+    if ( $type == CMD_RESPONSE )
+    {
+        return Vici::Message->from_data($data);
+    }
+    elsif ( $type == CMD_UNKNOWN )
+    {
+        die "unknown command '", $command, "'\n"
+    }
+    else
+    {
+        die "invalid response type\n"
+    }
+}
+
+sub register {
+    my ($self, $event) = @_;
+    my $request = pack('CC/a*a*', EVENT_REGISTER, $event);
+    $self->{'Transport'}->send($request);
+
+    my $response = $self->{'Transport'}->receive();
+    my ($type, $data) = unpack('Ca*', $response);
+
+    if ( $type == EVENT_CONFIRM )
+    {
+        return
+    }
+    elsif ( $type == EVENT_UNKNOWN )
+    {
+        die "unknown event '", $event, "'\n"
+    }
+    else
+    {
+        die "invalid response type\n"
+    }
+}
+
+sub unregister {
+    my ($self, $event) = @_;
+    my $request = pack('CC/a*a*', EVENT_UNREGISTER, $event);
+    $self->{'Transport'}->send($request);
+
+    my $response = $self->{'Transport'}->receive();
+    my ($type, $data) = unpack('Ca*', $response);
+
+    if ( $type == EVENT_CONFIRM )
+    {
+        return
+    }
+    elsif ( $type == EVENT_UNKNOWN )
+    {
+        die "unknown event '", $event, "'\n"
+    }
+    else
+    {
+        die "invalid response type\n"
+    }
+}
+
+sub streamed_request {
+    my ($self, $command, $event, $vars) = @_;
+    my $out = defined $vars ? $vars->encode() : '';
+
+   $self->register($event);
+
+    my $request = pack('CC/a*a*', CMD_REQUEST, $command, $out);
+    $self->{'Transport'}->send($request);
+    my $more = 1;
+    my @list = ();
+
+    while ($more)
+    {
+        my $response = $self->{'Transport'}->receive();
+        my ($type, $data) = unpack('Ca*', $response);
+
+        if ( $type == EVENT )
+        {
+           (my $event_name, $data) = unpack('C/a*a*', $data);
+
+           if ($event_name eq $event)
+           {
+               my $msg = Vici::Message->from_data($data);
+               push(@list, $msg);
+           }
+        }
+        elsif ( $type == CMD_RESPONSE )
+        {
+            $self->unregister($event);
+            $more = 0;
+        }
+        else
+        {
+            $self->unregister($event);
+            die "invalid response type\n";
+        }
+    }
+    return \@list;
+}
+
+1;
+__END__
+=head1 NAME
+
+Vici::Packet - Perl extension for sending and receiving strongSwan VICI packets
+
+=head1 SYNOPSIS
+
+  use Vici::Packet;
+
+=head1 DESCRIPTION
+
+The Vici::Packet module is needed by the Vici::Session module to send and
+receive packets used in the communication with the open source strongSwan IPsec
+daemon (https://www.strongswan.com) via the documented Versatile IKE
+Configuration Interface (VICI). VICI allows the configuration, management and
+monitoring of multiple IPsec connections.
+
+=head2 EXPORT
+
+None by default.
+
+=head1 SEE ALSO
+
+strongSwan Wiki:  https://wiki.strongswan.org/projects/strongswan/wiki/Vici
+
+strongSwan Mailing list:  users@lists.strongswan.org
+
+=head1 AUTHOR
+
+Andreas Steffen, E<lt>andreas.steffen@strongswan.orgE<gt>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright (C) 2015 by Andreas Steffen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+=cut
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
new file mode 100644
index 000000000..78197136a
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
@@ -0,0 +1,204 @@
+package Vici::Session;
+
+our $VERSION = '0.9';
+
+use strict;
+use Vici::Packet;
+use Vici::Message;
+
+sub new {
+    my $class = shift;
+    my $socket = shift;
+    my $self = {
+        Packet => Vici::Packet->new($socket),
+    };
+    bless($self, $class);
+    return $self;
+}
+
+sub version {
+    return request('version', @_);
+}
+
+sub stats {
+    return request('stats', @_);
+}
+
+sub reload_settings {
+   return request_res('reload-settings', @_);
+}
+
+sub initiate {
+    return request_vars_res('initiate', @_);
+}
+
+sub terminate {
+    return request_vars_res('terminate', @_);
+}
+
+sub redirect {
+    return request_vars_res('redirect', @_);
+}
+
+sub install {
+    return request_vars_res('install', @_);
+}
+
+sub uninstall {
+    return request_vars_res('uninstall', @_);
+}
+
+sub list_sas {
+    return request_list('list-sas', 'list-sa', @_);
+}
+
+sub list_policies {
+    return request_list('list-policies', 'list-policy', @_);
+}
+
+sub list_conns {
+    return request_list('list-conns', 'list-conn', @_);
+}
+
+sub get_conns {
+    return request('get-conns', @_);
+}
+
+sub list_certs {
+    return request_list('list-certs', 'list-cert', @_);
+}
+
+sub list_authorities {
+    return request_list('list-authorities', 'list-authority', @_);
+}
+
+sub get_authorities {
+    return request('get-authorities', @_);
+}
+
+sub load_conn {
+    return request_vars_res('load-conn', @_);
+}
+
+sub unload_conn {
+    return request_vars_res('unload-conn', @_);
+}
+
+sub load_cert {
+    return request_vars_res('load-cert', @_);
+}
+
+sub load_key {
+    return request_vars_res('load-key', @_);
+}
+
+sub load_shared {
+    return request_vars_res('load-shared', @_);
+}
+
+sub clear_creds {
+   return request_res('clear-creds', @_);
+}
+
+sub load_authority {
+    return request_vars_res('load-authority', @_);
+}
+
+sub unload_authority {
+    return request_vars_res('unload-authority', @_);
+}
+
+sub load_pool {
+    return request_vars_res('load-pool', @_);
+}
+
+sub unload_pool {
+    return request_vars_res('unload-pool', @_);
+}
+
+sub get_pools {
+    return request('get-pools', @_);
+}
+
+sub get_algorithms {
+    return request('get-algorithms', @_);
+}
+
+# Private functions
+
+sub request {
+    my ($command, $self) = @_;
+    return $self->{'Packet'}->request($command);
+}
+
+sub request_res {
+    my ($command, $self) = @_;
+    my $msg = $self->{'Packet'}->request($command);
+    return $msg->result();
+}
+
+sub request_vars_res {
+    my ($command, $self, $vars) = @_;
+    my $msg = $self->{'Packet'}->request($command, $vars);
+    return $msg->result();
+}
+
+sub request_list {
+    my ($command, $event, $self, $vars) = @_;
+    return $self->{'Packet'}->streamed_request($command, $event, $vars);
+}
+
+1;
+__END__
+=head1 NAME
+
+Vici::Session - Perl binding for the strongSwan VICI configuration interface
+
+=head1 SYNOPSIS
+
+  use Vici::Session;
+
+=head1 DESCRIPTION
+
+The Vici::Session module allows a Perl script to communicate with the open
+source strongSwan IPsec daemon (https://www.strongswan.com) via the documented
+Versatile IKE Configuration Interface (VICI). VICI allows the configuration,
+management and monitoring of multiple IPsec connections.
+
+=head2 EXPORT
+
+None by default.
+
+=head1 SEE ALSO
+
+strongSwan Wiki:  https://wiki.strongswan.org/projects/strongswan/wiki/Vici
+
+strongSwan Mailing list:  users@lists.strongswan.org
+
+=head1 AUTHOR
+
+Andreas Steffen, E<lt>andreas.steffen@strongswan.orgE<gt>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright (C) 2015 by Andreas Steffen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+=cut
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Transport.pm b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Transport.pm
new file mode 100644
index 000000000..6524bf76d
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Transport.pm
@@ -0,0 +1,88 @@
+package Vici::Transport;
+
+our $VERSION = '0.9';
+
+use strict;
+
+sub new {
+    my $class = shift;
+    my $self = {
+        Socket => shift,
+    };
+    bless($self, $class);
+    return $self;
+}
+
+sub send {
+    my ($self, $data) = @_;
+    my $packet = pack('N/a*', $data);
+    $self->{'Socket'}->send($packet);
+}
+
+sub receive {
+    my $self = shift;
+    my $packet_header;
+    my $data;
+
+    $self->{'Socket'}->recv($packet_header, 4);
+    my $packet_len = unpack('N', $packet_header);
+    $self->{'Socket'}->recv($data, $packet_len);
+	return $data;
+}
+
+1;
+__END__
+=head1 NAME
+
+Vici::Transport - Perl extension for communicating via a strongSwan VICI socket
+
+=head1 SYNOPSIS
+
+  use Vici::Transport;
+
+=head1 DESCRIPTION
+
+The Vici::Transport module is needed by the Vici::Packet module to send
+and receive packets over the UNIX socket used in the communication with the
+open source strongSwan IPsec daemon (https://www.strongswan.com) via the
+documented Versatile IKE Configuration Interface (VICI). VICI allows the
+onfiguration, management and monitoring of multiple IPsec connections.
+
+=head2 EXPORT
+
+None by default.
+
+=head1 SEE ALSO
+
+strongSwan Wiki:  https://wiki.strongswan.org/projects/strongswan/wiki/Vici
+
+strongSwan Mailing list:  users@lists.strongswan.org
+
+=head1 AUTHOR
+
+Andreas Steffen, E<lt>andreas.steffen@strongswan.orgE<gt>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright (C) 2015 by Andreas Steffen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+=cut
+
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/t/Vici-Session.t b/src/libcharon/plugins/vici/perl/Vici-Session/t/Vici-Session.t
new file mode 100644
index 000000000..4c321f3e1
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/t/Vici-Session.t
@@ -0,0 +1,18 @@
+# Before 'make install' is performed this script should be runnable with
+# 'make test'. After 'make install' it should work as 'perl Vici-Session.t'
+
+#########################
+
+# change 'tests => 1' to 'tests => last_test_to_print';
+
+use strict;
+use warnings;
+
+use Test::More tests => 1;
+BEGIN { use_ok('Vici::Session') };
+
+#########################
+
+# Insert your test code below, the Test::More module is use()ed here so read
+# its man page ( perldoc Test::More ) for help writing this test script.
+
diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in
index eb4bab6ca..894a7e275 100644
--- a/src/libcharon/plugins/vici/python/Makefile.in
+++ b/src/libcharon/plugins/vici/python/Makefile.in
@@ -351,6 +351,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libcharon/plugins/vici/python/vici/session.py b/src/libcharon/plugins/vici/python/vici/session.py
index 283e3d13d..66de8590a 100644
--- a/src/libcharon/plugins/vici/python/vici/session.py
+++ b/src/libcharon/plugins/vici/python/vici/session.py
@@ -53,6 +53,14 @@ class Session(object):
         """
         return self.handler.streamed_request("terminate", "control-log", sa)
 
+    def redirect(self, sa):
+        """Redirect an IKE_SA.
+
+        :param sa: the SA to redirect
+        :type sa: dict
+        """
+        self.handler.request("redirect", sa)
+
     def install(self, policy):
         """Install a trap, drop or bypass policy defined by a CHILD_SA config.
 
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in
index bf81e5395..b87d83de4 100644
--- a/src/libcharon/plugins/vici/ruby/Makefile.in
+++ b/src/libcharon/plugins/vici/ruby/Makefile.in
@@ -329,6 +329,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb
index f8169add0..018f50766 100644
--- a/src/libcharon/plugins/vici/ruby/lib/vici.rb
+++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb
@@ -505,6 +505,12 @@ module Vici
     end
 
     ##
+    # Redirect an IKE_SA.
+    def redirect(options)
+      check_success(@transp.request("redirect", Message.new(options)))
+    end
+
+    ##
     # Install a shunt/route policy.
     def install(policy)
       check_success(@transp.request("install", Message.new(policy)))
diff --git a/src/libcharon/plugins/vici/vici_cert_info.c b/src/libcharon/plugins/vici/vici_cert_info.c
new file mode 100644
index 000000000..2f278de5e
--- /dev/null
+++ b/src/libcharon/plugins/vici/vici_cert_info.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "vici_cert_info.h"
+
+/**
+ * Legacy vici certificate types and directories created by swanctl
+ */
+typedef struct {
+
+	/** Certificate type string used in legacy vici messages */
+	char *type_str;
+	/** Base certificate type */
+	certificate_type_t type;
+	/** X.509 flag */
+	x509_flag_t flag;
+} cert_type_t;
+
+static cert_type_t cert_types[] = {
+	{ "x509",     CERT_X509,           X509_NONE        },
+	{ "x509ca",   CERT_X509,           X509_CA          },
+	{ "x509ocsp", CERT_X509,           X509_OCSP_SIGNER },
+	{ "x509aa",   CERT_X509,           X509_AA          },
+	{ "x509ac",   CERT_X509_AC,        X509_NONE        },
+	{ "x509crl",  CERT_X509_CRL,       X509_NONE        },
+	{ "pubkey",   CERT_TRUSTED_PUBKEY, X509_NONE        },
+};
+
+bool vici_cert_info_from_str(char *type_str, certificate_type_t *type,
+							 x509_flag_t *flag)
+{
+	int i;
+
+	for (i = 0; i < countof(cert_types); i++)
+	{
+		if (strcaseeq(type_str, cert_types[i].type_str))
+		{
+			*type = cert_types[i].type;
+			*flag = cert_types[i].flag;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
diff --git a/src/libcharon/plugins/vici/vici_cert_info.h b/src/libcharon/plugins/vici/vici_cert_info.h
new file mode 100644
index 000000000..e2a8c4d9f
--- /dev/null
+++ b/src/libcharon/plugins/vici/vici_cert_info.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup vici_cert_info vici_cert_info
+ * @{ @ingroup vici
+ */
+
+#ifndef VICI_CERT_INFO_H_
+#define VICI_CERT_INFO_H_
+
+typedef struct vici_cert_info_t vici_cert_info_t;
+
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+
+bool vici_cert_info_from_str(char *type_str, certificate_type_t *type,
+							 x509_flag_t *flag);
+
+#endif /** VICI_CERT_INFO_H_ @}*/
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index ea6d2958a..6ebbedc47 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -2,7 +2,8 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Tobias Brunner
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -45,9 +46,12 @@
 
 #include <daemon.h>
 #include <threading/rwlock.h>
+#include <threading/rwlock_condvar.h>
 #include <collections/array.h>
 #include <collections/linked_list.h>
 
+#include <pubkey_cert.h>
+
 #include <stdio.h>
 
 /**
@@ -98,6 +102,21 @@ struct private_vici_config_t {
 	rwlock_t *lock;
 
 	/**
+	 * Condvar used to snyc running actions
+	 */
+	rwlock_condvar_t *condvar;
+
+	/**
+	 * True while we run or undo a start action
+	 */
+	bool handling_actions;
+
+	/**
+	 * Credential backend managed by VICI used for our certificates
+	 */
+	vici_cred_t *cred;
+
+	/**
 	 * Auxiliary certification authority information
 	 */
 	vici_authority_t *authority;
@@ -218,6 +237,24 @@ typedef struct {
 } request_data_t;
 
 /**
+ * Auth config data
+ */
+typedef struct {
+	request_data_t *request;
+	auth_cfg_t *cfg;
+	u_int32_t round;
+} auth_data_t;
+
+/**
+ * Clean up auth config data
+ */
+static void free_auth_data(auth_data_t *data)
+{
+	DESTROY_IF(data->cfg);
+	free(data);
+}
+
+/**
  * Data associated to a peer config
  */
 typedef struct {
@@ -311,7 +348,7 @@ static void log_auth(auth_cfg_t *auth)
 static void log_peer_data(peer_data_t *data)
 {
 	enumerator_t *enumerator;
-	auth_cfg_t *auth;
+	auth_data_t *auth;
 	host_t *host;
 
 	DBG2(DBG_CFG, "  version = %u", data->version);
@@ -350,7 +387,7 @@ static void log_peer_data(peer_data_t *data)
 	while (enumerator->enumerate(enumerator, &auth))
 	{
 		DBG2(DBG_CFG, "  local:");
-		log_auth(auth);
+		log_auth(auth->cfg);
 	}
 	enumerator->destroy(enumerator);
 
@@ -358,7 +395,7 @@ static void log_peer_data(peer_data_t *data)
 	while (enumerator->enumerate(enumerator, &auth))
 	{
 		DBG2(DBG_CFG, "  remote:");
-		log_auth(auth);
+		log_auth(auth->cfg);
 	}
 	enumerator->destroy(enumerator);
 }
@@ -368,10 +405,8 @@ static void log_peer_data(peer_data_t *data)
  */
 static void free_peer_data(peer_data_t *data)
 {
-	data->local->destroy_offset(data->local,
-									offsetof(auth_cfg_t, destroy));
-	data->remote->destroy_offset(data->remote,
-									offsetof(auth_cfg_t, destroy));
+	data->local->destroy_function(data->local, (void*)free_auth_data);
+	data->remote->destroy_function(data->remote, (void*)free_auth_data);
 	data->children->destroy_offset(data->children,
 									offsetof(child_cfg_t, destroy));
 	data->proposals->destroy_offset(data->proposals,
@@ -461,14 +496,6 @@ static void free_child_data(child_data_t *data)
 }
 
 /**
- * Auth config data
- */
-typedef struct {
-	request_data_t *request;
-	auth_cfg_t *cfg;
-} auth_data_t;
-
-/**
  * Common proposal parsing
  */
 static bool parse_proposal(linked_list_t *list, protocol_id_t proto, chunk_t v)
@@ -537,7 +564,7 @@ CALLBACK(parse_ts, bool,
 	linked_list_t *out, chunk_t v)
 {
 	char buf[128], *protoport, *sep, *port = "", *end;
-	traffic_selector_t *ts;
+	traffic_selector_t *ts = NULL;
 	struct protoent *protoent;
 	struct servent *svc;
 	long int p;
@@ -630,6 +657,22 @@ CALLBACK(parse_ts, bool,
 	{
 		ts = traffic_selector_create_dynamic(proto, from, to);
 	}
+	else if (strchr(buf, '-'))
+	{
+		host_t *lower, *upper;
+		ts_type_t type;
+
+		if (host_create_from_range(buf, &lower, &upper))
+		{
+			type = (lower->get_family(lower) == AF_INET) ?
+						 		TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
+			ts = traffic_selector_create_from_bytes(proto, type,
+								lower->get_address(lower), from,
+								upper->get_address(upper), to);
+			lower->destroy(lower);
+			upper->destroy(upper);
+		}
+	}
 	else
 	{
 		ts = traffic_selector_create_from_cidr(buf, proto, from, to);
@@ -948,9 +991,14 @@ CALLBACK(parse_auth, bool,
 	{
 		return FALSE;
 	}
-	if (strcaseeq(buf, "pubkey"))
+	if (strpfx(buf, "ike:") ||
+		strpfx(buf, "pubkey") ||
+		strpfx(buf, "rsa") ||
+		strpfx(buf, "ecdsa") ||
+		strpfx(buf, "bliss"))
 	{
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+		cfg->add_pubkey_constraints(cfg, buf, TRUE);
 		return TRUE;
 	}
 	if (strcaseeq(buf, "psk"))
@@ -970,8 +1018,16 @@ CALLBACK(parse_auth, bool,
 	}
 	if (strcasepfx(buf, "eap"))
 	{
+		char *pos;
+
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
 
+		pos = strchr(buf, ':');
+		if (pos)
+		{
+			*pos = 0;
+			cfg->add_pubkey_constraints(cfg, pos + 1, FALSE);
+		}
 		type = eap_vendor_type_from_string(buf);
 		if (type)
 		{
@@ -1053,6 +1109,7 @@ CALLBACK(parse_group, bool,
 static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
 {
 	vici_authority_t *authority;
+	vici_cred_t *cred;
 	certificate_t *cert;
 
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
@@ -1064,6 +1121,8 @@ static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
 			authority = auth->request->this->authority;
 			authority->check_for_hash_and_url(authority, cert);
 		}
+		cred = auth->request->this->cred;
+		cert = cred->add_cert(cred, cert);
 		auth->cfg->add(auth->cfg, rule, cert);
 		return TRUE;
 	}
@@ -1089,6 +1148,27 @@ CALLBACK(parse_cacerts, bool,
 }
 
 /**
+ * Parse raw public keys
+ */
+CALLBACK(parse_pubkeys, bool,
+	auth_data_t *auth, chunk_t v)
+{
+	vici_cred_t *cred;
+	certificate_t *cert;
+
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
+							  BUILD_BLOB_PEM, v, BUILD_END);
+	if (cert)
+	{
+		cred = auth->request->this->cred;
+		cert = cred->add_cert(cred, cert);
+		auth->cfg->add(auth->cfg, AUTH_RULE_SUBJECT_CERT, cert);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
  * Parse revocation status
  */
 CALLBACK(parse_revocation, bool,
@@ -1283,6 +1363,7 @@ CALLBACK(auth_li, bool,
 		{ "groups",			parse_group,		auth->cfg					},
 		{ "certs",			parse_certs,		auth						},
 		{ "cacerts",		parse_cacerts,		auth						},
+		{ "pubkeys",		parse_pubkeys,		auth						},
 	};
 
 	return parse_rules(rules, countof(rules), name, value,
@@ -1299,6 +1380,7 @@ CALLBACK(auth_kv, bool,
 		{ "eap_id",			parse_eap_id,		auth->cfg					},
 		{ "xauth_id",		parse_xauth_id,		auth->cfg					},
 		{ "revocation",		parse_revocation,	auth->cfg					},
+		{ "round",			parse_uint32,		&auth->round				},
 	};
 
 	return parse_rules(rules, countof(rules), name, value,
@@ -1502,40 +1584,62 @@ CALLBACK(peer_sn, bool,
 	if (strcasepfx(name, "local") ||
 		strcasepfx(name, "remote"))
 	{
-		auth_data_t auth = {
+		enumerator_t *enumerator;
+		linked_list_t *auths;
+		auth_data_t *auth, *current;
+		auth_rule_t rule;
+		certificate_t *cert;
+		pubkey_cert_t *pubkey_cert;
+		identification_t *id;
+		bool default_id = FALSE;
+
+		INIT(auth,
 			.request = peer->request,
 			.cfg = auth_cfg_create(),
-		};
+		);
 
-		if (!message->parse(message, ctx, NULL, auth_kv, auth_li, &auth))
+		if (!message->parse(message, ctx, NULL, auth_kv, auth_li, auth))
 		{
-			auth.cfg->destroy(auth.cfg);
+			free_auth_data(auth);
 			return FALSE;
 		}
+		id = auth->cfg->get(auth->cfg, AUTH_RULE_IDENTITY);
 
-		if (!auth.cfg->get(auth.cfg, AUTH_RULE_IDENTITY))
+		enumerator = auth->cfg->create_enumerator(auth->cfg);
+		while (enumerator->enumerate(enumerator, &rule, &cert))
 		{
-			identification_t *id;
-			certificate_t *cert;
-
-			cert = auth.cfg->get(auth.cfg, AUTH_RULE_SUBJECT_CERT);
-			if (cert)
+			if (rule == AUTH_RULE_SUBJECT_CERT && !default_id)
 			{
-				id = cert->get_subject(cert);
-				DBG1(DBG_CFG, "  id not specified, defaulting to cert id '%Y'",
-					 id);
-				auth.cfg->add(auth.cfg, AUTH_RULE_IDENTITY, id->clone(id));
+				if (id == NULL)
+				{
+					id = cert->get_subject(cert);
+					DBG1(DBG_CFG, "  id not specified, defaulting to"
+								  " cert subject '%Y'", id);
+					auth->cfg->add(auth->cfg, AUTH_RULE_IDENTITY, id->clone(id));
+					default_id = TRUE;
+				}
+				else if (cert->get_type(cert) == CERT_TRUSTED_PUBKEY &&
+						 id->get_type != ID_ANY)
+				{
+					/* set the subject of all raw public keys to the id */
+					pubkey_cert = (pubkey_cert_t*)cert;
+					pubkey_cert->set_subject(pubkey_cert, id);
+				}
 			}
 		}
+		enumerator->destroy(enumerator);
 
-		if (strcasepfx(name, "local"))
+		auths = strcasepfx(name, "local") ? peer->local : peer->remote;
+		enumerator = auths->create_enumerator(auths);
+		while (enumerator->enumerate(enumerator, &current))
 		{
-			peer->local->insert_last(peer->local, auth.cfg);
-		}
-		else
-		{
-			peer->remote->insert_last(peer->remote, auth.cfg);
+			if (auth->round < current->round)
+			{
+				break;
+			}
 		}
+		auths->insert_before(auths, enumerator, auth);
+		enumerator->destroy(enumerator);
 		return TRUE;
 	}
 	peer->request->reply = create_reply("invalid section: %s", name);
@@ -1578,7 +1682,7 @@ static u_int32_t find_reqid(child_cfg_t *cfg)
 }
 
 /**
- * Perform start actions associated to a child config
+ * Perform start actions associated with a child config
  */
 static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
 							 child_cfg_t *child_cfg)
@@ -1611,19 +1715,20 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
 }
 
 /**
- * Undo start actions associated to a child config
+ * Undo start actions associated with a child config
  */
-static void clear_start_action(private_vici_config_t *this,
+static void clear_start_action(private_vici_config_t *this, char *peer_name,
 							   child_cfg_t *child_cfg)
 {
 	enumerator_t *enumerator, *children;
 	child_sa_t *child_sa;
 	ike_sa_t *ike_sa;
-	u_int32_t id = 0, *del;
-	array_t *ids = NULL;
+	u_int32_t id = 0, others;
+	array_t *ids = NULL, *ikeids = NULL;
 	char *name;
 
 	name = child_cfg->get_name(child_cfg);
+
 	switch (child_cfg->get_start_action(child_cfg))
 	{
 		case ACTION_RESTART:
@@ -1631,29 +1736,72 @@ static void clear_start_action(private_vici_config_t *this,
 													charon->controller, TRUE);
 			while (enumerator->enumerate(enumerator, &ike_sa))
 			{
+				if (!streq(ike_sa->get_name(ike_sa), peer_name))
+				{
+					continue;
+				}
+				others = id = 0;
 				children = ike_sa->create_child_sa_enumerator(ike_sa);
 				while (children->enumerate(children, &child_sa))
 				{
-					if (streq(name, child_sa->get_name(child_sa)))
+					if (child_sa->get_state(child_sa) != CHILD_DELETING)
 					{
-						id = child_sa->get_unique_id(child_sa);
-						array_insert_create(&ids, ARRAY_TAIL, &id);
+						if (streq(name, child_sa->get_name(child_sa)))
+						{
+							id = child_sa->get_unique_id(child_sa);
+						}
+						else
+						{
+							others++;
+						}
 					}
 				}
 				children->destroy(children);
+
+				if (id && !others)
+				{
+					/* found matching children only, delete full IKE_SA */
+					id = ike_sa->get_unique_id(ike_sa);
+					array_insert_create_value(&ikeids, sizeof(id),
+											  ARRAY_TAIL, &id);
+				}
+				else
+				{
+					children = ike_sa->create_child_sa_enumerator(ike_sa);
+					while (children->enumerate(children, &child_sa))
+					{
+						if (streq(name, child_sa->get_name(child_sa)))
+						{
+							id = child_sa->get_unique_id(child_sa);
+							array_insert_create_value(&ids, sizeof(id),
+													  ARRAY_TAIL, &id);
+						}
+					}
+					children->destroy(children);
+				}
 			}
 			enumerator->destroy(enumerator);
 
 			if (array_count(ids))
 			{
-				while (array_remove(ids, ARRAY_HEAD, &del))
+				while (array_remove(ids, ARRAY_HEAD, &id))
 				{
-					DBG1(DBG_CFG, "closing '%s' #%u", name, *del);
+					DBG1(DBG_CFG, "closing '%s' #%u", name, id);
 					charon->controller->terminate_child(charon->controller,
-														*del, NULL, NULL, 0);
+														id, NULL, NULL, 0);
 				}
 				array_destroy(ids);
 			}
+			if (array_count(ikeids))
+			{
+				while (array_remove(ikeids, ARRAY_HEAD, &id))
+				{
+					DBG1(DBG_CFG, "closing IKE_SA #%u", id);
+					charon->controller->terminate_ike(charon->controller,
+													  id, NULL, NULL, 0);
+				}
+				array_destroy(ikeids);
+			}
 			break;
 		case ACTION_ROUTE:
 			DBG1(DBG_CFG, "uninstalling '%s'", name);
@@ -1687,36 +1835,56 @@ static void clear_start_action(private_vici_config_t *this,
 }
 
 /**
- * Run start actions associated to all child configs of a peer config
+ * Run or undo a start actions associated with a child config
  */
-static void run_start_actions(private_vici_config_t *this, peer_cfg_t *peer_cfg)
+static void handle_start_action(private_vici_config_t *this,
+								peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+								bool undo)
 {
-	enumerator_t *enumerator;
-	child_cfg_t *child_cfg;
+	this->handling_actions = TRUE;
+	this->lock->unlock(this->lock);
 
-	enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
-	while (enumerator->enumerate(enumerator, &child_cfg))
+	if (undo)
+	{
+		clear_start_action(this, peer_cfg->get_name(peer_cfg), child_cfg);
+	}
+	else
 	{
 		run_start_action(this, peer_cfg, child_cfg);
 	}
-	enumerator->destroy(enumerator);
+
+	this->lock->write_lock(this->lock);
+	this->handling_actions = FALSE;
 }
 
 /**
- * Undo start actions associated to all child configs of a peer config
+ * Run or undo start actions associated with all child configs of a peer config
  */
-static void clear_start_actions(private_vici_config_t *this,
-								peer_cfg_t *peer_cfg)
+static void handle_start_actions(private_vici_config_t *this,
+								 peer_cfg_t *peer_cfg, bool undo)
 {
 	enumerator_t *enumerator;
 	child_cfg_t *child_cfg;
 
+	this->handling_actions = TRUE;
+	this->lock->unlock(this->lock);
+
 	enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
 	while (enumerator->enumerate(enumerator, &child_cfg))
 	{
-		clear_start_action(this, child_cfg);
+		if (undo)
+		{
+			clear_start_action(this, peer_cfg->get_name(peer_cfg), child_cfg);
+		}
+		else
+		{
+			run_start_action(this, peer_cfg, child_cfg);
+		}
 	}
 	enumerator->destroy(enumerator);
+
+	this->lock->write_lock(this->lock);
+	this->handling_actions = FALSE;
 }
 
 /**
@@ -1727,22 +1895,12 @@ static void replace_children(private_vici_config_t *this,
 {
 	enumerator_t *enumerator;
 	child_cfg_t *child;
+	bool added;
 
-	enumerator = to->create_child_cfg_enumerator(to);
-	while (enumerator->enumerate(enumerator, &child))
+	enumerator = to->replace_child_cfgs(to, from);
+	while (enumerator->enumerate(enumerator, &child, &added))
 	{
-		to->remove_child_cfg(to, enumerator);
-		clear_start_action(this, child);
-		child->destroy(child);
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = from->create_child_cfg_enumerator(from);
-	while (enumerator->enumerate(enumerator, &child))
-	{
-		from->remove_child_cfg(from, enumerator);
-		to->add_child_cfg(to, child);
-		run_start_action(this, to, child);
+		handle_start_action(this, to, child, !added);
 	}
 	enumerator->destroy(enumerator);
 }
@@ -1758,6 +1916,10 @@ static void merge_config(private_vici_config_t *this, peer_cfg_t *peer_cfg)
 	bool merged = FALSE;
 
 	this->lock->write_lock(this->lock);
+	while (this->handling_actions)
+	{
+		this->condvar->wait(this->condvar, this->lock);
+	}
 
 	enumerator = this->conns->create_enumerator(this->conns);
 	while (enumerator->enumerate(enumerator, &current))
@@ -1778,10 +1940,10 @@ static void merge_config(private_vici_config_t *this, peer_cfg_t *peer_cfg)
 				DBG1(DBG_CFG, "replaced vici connection: %s",
 					 peer_cfg->get_name(peer_cfg));
 				this->conns->remove_at(this->conns, enumerator);
-				clear_start_actions(this, current);
-				current->destroy(current);
 				this->conns->insert_last(this->conns, peer_cfg);
-				run_start_actions(this, peer_cfg);
+				handle_start_actions(this, current, TRUE);
+				handle_start_actions(this, peer_cfg, FALSE);
+				current->destroy(current);
 			}
 			merged = TRUE;
 			break;
@@ -1793,9 +1955,9 @@ static void merge_config(private_vici_config_t *this, peer_cfg_t *peer_cfg)
 	{
 		DBG1(DBG_CFG, "added vici connection: %s", peer_cfg->get_name(peer_cfg));
 		this->conns->insert_last(this->conns, peer_cfg);
-		run_start_actions(this, peer_cfg);
+		handle_start_actions(this, peer_cfg, FALSE);
 	}
-
+	this->condvar->signal(this->condvar);
 	this->lock->unlock(this->lock);
 }
 
@@ -1828,7 +1990,7 @@ CALLBACK(config_sn, bool,
 	peer_cfg_t *peer_cfg;
 	ike_cfg_t *ike_cfg;
 	child_cfg_t *child_cfg;
-	auth_cfg_t *auth_cfg;
+	auth_data_t *auth;
 	proposal_t *proposal;
 	host_t *host;
 	char *str;
@@ -1843,14 +2005,17 @@ CALLBACK(config_sn, bool,
 
 	if (peer.local->get_count(peer.local) == 0)
 	{
-		free_peer_data(&peer);
-		peer.request->reply = create_reply("missing local auth config");
-		return FALSE;
+		INIT(auth,
+			.cfg = auth_cfg_create(),
+		);
+		peer.local->insert_last(peer.local, auth);
 	}
 	if (peer.remote->get_count(peer.remote) == 0)
 	{
-		auth_cfg = auth_cfg_create();
-		peer.remote->insert_last(peer.remote, auth_cfg);
+		INIT(auth,
+			.cfg = auth_cfg_create(),
+		);
+		peer.remote->insert_last(peer.remote, auth);
 	}
 	if (peer.proposals->get_count(peer.proposals) == 0)
 	{
@@ -1926,14 +2091,18 @@ CALLBACK(config_sn, bool,
 						FALSE, NULL, NULL);
 
 	while (peer.local->remove_first(peer.local,
-									(void**)&auth_cfg) == SUCCESS)
+									(void**)&auth) == SUCCESS)
 	{
-		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
+		peer_cfg->add_auth_cfg(peer_cfg, auth->cfg, TRUE);
+		auth->cfg = NULL;
+		free_auth_data(auth);
 	}
 	while (peer.remote->remove_first(peer.remote,
-									 (void**)&auth_cfg) == SUCCESS)
+									 (void**)&auth) == SUCCESS)
 	{
-		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
+		peer_cfg->add_auth_cfg(peer_cfg, auth->cfg, FALSE);
+		auth->cfg = NULL;
+		free_auth_data(auth);
 	}
 	while (peer.children->remove_first(peer.children,
 									   (void**)&child_cfg) == SUCCESS)
@@ -1999,18 +2168,24 @@ CALLBACK(unload_conn, vici_message_t*,
 	}
 
 	this->lock->write_lock(this->lock);
+	while (this->handling_actions)
+	{
+		this->condvar->wait(this->condvar, this->lock);
+	}
 	enumerator = this->conns->create_enumerator(this->conns);
 	while (enumerator->enumerate(enumerator, &cfg))
 	{
 		if (streq(cfg->get_name(cfg), conn_name))
 		{
 			this->conns->remove_at(this->conns, enumerator);
+			handle_start_actions(this, cfg, TRUE);
 			cfg->destroy(cfg);
 			found = TRUE;
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->condvar->signal(this->condvar);
 	this->lock->unlock(this->lock);
 
 	if (!found)
@@ -2066,6 +2241,7 @@ METHOD(vici_config_t, destroy, void,
 {
 	manage_commands(this, FALSE);
 	this->conns->destroy_offset(this->conns, offsetof(peer_cfg_t, destroy));
+	this->condvar->destroy(this->condvar);
 	this->lock->destroy(this->lock);
 	free(this);
 }
@@ -2074,7 +2250,8 @@ METHOD(vici_config_t, destroy, void,
  * See header
  */
 vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher,
-								  vici_authority_t *authority)
+								  vici_authority_t *authority,
+								  vici_cred_t *cred)
 {
 	private_vici_config_t *this;
 
@@ -2090,7 +2267,9 @@ vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher,
 		.dispatcher = dispatcher,
 		.conns = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.condvar = rwlock_condvar_create(),
 		.authority = authority,
+		.cred = cred,
 	);
 
 	manage_commands(this, TRUE);
diff --git a/src/libcharon/plugins/vici/vici_config.h b/src/libcharon/plugins/vici/vici_config.h
index c3245bf5c..0c237e7de 100644
--- a/src/libcharon/plugins/vici/vici_config.h
+++ b/src/libcharon/plugins/vici/vici_config.h
@@ -26,6 +26,7 @@
 
 #include "vici_dispatcher.h"
 #include "vici_authority.h"
+#include "vici_cred.h"
 
 #include <config/backend.h>
 
@@ -51,9 +52,11 @@ struct vici_config_t {
  *
  * @param dispatcher		dispatcher to receive requests from
  * @param authority			Auxiliary certification authority information
+ * @param cred				in-memory credential backend managed by VICI
  * @return					config backend
  */
 vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher,
-								  vici_authority_t *authority);
+								  vici_authority_t *authority,
+								  vici_cred_t *cred);
 
 #endif /** VICI_CONFIG_H_ @}*/
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 752007c24..c526d2fda 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
@@ -20,6 +23,7 @@
 
 #include <daemon.h>
 #include <collections/array.h>
+#include <processing/jobs/redirect_job.h>
 
 typedef struct private_vici_control_t private_vici_control_t;
 
@@ -134,7 +138,7 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
 /**
  * Find a peer/child config from a child config name
  */
-static child_cfg_t* find_child_cfg(char *name, peer_cfg_t **out)
+static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
 {
 	enumerator_t *enumerator;
 	peer_cfg_t *peer_cfg;
@@ -144,6 +148,10 @@ static child_cfg_t* find_child_cfg(char *name, peer_cfg_t **out)
 							charon->backends, NULL, NULL, NULL, NULL, IKE_ANY);
 	while (enumerator->enumerate(enumerator, &peer_cfg))
 	{
+		if (pname && !streq(pname, peer_cfg->get_name(peer_cfg)))
+		{
+			continue;
+		}
 		child_cfg = get_child_from_peer(peer_cfg, name);
 		if (child_cfg)
 		{
@@ -161,15 +169,17 @@ CALLBACK(initiate, vici_message_t*,
 {
 	child_cfg_t *child_cfg = NULL;
 	peer_cfg_t *peer_cfg;
-	char *child;
-	u_int timeout;
+	char *child, *ike;
+	int timeout;
 	bool limits;
+	controller_cb_t log_cb = NULL;
 	log_info_t log = {
 		.dispatcher = this->dispatcher,
 		.id = id,
 	};
 
 	child = request->get_str(request, NULL, "child");
+	ike = request->get_str(request, NULL, "ike");
 	timeout = request->get_int(request, 0, "timeout");
 	limits = request->get_bool(request, FALSE, "init-limits");
 	log.level = request->get_int(request, 1, "loglevel");
@@ -178,16 +188,20 @@ CALLBACK(initiate, vici_message_t*,
 	{
 		return send_reply(this, "missing configuration name");
 	}
+	if (timeout >= 0)
+	{
+		log_cb = (controller_cb_t)log_vici;
+	}
 
 	DBG1(DBG_CFG, "vici initiate '%s'", child);
 
-	child_cfg = find_child_cfg(child, &peer_cfg);
+	child_cfg = find_child_cfg(child, ike, &peer_cfg);
 	if (!child_cfg)
 	{
 		return send_reply(this, "CHILD_SA config '%s' not found", child);
 	}
 	switch (charon->controller->initiate(charon->controller, peer_cfg,
-				child_cfg, (controller_cb_t)log_vici, &log, timeout, limits))
+									child_cfg, log_cb, &log, timeout, limits))
 	{
 		case SUCCESS:
 			return send_reply(this, NULL);
@@ -208,11 +222,13 @@ CALLBACK(terminate, vici_message_t*,
 {
 	enumerator_t *enumerator, *isas, *csas;
 	char *child, *ike, *errmsg = NULL;
-	u_int timeout, child_id, ike_id, current, *del, done = 0;
+	u_int child_id, ike_id, current, *del, done = 0;
+	int timeout;
 	ike_sa_t *ike_sa;
 	child_sa_t *child_sa;
 	array_t *ids;
 	vici_builder_t *builder;
+	controller_cb_t log_cb = NULL;
 	log_info_t log = {
 		.dispatcher = this->dispatcher,
 		.id = id,
@@ -247,6 +263,11 @@ CALLBACK(terminate, vici_message_t*,
 		DBG1(DBG_CFG, "vici terminate CHILD_SA '%s'", child);
 	}
 
+	if (timeout >= 0)
+	{
+		log_cb = (controller_cb_t)log_vici;
+	}
+
 	ids = array_create(sizeof(u_int), 0);
 
 	isas = charon->controller->create_ike_sa_enumerator(charon->controller, TRUE);
@@ -296,7 +317,7 @@ CALLBACK(terminate, vici_message_t*,
 		if (child || child_id)
 		{
 			if (charon->controller->terminate_child(charon->controller, *del,
-						(controller_cb_t)log_vici, &log, timeout) == SUCCESS)
+											log_cb, &log, timeout) == SUCCESS)
 			{
 				done++;
 			}
@@ -304,7 +325,7 @@ CALLBACK(terminate, vici_message_t*,
 		else
 		{
 			if (charon->controller->terminate_ike(charon->controller, *del,
-						(controller_cb_t)log_vici, &log, timeout) == SUCCESS)
+											log_cb, &log, timeout) == SUCCESS)
 			{
 				done++;
 			}
@@ -340,6 +361,150 @@ CALLBACK(terminate, vici_message_t*,
 }
 
 /**
+ * Parse a peer-ip specified, which can be a subnet in CIDR notation, a range
+ * or a single IP address.
+ */
+static traffic_selector_t *parse_peer_ip(char *ip)
+{
+	traffic_selector_t *ts;
+	host_t *from, *to;
+	ts_type_t type;
+
+	if (host_create_from_range(ip, &from, &to))
+	{
+		if (to->get_family(to) == AF_INET)
+		{
+			type = TS_IPV4_ADDR_RANGE;
+		}
+		else
+		{
+			type = TS_IPV6_ADDR_RANGE;
+		}
+		ts = traffic_selector_create_from_bytes(0, type,
+												from->get_address(from), 0,
+												to->get_address(to), 0xFFFF);
+		from->destroy(from);
+		to->destroy(to);
+		return ts;
+	}
+	return traffic_selector_create_from_cidr(ip, 0, 0, 0xFFFF);
+}
+
+CALLBACK(redirect, vici_message_t*,
+	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
+{
+	enumerator_t *sas;
+	char *ike, *peer_ip, *peer_id, *gw, *errmsg = NULL;
+	u_int ike_id, current, found = 0;
+	identification_t *gateway, *identity = NULL, *other_id;
+	traffic_selector_t *ts = NULL;
+	ike_sa_t *ike_sa;
+	vici_builder_t *builder;
+
+	ike = request->get_str(request, NULL, "ike");
+	ike_id = request->get_int(request, 0, "ike-id");
+	peer_ip = request->get_str(request, NULL, "peer-ip");
+	peer_id = request->get_str(request, NULL, "peer-id");
+	gw = request->get_str(request, NULL, "gateway");
+
+	if (!gw || !(gateway = identification_create_from_string(gw)))
+	{
+		return send_reply(this, "missing target gateway");
+	}
+	switch (gateway->get_type(gateway))
+	{
+		case ID_IPV4_ADDR:
+		case ID_IPV6_ADDR:
+		case ID_FQDN:
+			break;
+		default:
+			return send_reply(this, "unsupported gateway identity");
+	}
+	if (peer_ip)
+	{
+		ts = parse_peer_ip(peer_ip);
+		if (!ts)
+		{
+			return send_reply(this, "invalid peer IP selector");
+		}
+		DBG1(DBG_CFG, "vici redirect IKE_SAs with src %R to %Y", ts,
+			 gateway);
+	}
+	if (peer_id)
+	{
+		identity = identification_create_from_string(peer_id);
+		if (!identity)
+		{
+			DESTROY_IF(ts);
+			return send_reply(this, "invalid peer identity selector");
+		}
+		DBG1(DBG_CFG, "vici redirect IKE_SAs with ID '%Y' to %Y", identity,
+			 gateway);
+	}
+	if (ike_id)
+	{
+		DBG1(DBG_CFG, "vici redirect IKE_SA #%d to '%Y'", ike_id, gateway);
+	}
+	if (ike)
+	{
+		DBG1(DBG_CFG, "vici redirect IKE_SA '%s' to '%Y'", ike, gateway);
+	}
+	if (!peer_ip && !peer_id && !ike && !ike_id)
+	{
+		return send_reply(this, "missing redirect selector");
+	}
+
+	sas = charon->controller->create_ike_sa_enumerator(charon->controller, TRUE);
+	while (sas->enumerate(sas, &ike_sa))
+	{
+		if (ike_sa->get_version(ike_sa) != IKEV2)
+		{
+			continue;
+		}
+		current = ike_sa->get_unique_id(ike_sa);
+		if (ike_id && ike_id != current)
+		{
+			continue;
+		}
+		if (ike && !streq(ike, ike_sa->get_name(ike_sa)))
+		{
+			continue;
+		}
+		if (ts && !ts->includes(ts, ike_sa->get_other_host(ike_sa)))
+		{
+			continue;
+		}
+		if (identity)
+		{
+			other_id = ike_sa->get_other_eap_id(ike_sa);
+			if (!other_id->matches(other_id, identity))
+			{
+				continue;
+			}
+		}
+		lib->processor->queue_job(lib->processor,
+				(job_t*)redirect_job_create(ike_sa->get_id(ike_sa), gateway));
+		found++;
+	}
+	sas->destroy(sas);
+
+	builder = vici_builder_create();
+	if (!found)
+	{
+		errmsg = "no matching SAs to redirect found";
+	}
+	builder->add_kv(builder, "success", errmsg ? "no" : "yes");
+	if (errmsg)
+	{
+		builder->add_kv(builder, "errmsg", "%s", errmsg);
+	}
+	gateway->destroy(gateway);
+	DESTROY_IF(identity);
+	DESTROY_IF(ts);
+	return builder->finalize(builder);
+}
+
+/**
  * Find reqid of an existing CHILD_SA
  */
 static u_int32_t find_reqid(child_cfg_t *cfg)
@@ -379,10 +544,11 @@ CALLBACK(install, vici_message_t*,
 {
 	child_cfg_t *child_cfg = NULL;
 	peer_cfg_t *peer_cfg;
-	char *child;
+	char *child, *ike;
 	bool ok;
 
 	child = request->get_str(request, NULL, "child");
+	ike = request->get_str(request, NULL, "ike");
 	if (!child)
 	{
 		return send_reply(this, "missing configuration name");
@@ -390,7 +556,7 @@ CALLBACK(install, vici_message_t*,
 
 	DBG1(DBG_CFG, "vici install '%s'", child);
 
-	child_cfg = find_child_cfg(child, &peer_cfg);
+	child_cfg = find_child_cfg(child, ike, &peer_cfg);
 	if (!child_cfg)
 	{
 		return send_reply(this, "configuration name not found");
@@ -480,6 +646,7 @@ static void manage_commands(private_vici_control_t *this, bool reg)
 {
 	manage_command(this, "initiate", initiate, reg);
 	manage_command(this, "terminate", terminate, reg);
+	manage_command(this, "redirect", redirect, reg);
 	manage_command(this, "install", install, reg);
 	manage_command(this, "uninstall", uninstall, reg);
 	manage_command(this, "reload-settings", reload_settings, reg);
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index 6631184b5..3411b7d6c 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -15,6 +18,7 @@
 
 #include "vici_cred.h"
 #include "vici_builder.h"
+#include "vici_cert_info.h"
 
 #include <credentials/sets/mem_cred.h>
 #include <credentials/certificates/ac.h>
@@ -66,9 +70,9 @@ static vici_message_t* create_reply(char *fmt, ...)
 CALLBACK(load_cert, vici_message_t*,
 	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
 {
-	certificate_type_t type;
-	x509_flag_t required_flags = 0, additional_flags = 0;
 	certificate_t *cert;
+	certificate_type_t type;
+	x509_flag_t ext_flag, flag = X509_NONE;
 	x509_t *x509;
 	chunk_t data;
 	bool trusted = TRUE;
@@ -79,60 +83,55 @@ CALLBACK(load_cert, vici_message_t*,
 	{
 		return create_reply("certificate type missing");
 	}
-	if (strcaseeq(str, "x509"))
-	{
-		type = CERT_X509;
-	}
-	else if (strcaseeq(str, "x509ca"))
-	{
-		type = CERT_X509;
-		required_flags = X509_CA;
-	}
-	else if (strcaseeq(str, "x509aa"))
-	{
-		type = CERT_X509;
-		additional_flags = X509_AA;
-	}
-	else if (strcaseeq(str, "x509crl"))
+	if (enum_from_name(certificate_type_names, str, &type))
 	{
-		type = CERT_X509_CRL;
-	}
-	else if (strcaseeq(str, "x509ac"))
-	{
-		type = CERT_X509_AC;
-		trusted = FALSE;
+		if (type == CERT_X509)
+		{
+			str = message->get_str(message, "NONE", "flag");
+			if (!enum_from_name(x509_flag_names, str, &flag))
+			{
+				return create_reply("invalid certificate flag '%s'", str);
+			}
+		}
 	}
-	else
+	else if	(!vici_cert_info_from_str(str, &type, &flag))
 	{
-		return create_reply("invalid certificate type: %s", str);
+		return create_reply("invalid certificate type '%s'", str);
 	}
+
 	data = message->get_value(message, chunk_empty, "data");
 	if (!data.len)
 	{
 		return create_reply("certificate data missing");
 	}
+
+	/* do not set CA flag externally */
+	ext_flag = (flag & X509_CA) ? X509_NONE : flag;
+
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
 							  BUILD_BLOB_PEM, data,
-							  BUILD_X509_FLAG, additional_flags,
+							  BUILD_X509_FLAG, ext_flag,
 							  BUILD_END);
 	if (!cert)
 	{
 		return create_reply("parsing %N certificate failed",
 							certificate_type_names, type);
 	}
-	if (cert->get_type(cert) == CERT_X509)
+	DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
+
+	/* check if CA certificate has CA basic constraint set */
+	if (flag & X509_CA)
 	{
+		char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
 		x509 = (x509_t*)cert;
 
-		if ((required_flags & x509->get_flags(x509)) != required_flags)
+		if (!(x509->get_flags(x509) & X509_CA))
 		{
 			cert->destroy(cert);
-			return create_reply("certificate misses required flag, rejected");
+			DBG1(DBG_CFG, "  %s", err_msg);
+			return create_reply(err_msg);
 		}
 	}
-
-	DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
-
 	if (type == CERT_X509_CRL)
 	{
 		this->creds->add_crl(this->creds, (crl_t*)cert);
@@ -169,6 +168,10 @@ CALLBACK(load_key, vici_message_t*,
 	{
 		type = KEY_ECDSA;
 	}
+	else if (strcaseeq(str, "bliss"))
+	{
+		type = KEY_BLISS;
+	}
 	else
 	{
 		return create_reply("invalid key type: %s", str);
@@ -305,7 +308,7 @@ static void manage_commands(private_vici_cred_t *this, bool reg)
 METHOD(vici_cred_t, add_cert, certificate_t*,
 	private_vici_cred_t *this, certificate_t *cert)
 {
-	return this->creds->get_cert_ref(this->creds, cert);
+	return this->creds->add_cert_ref(this->creds, TRUE, cert);
 }
 
 METHOD(vici_cred_t, destroy, void,
diff --git a/src/libcharon/plugins/vici/vici_plugin.c b/src/libcharon/plugins/vici/vici_plugin.c
index 53ed8cdfb..ed7c743c7 100644
--- a/src/libcharon/plugins/vici/vici_plugin.c
+++ b/src/libcharon/plugins/vici/vici_plugin.c
@@ -131,7 +131,8 @@ static bool register_vici(private_vici_plugin_t *this,
 			this->authority = vici_authority_create(this->dispatcher,
 													this->cred);
 			lib->credmgr->add_set(lib->credmgr, &this->authority->set);
-			this->config = vici_config_create(this->dispatcher, this->authority);
+			this->config = vici_config_create(this->dispatcher, this->authority,
+											  this->cred);
 			this->attrs = vici_attribute_create(this->dispatcher);
 			this->logger = vici_logger_create(this->dispatcher);
 
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 9a3d832da..284c23ee0 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner, Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
@@ -37,6 +40,7 @@
 
 #include "vici_query.h"
 #include "vici_builder.h"
+#include "vici_cert_info.h"
 
 #include <inttypes.h>
 #include <time.h>
@@ -48,6 +52,9 @@
 #endif
 
 #include <daemon.h>
+#include <asn1/asn1.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
 
 typedef struct private_vici_query_t private_vici_query_t;
 
@@ -120,7 +127,7 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 				}
 			}
 			if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
-										&alg, &ks) && alg != ENCR_UNDEFINED)
+										&alg, &ks) && alg != AUTH_UNDEFINED)
 			{
 				b->add_kv(b, "integ-alg", "%N", integrity_algorithm_names, alg);
 				if (ks)
@@ -128,11 +135,6 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 					b->add_kv(b, "integ-keysize", "%u", ks);
 				}
 			}
-			if (proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION,
-										&alg, NULL))
-			{
-				b->add_kv(b, "prf-alg", "%N", pseudo_random_function_names, alg);
-			}
 			if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
 										&alg, NULL))
 			{
@@ -271,15 +273,20 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 	identification_t *eap;
 	proposal_t *proposal;
 	u_int16_t alg, ks;
+	host_t *host;
 
 	b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
 	b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
 	b->add_kv(b, "state", "%N", ike_sa_state_names, ike_sa->get_state(ike_sa));
 
-	b->add_kv(b, "local-host", "%H", ike_sa->get_my_host(ike_sa));
+	host = ike_sa->get_my_host(ike_sa);
+	b->add_kv(b, "local-host", "%H", host);
+	b->add_kv(b, "local-port", "%d", host->get_port(host));
 	b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
 
-	b->add_kv(b, "remote-host", "%H", ike_sa->get_other_host(ike_sa));
+	host = ike_sa->get_other_host(ike_sa);
+	b->add_kv(b, "remote-host", "%H", host);
+	b->add_kv(b, "remote-port", "%d", host->get_port(host));
 	b->add_kv(b, "remote-id", "%Y", ike_sa->get_other_id(ike_sa));
 
 	eap = ike_sa->get_other_eap_id(ike_sa);
@@ -301,8 +308,10 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 	{
 		b->add_kv(b, "initiator", "yes");
 	}
-	b->add_kv(b, "initiator-spi", "%.16"PRIx64, id->get_initiator_spi(id));
-	b->add_kv(b, "responder-spi", "%.16"PRIx64, id->get_responder_spi(id));
+	b->add_kv(b, "initiator-spi", "%.16"PRIx64,
+			  be64toh(id->get_initiator_spi(id)));
+	b->add_kv(b, "responder-spi", "%.16"PRIx64,
+			  be64toh(id->get_responder_spi(id)));
 
 	add_condition(b, ike_sa, "nat-local", COND_NAT_HERE);
 	add_condition(b, ike_sa, "nat-remote", COND_NAT_THERE);
@@ -772,7 +781,7 @@ CALLBACK(list_conns, vici_message_t*,
 /**
  * Do we have a private key for given certificate
  */
-static bool has_privkey(private_vici_query_t *this, certificate_t *cert)
+static bool has_privkey(certificate_t *cert)
 {
 	private_key_t *private;
 	public_key_t *public;
@@ -800,81 +809,332 @@ static bool has_privkey(private_vici_query_t *this, certificate_t *cert)
 	return found;
 }
 
-CALLBACK(list_certs, vici_message_t*,
-	private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
+/**
+ * Store cert filter data
+ */
+typedef struct {
+	certificate_type_t type;
+	x509_flag_t flag;
+	identification_t *subject;
+} cert_filter_t;
+
+/**
+ * Enumerate all X.509 certificates with a given flag
+ */
+static void enum_x509(private_vici_query_t *this, u_int id,
+					  linked_list_t *certs, cert_filter_t *filter,
+					  x509_flag_t flag)
 {
-	enumerator_t *enumerator, *added;
-	linked_list_t *list;
-	certificate_t *cert, *current;
-	chunk_t encoding;
-	identification_t *subject = NULL;
-	int type;
+	enumerator_t *enumerator;
+	certificate_t *cert;
 	vici_builder_t *b;
-	bool found;
-	char *str;
+	chunk_t encoding;
+	x509_t *x509;
 
-	str = request->get_str(request, "ANY", "type");
-	if (!enum_from_name(certificate_type_names, str, &type))
+	if (filter->type != CERT_ANY && filter->flag != X509_ANY &&
+		filter->flag != flag)
 	{
-		b = vici_builder_create();
-		return b->finalize(b);
-	}
-	str = request->get_str(request, NULL, "subject");
-	if (str)
-	{
-		subject = identification_create_from_string(str);
+		return;
 	}
 
-	list = linked_list_create();
-	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
-												type, KEY_ANY, subject, FALSE);
+	enumerator = certs->create_enumerator(certs);
 	while (enumerator->enumerate(enumerator, &cert))
 	{
-		found = FALSE;
-		added = list->create_enumerator(list);
-		while (added->enumerate(added, &current))
+		x509 = (x509_t*)cert;
+		if ((x509->get_flags(x509) & X509_ANY) != flag)
 		{
-			if (current->equals(current, cert))
+			continue;
+		}
+
+		if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+		{
+			b = vici_builder_create();
+			b->add_kv(b, "type", "%N", certificate_type_names, CERT_X509);
+			b->add_kv(b, "flag", "%N", x509_flag_names, flag);
+			if (has_privkey(cert))
 			{
-				found = TRUE;
-				break;
+				b->add_kv(b, "has_privkey", "yes");
 			}
+			b->add(b, VICI_KEY_VALUE, "data", encoding);
+			free(encoding.ptr);
+
+			this->dispatcher->raise_event(this->dispatcher, "list-cert", id,
+										  b->finalize(b));
 		}
-		added->destroy(added);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Enumerate all non-X.509 certificate types
+ */
+static void enum_others(private_vici_query_t *this, u_int id,
+						linked_list_t *certs, certificate_type_t type)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	vici_builder_t *b;
+	chunk_t encoding, t_ch;
+	cred_encoding_type_t encoding_type;
+	identification_t *subject;
+	time_t not_before, not_after;
+
+	encoding_type = (type == CERT_TRUSTED_PUBKEY) ? PUBKEY_SPKI_ASN1_DER :
+													CERT_ASN1_DER;
 
-		if (!found && cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+	enumerator = certs->create_enumerator(certs);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		if (cert->get_encoding(cert, encoding_type, &encoding))
 		{
 			b = vici_builder_create();
-			b->add_kv(b, "type", "%N",
-					  certificate_type_names, cert->get_type(cert));
-			if (has_privkey(this, cert))
+			b->add_kv(b, "type", "%N", certificate_type_names, type);
+			if (has_privkey(cert))
 			{
 				b->add_kv(b, "has_privkey", "yes");
 			}
 			b->add(b, VICI_KEY_VALUE, "data", encoding);
 			free(encoding.ptr);
 
+			if (type == CERT_TRUSTED_PUBKEY)
+			{
+				subject = cert->get_subject(cert);
+				if (subject->get_type(subject) != ID_KEY_ID)
+				{
+					b->add_kv(b, "subject", "%Y", cert->get_subject(cert));
+				}
+				cert->get_validity(cert, NULL, &not_before, &not_after);
+				if (not_before != UNDEFINED_TIME)
+				{
+					t_ch = asn1_from_time(&not_before, ASN1_GENERALIZEDTIME);
+					b->add(b, VICI_KEY_VALUE, "not-before", chunk_skip(t_ch, 2));
+					chunk_free(&t_ch);
+				}
+				if (not_after != UNDEFINED_TIME)
+				{
+					t_ch = asn1_from_time(&not_after, ASN1_GENERALIZEDTIME);
+					b->add(b, VICI_KEY_VALUE, "not-after", chunk_skip(t_ch, 2));
+					chunk_free(&t_ch);
+				}
+			}
 			this->dispatcher->raise_event(this->dispatcher, "list-cert", id,
 										  b->finalize(b));
-			list->insert_last(list, cert->get_ref(cert));
 		}
 	}
 	enumerator->destroy(enumerator);
+}
 
-	list->destroy_offset(list, offsetof(certificate_t, destroy));
-	DESTROY_IF(subject);
+/**
+ * Enumerate all certificates of a given type
+ */
+static void enum_certs(private_vici_query_t *this,	u_int id,
+					   cert_filter_t *filter, certificate_type_t type)
+{
+	enumerator_t *e1, *e2;
+	certificate_t *cert, *current;
+	linked_list_t *certs;
+	bool found;
 
+	if (filter->type != CERT_ANY && filter->type != type)
+	{
+		return;
+	}
+	certs = linked_list_create();
+
+	e1 = lib->credmgr->create_cert_enumerator(lib->credmgr, type, KEY_ANY,
+											  filter->subject, FALSE);
+	while (e1->enumerate(e1, &cert))
+	{
+		found = FALSE;
+
+		e2 = certs->create_enumerator(certs);
+		while (e2->enumerate(e2, &current))
+		{
+			if (current->equals(current, cert))
+			{
+				found = TRUE;
+				break;
+			}
+		}
+		e2->destroy(e2);
+
+		if (!found)
+		{
+			certs->insert_last(certs, cert->get_ref(cert));
+		}
+	}
+	e1->destroy(e1);
+
+	if (type == CERT_X509)
+	{
+		enum_x509(this, id, certs, filter, X509_NONE);
+		enum_x509(this, id, certs, filter, X509_CA);
+		enum_x509(this, id, certs, filter, X509_AA);
+		enum_x509(this, id, certs, filter, X509_OCSP_SIGNER);
+	}
+	else
+	{
+		enum_others(this, id, certs, type);
+	}
+	certs->destroy_offset(certs, offsetof(certificate_t, destroy));
+}
+
+CALLBACK(list_certs, vici_message_t*,
+	private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
+{
+	cert_filter_t filter = {
+		.type = CERT_ANY,
+		.flag = X509_ANY,
+		.subject = NULL
+	};
+	vici_builder_t *b;
+	char *str;
+
+	str = request->get_str(request, "ANY", "type");
+	if (enum_from_name(certificate_type_names, str, &filter.type))
+	{
+		if (filter.type == CERT_X509)
+		{
+			str = request->get_str(request, "ANY", "flag");
+			if (!enum_from_name(x509_flag_names, str, &filter.flag))
+			{
+				DBG1(DBG_CFG, "invalid certificate flag '%s'", str);
+				goto finalize;
+			}
+		}
+	}
+	else if	(!vici_cert_info_from_str(str, &filter.type, &filter.flag))
+	{
+		DBG1(DBG_CFG, "invalid certificate type '%s'", str);
+		goto finalize;
+	}
+
+	str = request->get_str(request, NULL, "subject");
+	if (str)
+	{
+		filter.subject = identification_create_from_string(str);
+	}
+
+	enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY);
+	enum_certs(this, id, &filter, CERT_X509);
+	enum_certs(this, id, &filter, CERT_X509_AC);
+	enum_certs(this, id, &filter, CERT_X509_CRL);
+	enum_certs(this, id, &filter, CERT_X509_OCSP_RESPONSE);
+	DESTROY_IF(filter.subject);
+
+finalize:
 	b = vici_builder_create();
 	return b->finalize(b);
 }
 
-CALLBACK(version, vici_message_t*,
+/**
+ * Add a key/value pair of ALG => plugin
+ */
+static void add_algorithm(vici_builder_t *b, enum_name_t *alg_names,
+						  int alg_type, const char *plugin_name)
+{
+	char alg_name[BUF_LEN];
+
+	sprintf(alg_name, "%N", alg_names, alg_type);
+	b->add_kv(b, alg_name, (char*)plugin_name);
+}
+
+CALLBACK(get_algorithms, vici_message_t*,
 	private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
 {
 	vici_builder_t *b;
+	enumerator_t *enumerator;
+	encryption_algorithm_t encryption;
+	integrity_algorithm_t integrity;
+	hash_algorithm_t hash;
+	pseudo_random_function_t prf;
+	diffie_hellman_group_t group;
+	rng_quality_t quality;
+	const char *plugin_name;
 
 	b = vici_builder_create();
 
+	b->begin_section(b, "encryption");
+	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+	{
+		add_algorithm(b, encryption_algorithm_names, encryption, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "integrity");
+	enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
+	{
+		add_algorithm(b, integrity_algorithm_names, integrity, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "aead");
+	enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+	{
+		add_algorithm(b, encryption_algorithm_names, encryption, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "hasher");
+	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &hash, &plugin_name))
+	{
+		add_algorithm(b, hash_algorithm_names, hash, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "prf");
+	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &prf, &plugin_name))
+	{
+		add_algorithm(b, pseudo_random_function_names, prf, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "dh");
+	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &group, &plugin_name))
+	{
+		add_algorithm(b, diffie_hellman_group_names, group, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "rng");
+	enumerator = lib->crypto->create_rng_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &quality, &plugin_name))
+	{
+		add_algorithm(b, rng_quality_names, quality, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "nonce-gen");
+	enumerator = lib->crypto->create_nonce_gen_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &plugin_name))
+	{
+		b->add_kv(b, "NONCE_GEN", (char*)plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	return b->finalize(b);
+}
+
+CALLBACK(version, vici_message_t*,
+	private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
+{
+	vici_builder_t *b;
+
+	b = vici_builder_create();
 	b->add_kv(b, "daemon", "%s", lib->ns);
 	b->add_kv(b, "version", "%s", VERSION);
 
@@ -915,18 +1175,6 @@ CALLBACK(version, vici_message_t*,
 	return b->finalize(b);
 }
 
-/**
- * Callback function for memusage summary
- */
-CALLBACK(sum_usage, void,
-	vici_builder_t *b, int count, size_t bytes, int whitelisted)
-{
-	b->begin_section(b, "mem");
-	b->add_kv(b, "total", "%zu", bytes);
-	b->add_kv(b, "allocs", "%d", count);
-	b->end_section(b);
-}
-
 CALLBACK(stats, vici_message_t*,
 	private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
 {
@@ -988,12 +1236,7 @@ CALLBACK(stats, vici_message_t*,
 	enumerator->destroy(enumerator);
 	b->end_list(b);
 
-	if (lib->leak_detective)
-	{
-		lib->leak_detective->usage(lib->leak_detective, NULL, sum_usage, b);
-	}
 #ifdef WIN32
-	else
 	{
 		DWORD lasterr = ERROR_INVALID_HANDLE;
 		HANDLE heaps[32];
@@ -1085,6 +1328,7 @@ static void manage_commands(private_vici_query_t *this, bool reg)
 	manage_command(this, "list-policies", list_policies, reg);
 	manage_command(this, "list-conns", list_conns, reg);
 	manage_command(this, "list-certs", list_certs, reg);
+	manage_command(this, "get-algorithms", get_algorithms, reg);
 	manage_command(this, "version", version, reg);
 	manage_command(this, "stats", stats, reg);
 }
diff --git a/src/libcharon/plugins/vici/vici_tests.c b/src/libcharon/plugins/vici/vici_tests.c
index 434aa5e18..d1f8097bf 100644
--- a/src/libcharon/plugins/vici/vici_tests.c
+++ b/src/libcharon/plugins/vici/vici_tests.c
@@ -16,7 +16,6 @@
 #include <test_runner.h>
 
 #include <daemon.h>
-#include <hydra.h>
 
 /* declare test suite constructors */
 #define TEST_SUITE(x) test_suite_t* x();
diff --git a/src/libcharon/plugins/whitelist/Makefile.am b/src/libcharon/plugins/whitelist/Makefile.am
index 1fd01c888..7f6bfff14 100644
--- a/src/libcharon/plugins/whitelist/Makefile.am
+++ b/src/libcharon/plugins/whitelist/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index e400d9f35..549ef6bce 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -423,6 +423,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -438,7 +440,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.am b/src/libcharon/plugins/xauth_eap/Makefile.am
index ea75c1581..5c7228e85 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.am
+++ b/src/libcharon/plugins/xauth_eap/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index a9684455d..6992df820 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.am b/src/libcharon/plugins/xauth_generic/Makefile.am
index 1ecd9fd14..282bfc4fe 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.am
+++ b/src/libcharon/plugins/xauth_generic/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index 5170c924f..057a734a3 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.am b/src/libcharon/plugins/xauth_noauth/Makefile.am
index 3902471fe..bb41f2169 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.am
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index 087f5b350..6b0104e30 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.am b/src/libcharon/plugins/xauth_pam/Makefile.am
index abf83ca75..cee8bf811 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.am
+++ b/src/libcharon/plugins/xauth_pam/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index 29441bcb5..ae6a4d070 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c
index b4f135a57..c39689012 100644
--- a/src/libcharon/processing/jobs/adopt_children_job.c
+++ b/src/libcharon/processing/jobs/adopt_children_job.c
@@ -19,7 +19,6 @@
 #include "adopt_children_job.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <collections/array.h>
 #include <processing/jobs/delete_ike_sa_job.h>
 
diff --git a/src/libcharon/processing/jobs/redirect_job.c b/src/libcharon/processing/jobs/redirect_job.c
new file mode 100644
index 000000000..e1af662c9
--- /dev/null
+++ b/src/libcharon/processing/jobs/redirect_job.c
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+
+#include "redirect_job.h"
+
+typedef struct private_redirect_job_t private_redirect_job_t;
+
+/**
+ * Private data
+ */
+struct private_redirect_job_t {
+
+	/**
+	 * Public interface
+	 */
+	redirect_job_t public;
+
+	/**
+	 * ID of the IKE_SA to redirect
+	 */
+	ike_sa_id_t *ike_sa_id;
+
+	/**
+	 * Target gateway identity
+	 */
+	identification_t *gateway;
+};
+
+
+METHOD(job_t, destroy, void,
+	private_redirect_job_t *this)
+{
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	this->gateway->destroy(this->gateway);
+	free(this);
+}
+
+METHOD(job_t, execute, job_requeue_t,
+	private_redirect_job_t *this)
+{
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+											  this->ike_sa_id);
+	if (ike_sa)
+	{
+		if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+			return JOB_REQUEUE_NONE;
+		}
+		if (ike_sa->redirect(ike_sa, this->gateway) == DESTROY_ME)
+		{
+			charon->ike_sa_manager->checkin_and_destroy(
+											charon->ike_sa_manager, ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+METHOD(job_t, get_priority, job_priority_t,
+	private_redirect_job_t *this)
+{
+	return JOB_PRIO_MEDIUM;
+}
+
+/*
+ * Described in header
+ */
+redirect_job_t *redirect_job_create(ike_sa_id_t *ike_sa_id,
+									identification_t *gateway)
+{
+	private_redirect_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.get_priority = _get_priority,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa_id = ike_sa_id->clone(ike_sa_id),
+		.gateway = gateway->clone(gateway),
+	);
+
+	return &(this->public);
+}
diff --git a/src/libcharon/processing/jobs/redirect_job.h b/src/libcharon/processing/jobs/redirect_job.h
new file mode 100644
index 000000000..fe4b34ee9
--- /dev/null
+++ b/src/libcharon/processing/jobs/redirect_job.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup redirect_job redirect_job
+ * @{ @ingroup cjobs
+ */
+
+#ifndef REDIRECT_JOB_H_
+#define REDIRECT_JOB_H_
+
+typedef struct redirect_job_t redirect_job_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <processing/jobs/job.h>
+
+/**
+ * Job used to redirect an IKE_SA.
+ */
+struct redirect_job_t {
+
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job to redirect an IKE_SA.
+ *
+ * @param ike_sa_id			id of the IKE_SA to redirect (cloned)
+ * @param gateway			gateway identity (IP or FQDN) of target (cloned)
+ * @return					created redirect_job_t object
+ */
+redirect_job_t *redirect_job_create(ike_sa_id_t *ike_sa_id,
+									identification_t *gateway);
+
+#endif /** REDIRECT_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/send_keepalive_job.c b/src/libcharon/processing/jobs/send_keepalive_job.c
index 3e3477679..e06eae3d3 100644
--- a/src/libcharon/processing/jobs/send_keepalive_job.c
+++ b/src/libcharon/processing/jobs/send_keepalive_job.c
@@ -54,7 +54,7 @@ METHOD(job_t, execute, job_requeue_t,
 											  this->ike_sa_id);
 	if (ike_sa)
 	{
-		ike_sa->send_keepalive(ike_sa);
+		ike_sa->send_keepalive(ike_sa, TRUE);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
 	return JOB_REQUEUE_NONE;
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index b0f163c83..56b7cb5a4 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -23,7 +23,6 @@
 #include <string.h>
 #include <time.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <collections/array.h>
 
@@ -469,10 +468,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 	{
 		if (this->my_spi)
 		{
-			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
-							this->other_addr, this->my_addr, this->my_spi,
-							proto_ike2ip(this->protocol), this->mark_in,
-							&bytes, &packets, &time);
+			status = charon->kernel->query_sa(charon->kernel, this->other_addr,
+									this->my_addr, this->my_spi,
+									proto_ike2ip(this->protocol), this->mark_in,
+									&bytes, &packets, &time);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->my_usebytes)
@@ -493,10 +492,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 	{
 		if (this->other_spi)
 		{
-			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
-							this->my_addr, this->other_addr, this->other_spi,
-							proto_ike2ip(this->protocol), this->mark_out,
-							&bytes, &packets, &time);
+			status = charon->kernel->query_sa(charon->kernel, this->my_addr,
+								this->other_addr, this->other_spi,
+								proto_ike2ip(this->protocol), this->mark_out,
+								&bytes, &packets, &time);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->other_usebytes)
@@ -532,15 +531,15 @@ static bool update_usetime(private_child_sa_t *this, bool inbound)
 
 		if (inbound)
 		{
-			if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
-						other_ts, my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS)
+			if (charon->kernel->query_policy(charon->kernel, other_ts,
+							my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS)
 			{
 				last_use = max(last_use, in);
 			}
 			if (this->mode != MODE_TRANSPORT)
 			{
-				if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
-						other_ts, my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS)
+				if (charon->kernel->query_policy(charon->kernel, other_ts,
+							my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS)
 				{
 					last_use = max(last_use, fwd);
 				}
@@ -548,8 +547,8 @@ static bool update_usetime(private_child_sa_t *this, bool inbound)
 		}
 		else
 		{
-			if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
-						my_ts, other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS)
+			if (charon->kernel->query_policy(charon->kernel, my_ts,
+							other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS)
 			{
 				last_use = max(last_use, out);
 			}
@@ -629,10 +628,8 @@ METHOD(child_sa_t, get_installtime, time_t,
 METHOD(child_sa_t, alloc_spi, u_int32_t,
 	   private_child_sa_t *this, protocol_id_t protocol)
 {
-	if (hydra->kernel_interface->get_spi(hydra->kernel_interface,
-										 this->other_addr, this->my_addr,
-										 proto_ike2ip(protocol),
-										 &this->my_spi) == SUCCESS)
+	if (charon->kernel->get_spi(charon->kernel, this->other_addr, this->my_addr,
+							proto_ike2ip(protocol), &this->my_spi) == SUCCESS)
 	{
 		/* if we allocate a SPI, but then are unable to establish the SA, we
 		 * need to know the protocol family to delete the partial SA */
@@ -645,9 +642,8 @@ METHOD(child_sa_t, alloc_spi, u_int32_t,
 METHOD(child_sa_t, alloc_cpi, u_int16_t,
 	   private_child_sa_t *this)
 {
-	if (hydra->kernel_interface->get_cpi(hydra->kernel_interface,
-										 this->other_addr, this->my_addr,
-										 &this->my_cpi) == SUCCESS)
+	if (charon->kernel->get_cpi(charon->kernel, this->other_addr, this->my_addr,
+								&this->my_cpi) == SUCCESS)
 	{
 		return this->my_cpi;
 	}
@@ -711,9 +707,8 @@ METHOD(child_sa_t, install, status_t,
 
 	if (!this->reqid_allocated && !this->static_reqid)
 	{
-		status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface,
-							my_ts, other_ts, this->mark_in, this->mark_out,
-							&this->reqid);
+		status = charon->kernel->alloc_reqid(charon->kernel, my_ts, other_ts,
+								this->mark_in, this->mark_out, &this->reqid);
 		if (status != SUCCESS)
 		{
 			return status;
@@ -757,7 +752,7 @@ METHOD(child_sa_t, install, status_t,
 		dst_ts = other_ts;
 	}
 
-	status = hydra->kernel_interface->add_sa(hydra->kernel_interface,
+	status = charon->kernel->add_sa(charon->kernel,
 				src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
 				inbound ? this->mark_in : this->mark_out, tfc,
 				lifetime, enc_alg, encr, int_alg, integ, this->mode,
@@ -776,7 +771,7 @@ static bool require_policy_update()
 {
 	kernel_feature_t f;
 
-	f = hydra->kernel_interface->get_features(hydra->kernel_interface);
+	f = charon->kernel->get_features(charon->kernel);
 	return !(f & KERNEL_NO_POLICY_UPDATES);
 }
 
@@ -833,18 +828,18 @@ static status_t install_policies_internal(private_child_sa_t *this,
 	ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority)
 {
 	status_t status = SUCCESS;
-	status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+	status |= charon->kernel->add_policy(charon->kernel,
 							my_addr, other_addr, my_ts, other_ts,
 							POLICY_OUT, type, other_sa,
 							this->mark_out, priority);
 
-	status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+	status |= charon->kernel->add_policy(charon->kernel,
 							other_addr, my_addr, other_ts, my_ts,
 							POLICY_IN, type, my_sa,
 							this->mark_in, priority);
 	if (this->mode != MODE_TRANSPORT)
 	{
-		status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+		status |= charon->kernel->add_policy(charon->kernel,
 							other_addr, my_addr, other_ts, my_ts,
 							POLICY_FWD, type, my_sa,
 							this->mark_in, priority);
@@ -861,15 +856,15 @@ static void del_policies_internal(private_child_sa_t *this,
 	ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority)
 {
 
-	hydra->kernel_interface->del_policy(hydra->kernel_interface,
+	charon->kernel->del_policy(charon->kernel,
 						my_addr, other_addr, my_ts, other_ts, POLICY_OUT, type,
 						other_sa, this->mark_out, priority);
-	hydra->kernel_interface->del_policy(hydra->kernel_interface,
+	charon->kernel->del_policy(charon->kernel,
 						other_addr, my_addr, other_ts, my_ts, POLICY_IN,
 						type, my_sa, this->mark_in, priority);
 	if (this->mode != MODE_TRANSPORT)
 	{
-		hydra->kernel_interface->del_policy(hydra->kernel_interface,
+		charon->kernel->del_policy(charon->kernel,
 						other_addr, my_addr, other_ts, my_ts, POLICY_FWD,
 						type, my_sa, this->mark_in, priority);
 	}
@@ -886,8 +881,8 @@ METHOD(child_sa_t, add_policies, status_t,
 	if (!this->reqid_allocated && !this->static_reqid)
 	{
 		/* trap policy, get or confirm reqid */
-		status = hydra->kernel_interface->alloc_reqid(
-							hydra->kernel_interface, my_ts_list, other_ts_list,
+		status = charon->kernel->alloc_reqid(
+							charon->kernel, my_ts_list, other_ts_list,
 							this->mark_in, this->mark_out, &this->reqid);
 		if (status != SUCCESS)
 		{
@@ -967,11 +962,10 @@ static void reinstall_vip(host_t *vip, host_t *me)
 {
 	char *iface;
 
-	if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
-											   me, &iface))
+	if (charon->kernel->get_interface(charon->kernel, me, &iface))
 	{
-		hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
-		hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, -1, iface);
+		charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
+		charon->kernel->add_ip(charon->kernel, vip, -1, iface);
 		free(iface);
 	}
 }
@@ -1000,7 +994,7 @@ METHOD(child_sa_t, update, status_t,
 		/* update our (initiator) SA */
 		if (this->my_spi)
 		{
-			if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
+			if (charon->kernel->update_sa(charon->kernel,
 							this->my_spi, proto_ike2ip(this->protocol),
 							this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
 							this->other_addr, this->my_addr, other, me,
@@ -1014,7 +1008,7 @@ METHOD(child_sa_t, update, status_t,
 		/* update his (responder) SA */
 		if (this->other_spi)
 		{
-			if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
+			if (charon->kernel->update_sa(charon->kernel,
 							this->other_spi, proto_ike2ip(this->protocol),
 							this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
 							this->my_addr, this->other_addr, me, other,
@@ -1143,14 +1137,14 @@ METHOD(child_sa_t, destroy, void,
 	/* delete SAs in the kernel, if they are set up */
 	if (this->my_spi)
 	{
-		hydra->kernel_interface->del_sa(hydra->kernel_interface,
+		charon->kernel->del_sa(charon->kernel,
 					this->other_addr, this->my_addr, this->my_spi,
 					proto_ike2ip(this->protocol), this->my_cpi,
 					this->mark_in);
 	}
 	if (this->other_spi)
 	{
-		hydra->kernel_interface->del_sa(hydra->kernel_interface,
+		charon->kernel->del_sa(charon->kernel,
 					this->my_addr, this->other_addr, this->other_spi,
 					proto_ike2ip(this->protocol), this->other_cpi,
 					this->mark_out);
@@ -1158,7 +1152,7 @@ METHOD(child_sa_t, destroy, void,
 
 	if (this->reqid_allocated)
 	{
-		if (hydra->kernel_interface->release_reqid(hydra->kernel_interface,
+		if (charon->kernel->release_reqid(charon->kernel,
 						this->reqid, this->mark_in, this->mark_out) != SUCCESS)
 		{
 			DBG1(DBG_CHD, "releasing reqid %u failed", this->reqid);
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index dcf9d5f2c..bcbff3211 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -46,7 +46,6 @@
 #include "ike_sa.h"
 
 #include <library.h>
-#include <hydra.h>
 #include <daemon.h>
 #include <collections/array.h>
 #include <utils/lexparser.h>
@@ -57,6 +56,9 @@
 #include <processing/jobs/rekey_ike_sa_job.h>
 #include <processing/jobs/retry_initiate_job.h>
 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
+#include <sa/ikev2/tasks/ike_reauth_complete.h>
+#include <sa/ikev2/tasks/ike_redirect.h>
+#include <credentials/sets/auth_cfg_wrapper.h>
 
 #ifdef ME
 #include <sa/ikev2/tasks/ike_me.h>
@@ -239,6 +241,11 @@ struct private_ike_sa_t {
 	u_int32_t keepalive_interval;
 
 	/**
+	 * The schedueld keep alive job, if any
+	 */
+	send_keepalive_job_t *keepalive_job;
+
+	/**
 	 * interval for retries during initiation (e.g. if DNS resolution failed),
 	 * 0 to disable (default)
 	 */
@@ -278,6 +285,21 @@ struct private_ike_sa_t {
 	 * Maximum length of a single fragment, 0 for address-specific defaults
 	 */
 	size_t fragment_size;
+
+	/**
+	 * Whether to follow IKEv2 redirects
+	 */
+	bool follow_redirects;
+
+	/**
+	 * Original gateway address from which we got redirected
+	 */
+	host_t *redirected_from;
+
+	/**
+	 * Timestamps of redirect attempts to handle loops
+	 */
+	array_t *redirected_at;
 };
 
 /**
@@ -382,6 +404,12 @@ METHOD(ike_sa_t, set_other_host, void,
 	this->other_host = other;
 }
 
+METHOD(ike_sa_t, get_redirected_from, host_t*,
+	private_ike_sa_t *this)
+{
+	return this->redirected_from;
+}
+
 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
 	private_ike_sa_t *this)
 {
@@ -455,6 +483,113 @@ static void flush_auth_cfgs(private_ike_sa_t *this)
 	}
 }
 
+METHOD(ike_sa_t, verify_peer_certificate, bool,
+	private_ike_sa_t *this)
+{
+	enumerator_t *e1, *e2, *certs;
+	auth_cfg_t *cfg, *cfg_done;
+	certificate_t *peer, *cert;
+	public_key_t *key;
+	auth_cfg_t *auth;
+	auth_cfg_wrapper_t *wrapper;
+	time_t not_before, not_after;
+	bool valid = TRUE, found;
+
+	if (this->state != IKE_ESTABLISHED)
+	{
+		DBG1(DBG_IKE, "unable to verify peer certificate in state %N",
+			 ike_sa_state_names, this->state);
+		return FALSE;
+	}
+
+	if (!this->flush_auth_cfg &&
+		lib->settings->get_bool(lib->settings,
+								"%s.flush_auth_cfg", FALSE, lib->ns))
+	{	/* we can do this check only once if auth configs are flushed */
+		DBG1(DBG_IKE, "unable to verify peer certificate as authentication "
+			 "information has been flushed");
+		return FALSE;
+	}
+	this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED,
+							   FALSE);
+
+	e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
+	e2 = array_create_enumerator(this->other_auths);
+	while (e1->enumerate(e1, &cfg))
+	{
+		if (!e2->enumerate(e2, &cfg_done))
+		{	/* this should not happen as the authentication should never have
+			 * succeeded */
+			valid = FALSE;
+			break;
+		}
+		if ((uintptr_t)cfg_done->get(cfg_done,
+									 AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_PUBKEY)
+		{
+			continue;
+		}
+		peer = cfg_done->get(cfg_done, AUTH_RULE_SUBJECT_CERT);
+		if (!peer)
+		{
+			DBG1(DBG_IKE, "no subject certificate found, skipping certificate "
+				 "verification");
+			continue;
+		}
+		if (!peer->get_validity(peer, NULL, &not_before, &not_after))
+		{
+			DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)",
+				 &not_before, FALSE, &not_after, FALSE);
+			valid = FALSE;
+			break;
+		}
+		key = peer->get_public_key(peer);
+		if (!key)
+		{
+			DBG1(DBG_IKE, "unable to retrieve public key, skipping certificate "
+				 "verification");
+			continue;
+		}
+		DBG1(DBG_IKE, "verifying peer certificate");
+		/* serve received certificates */
+		wrapper = auth_cfg_wrapper_create(cfg_done);
+		lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE);
+		certs = lib->credmgr->create_trusted_enumerator(lib->credmgr,
+							key->get_type(key), peer->get_subject(peer), TRUE);
+		key->destroy(key);
+
+		found = FALSE;
+		while (certs->enumerate(certs, &cert, &auth))
+		{
+			if (peer->equals(peer, cert))
+			{
+				cfg_done->add(cfg_done, AUTH_RULE_CERT_VALIDATION_SUSPENDED,
+							  FALSE);
+				cfg_done->merge(cfg_done, auth, FALSE);
+				valid = cfg_done->complies(cfg_done, cfg, TRUE);
+				found = TRUE;
+				break;
+			}
+		}
+		certs->destroy(certs);
+		lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set);
+		wrapper->destroy(wrapper);
+		if (!found || !valid)
+		{
+			valid = FALSE;
+			break;
+		}
+	}
+	e1->destroy(e1);
+	e2->destroy(e2);
+
+	if (this->flush_auth_cfg)
+	{
+		this->flush_auth_cfg = FALSE;
+		flush_auth_cfgs(this);
+	}
+	return valid;
+}
+
 METHOD(ike_sa_t, get_proposal, proposal_t*,
 	private_ike_sa_t *this)
 {
@@ -482,14 +617,20 @@ METHOD(ike_sa_t, set_message_id, void,
 }
 
 METHOD(ike_sa_t, send_keepalive, void,
-	private_ike_sa_t *this)
+	private_ike_sa_t *this, bool scheduled)
 {
-	send_keepalive_job_t *job;
 	time_t last_out, now, diff;
 
-	if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0 ||
-		this->state == IKE_PASSIVE)
-	{	/* disable keep alives if we are not NATed anymore, or we are passive */
+	if (scheduled)
+	{
+		this->keepalive_job = NULL;
+	}
+	if (!this->keepalive_interval || this->state == IKE_PASSIVE)
+	{	/* keepalives disabled either by configuration or for passive IKE_SAs */
+		return;
+	}
+	if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
+	{	/* disable keepalives if we are not NATed anymore, or the SA is stale */
 		return;
 	}
 
@@ -514,9 +655,12 @@ METHOD(ike_sa_t, send_keepalive, void,
 		charon->sender->send_no_marker(charon->sender, packet);
 		diff = 0;
 	}
-	job = send_keepalive_job_create(this->ike_sa_id);
-	lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
-								 this->keepalive_interval - diff);
+	if (!this->keepalive_job)
+	{
+		this->keepalive_job = send_keepalive_job_create(this->ike_sa_id);
+		lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job,
+									 this->keepalive_interval - diff);
+	}
 }
 
 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
@@ -563,7 +707,7 @@ METHOD(ike_sa_t, set_condition, void,
 				case COND_NAT_HERE:
 					DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
 					this->conditions |= COND_NAT_ANY;
-					send_keepalive(this);
+					send_keepalive(this, FALSE);
 					break;
 				case COND_NAT_THERE:
 					DBG1(DBG_IKE, "remote host is behind NAT");
@@ -590,6 +734,9 @@ METHOD(ike_sa_t, set_condition, void,
 								  has_condition(this, COND_NAT_THERE) ||
 								  has_condition(this, COND_NAT_FAKE));
 					break;
+				case COND_STALE:
+					send_keepalive(this, FALSE);
+					break;
 				default:
 					break;
 			}
@@ -727,6 +874,8 @@ METHOD(ike_sa_t, set_state, void,
 				{
 					keepalives = TRUE;
 				}
+				DESTROY_IF(this->redirected_from);
+				this->redirected_from = NULL;
 			}
 			break;
 		}
@@ -749,7 +898,7 @@ METHOD(ike_sa_t, set_state, void,
 	}
 	if (keepalives)
 	{
-		send_keepalive(this);
+		send_keepalive(this, FALSE);
 	}
 }
 
@@ -786,12 +935,12 @@ METHOD(ike_sa_t, add_virtual_ip, void,
 	{
 		char *iface;
 
-		if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
-												   this->my_host, &iface))
+		if (charon->kernel->get_interface(charon->kernel, this->my_host,
+										  &iface))
 		{
 			DBG1(DBG_IKE, "installing new virtual IP %H", ip);
-			if (hydra->kernel_interface->add_ip(hydra->kernel_interface,
-												ip, -1, iface) == SUCCESS)
+			if (charon->kernel->add_ip(charon->kernel, ip, -1,
+									   iface) == SUCCESS)
 			{
 				array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
 			}
@@ -828,8 +977,7 @@ METHOD(ike_sa_t, clear_virtual_ips, void,
 	{
 		if (local)
 		{
-			hydra->kernel_interface->del_ip(hydra->kernel_interface,
-											vip, -1, TRUE);
+			charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
 		}
 		vip->destroy(vip);
 	}
@@ -1265,8 +1413,8 @@ static void resolve_hosts(private_ike_sa_t *this)
 			!this->other_host->is_anyaddr(this->other_host))
 		{
 			host->destroy(host);
-			host = hydra->kernel_interface->get_source_addr(
-							hydra->kernel_interface, this->other_host, NULL);
+			host = charon->kernel->get_source_addr(charon->kernel,
+												   this->other_host, NULL);
 			if (host)
 			{
 				host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
@@ -1401,9 +1549,14 @@ METHOD(ike_sa_t, process_message, status_t,
 	status = this->task_manager->process_message(this->task_manager, message);
 	if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
 	{
-		/* authentication completed */
-		this->flush_auth_cfg = FALSE;
-		flush_auth_cfgs(this);
+		/* authentication completed but if the online validation is suspended we
+		 * need the auth cfgs until we did the delayed verification, we flush
+		 * them afterwards */
+		if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED))
+		{
+			this->flush_auth_cfg = FALSE;
+			flush_auth_cfgs(this);
+		}
 	}
 	return status;
 }
@@ -1735,6 +1888,86 @@ static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
 	return found;
 }
 
+/**
+ * Reestablish CHILD_SAs and migrate queued tasks.
+ *
+ * If force is true all SAs are restarted, otherwise their close/dpd_action
+ * is followed.
+ */
+static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
+									 bool force)
+{
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+	child_cfg_t *child_cfg;
+	action_t action;
+	status_t status = FAILED;
+
+	/* handle existing CHILD_SAs */
+	enumerator = create_child_sa_enumerator(this);
+	while (enumerator->enumerate(enumerator, (void**)&child_sa))
+	{
+		if (force)
+		{
+			switch (child_sa->get_state(child_sa))
+			{
+				case CHILD_ROUTED:
+				{	/* move routed child directly */
+					remove_child_sa(this, enumerator);
+					new->add_child_sa(new, child_sa);
+					action = ACTION_NONE;
+					break;
+				}
+				default:
+				{	/* initiate/queue all other CHILD_SAs */
+					action = ACTION_RESTART;
+					break;
+				}
+			}
+		}
+		else
+		{	/* only restart CHILD_SAs that are configured accordingly */
+			if (this->state == IKE_DELETING)
+			{
+				action = child_sa->get_close_action(child_sa);
+			}
+			else
+			{
+				action = child_sa->get_dpd_action(child_sa);
+			}
+		}
+		switch (action)
+		{
+			case ACTION_RESTART:
+				child_cfg = child_sa->get_config(child_sa);
+				DBG1(DBG_IKE, "restarting CHILD_SA %s",
+					 child_cfg->get_name(child_cfg));
+				child_cfg->get_ref(child_cfg);
+				status = new->initiate(new, child_cfg,
+								child_sa->get_reqid(child_sa), NULL, NULL);
+				break;
+			default:
+				continue;
+		}
+		if (status == DESTROY_ME)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	/* adopt any active or queued CHILD-creating tasks */
+	if (status != DESTROY_ME)
+	{
+		task_manager_t *other_tasks = ((private_ike_sa_t*)new)->task_manager;
+		other_tasks->adopt_child_tasks(other_tasks, this->task_manager);
+		if (new->get_state(new) == IKE_CREATED)
+		{
+			status = new->initiate(new, NULL, 0, NULL, NULL);
+		}
+	}
+	return status;
+}
+
 METHOD(ike_sa_t, reestablish, status_t,
 	private_ike_sa_t *this)
 {
@@ -1743,7 +1976,6 @@ METHOD(ike_sa_t, reestablish, status_t,
 	action_t action;
 	enumerator_t *enumerator;
 	child_sa_t *child_sa;
-	child_cfg_t *child_cfg;
 	bool restart = FALSE;
 	status_t status = FAILED;
 
@@ -1836,8 +2068,11 @@ METHOD(ike_sa_t, reestablish, status_t,
 	host = this->my_host;
 	new->set_my_host(new, host->clone(host));
 	charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
-	/* resolve hosts but use the old addresses above as fallback */
-	resolve_hosts((private_ike_sa_t*)new);
+	if (!has_condition(this, COND_REAUTHENTICATING))
+	{	/* reauthenticate to the same addresses, but resolve hosts if
+		 * reestablishing (old addresses serve as fallback) */
+		resolve_hosts((private_ike_sa_t*)new);
+	}
 	/* if we already have a virtual IP, we reuse it */
 	enumerator = array_create_enumerator(this->my_vips);
 	while (enumerator->enumerate(enumerator, &host))
@@ -1854,68 +2089,8 @@ METHOD(ike_sa_t, reestablish, status_t,
 	else
 #endif /* ME */
 	{
-		/* handle existing CHILD_SAs */
-		enumerator = create_child_sa_enumerator(this);
-		while (enumerator->enumerate(enumerator, (void**)&child_sa))
-		{
-			if (has_condition(this, COND_REAUTHENTICATING))
-			{
-				switch (child_sa->get_state(child_sa))
-				{
-					case CHILD_ROUTED:
-					{	/* move routed child directly */
-						remove_child_sa(this, enumerator);
-						new->add_child_sa(new, child_sa);
-						action = ACTION_NONE;
-						break;
-					}
-					default:
-					{	/* initiate/queue all other CHILD_SAs */
-						action = ACTION_RESTART;
-						break;
-					}
-				}
-			}
-			else
-			{	/* only restart CHILD_SAs that are configured accordingly */
-				if (this->state == IKE_DELETING)
-				{
-					action = child_sa->get_close_action(child_sa);
-				}
-				else
-				{
-					action = child_sa->get_dpd_action(child_sa);
-				}
-			}
-			switch (action)
-			{
-				case ACTION_RESTART:
-					child_cfg = child_sa->get_config(child_sa);
-					DBG1(DBG_IKE, "restarting CHILD_SA %s",
-						 child_cfg->get_name(child_cfg));
-					child_cfg->get_ref(child_cfg);
-					status = new->initiate(new, child_cfg,
-									child_sa->get_reqid(child_sa), NULL, NULL);
-					break;
-				default:
-					continue;
-			}
-			if (status == DESTROY_ME)
-			{
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-		/* adopt any active or queued CHILD-creating tasks */
-		if (status != DESTROY_ME)
-		{
-			task_manager_t *other_tasks = ((private_ike_sa_t*)new)->task_manager;
-			other_tasks->adopt_child_tasks(other_tasks, this->task_manager);
-			if (new->get_state(new) == IKE_CREATED)
-			{
-				status = new->initiate(new, NULL, 0, NULL, NULL);
-			}
-		}
+		status = reestablish_children(this, new,
+									has_condition(this, COND_REAUTHENTICATING));
 	}
 
 	if (status == DESTROY_ME)
@@ -1936,6 +2111,195 @@ METHOD(ike_sa_t, reestablish, status_t,
 	return status;
 }
 
+/**
+ * Resolve the given gateway ID
+ */
+static host_t *resolve_gateway_id(identification_t *gateway)
+{
+	char gw[BUF_LEN];
+	host_t *addr;
+
+	snprintf(gw, sizeof(gw), "%Y", gateway);
+	gw[sizeof(gw)-1] = '\0';
+	addr = host_create_from_dns(gw, AF_UNSPEC, IKEV2_UDP_PORT);
+	if (!addr)
+	{
+		DBG1(DBG_IKE, "unable to resolve gateway ID '%Y', redirect failed",
+			 gateway);
+	}
+	return addr;
+}
+
+/**
+ * Redirect the current SA to the given target host
+ */
+static bool redirect_established(private_ike_sa_t *this, identification_t *to)
+{
+	private_ike_sa_t *new_priv;
+	ike_sa_t *new;
+	host_t *other;
+	time_t redirect;
+
+	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+											   this->version, TRUE);
+	if (!new)
+	{
+		return FALSE;
+	}
+	new_priv = (private_ike_sa_t*)new;
+	new->set_peer_cfg(new, this->peer_cfg);
+	new_priv->redirected_from = this->other_host->clone(this->other_host);
+	charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
+	other = resolve_gateway_id(to);
+	if (other)
+	{
+		set_my_host(new_priv, this->my_host->clone(this->my_host));
+		/* this allows us to force the remote address while we still properly
+		 * resolve the local address */
+		new_priv->remote_host = other;
+		resolve_hosts(new_priv);
+		new_priv->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
+		while (array_remove(this->redirected_at, ARRAY_HEAD, &redirect))
+		{
+			array_insert(new_priv->redirected_at, ARRAY_TAIL, &redirect);
+		}
+		if (reestablish_children(this, new, TRUE) != DESTROY_ME)
+		{
+#ifdef USE_IKEV2
+			new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
+															 this->ike_sa_id));
+#endif
+			charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
+											  TRUE);
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
+			charon->bus->set_sa(charon->bus, &this->public);
+			return TRUE;
+		}
+	}
+	charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
+									  FALSE);
+	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
+	charon->bus->set_sa(charon->bus, &this->public);
+	return FALSE;
+}
+
+/**
+ * Redirect the current connecting SA to the given target host
+ */
+static bool redirect_connecting(private_ike_sa_t *this, identification_t *to)
+{
+	host_t *other;
+
+	other = resolve_gateway_id(to);
+	if (!other)
+	{
+		return FALSE;
+	}
+	reset(this);
+	DESTROY_IF(this->redirected_from);
+	this->redirected_from = this->other_host->clone(this->other_host);
+	DESTROY_IF(this->remote_host);
+	/* this allows us to force the remote address while we still properly
+	 * resolve the local address */
+	this->remote_host = other;
+	resolve_hosts(this);
+	return TRUE;
+}
+
+/**
+ * Check if the current redirect exceeds the limits for redirects
+ */
+static bool redirect_count_exceeded(private_ike_sa_t *this)
+{
+	time_t now, redirect;
+
+	now = time_monotonic(NULL);
+	/* remove entries outside the defined period */
+	while (array_get(this->redirected_at, ARRAY_HEAD, &redirect) &&
+		   now - redirect >= REDIRECT_LOOP_DETECT_PERIOD)
+	{
+		array_remove(this->redirected_at, ARRAY_HEAD, NULL);
+	}
+	if (array_count(this->redirected_at) < MAX_REDIRECTS)
+	{
+		if (!this->redirected_at)
+		{
+			this->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
+		}
+		array_insert(this->redirected_at, ARRAY_TAIL, &now);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(ike_sa_t, handle_redirect, bool,
+	private_ike_sa_t *this, identification_t *gateway)
+{
+	DBG1(DBG_IKE, "redirected to %Y", gateway);
+	if (!this->follow_redirects)
+	{
+		DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
+		return FALSE;
+	}
+	if (redirect_count_exceeded(this))
+	{
+		DBG1(DBG_IKE, "only %d redirects are allowed within %d seconds",
+			 MAX_REDIRECTS, REDIRECT_LOOP_DETECT_PERIOD);
+		return FALSE;
+	}
+
+	switch (this->state)
+	{
+		case IKE_CONNECTING:
+			return redirect_connecting(this, gateway);
+		case IKE_ESTABLISHED:
+			return redirect_established(this, gateway);
+		default:
+			DBG1(DBG_IKE, "unable to handle redirect for IKE_SA in state %N",
+				 ike_sa_state_names, this->state);
+			return FALSE;
+	}
+}
+
+METHOD(ike_sa_t, redirect, status_t,
+	private_ike_sa_t *this, identification_t *gateway)
+{
+	switch (this->state)
+	{
+		case IKE_CONNECTING:
+		case IKE_ESTABLISHED:
+		case IKE_REKEYING:
+			if (has_condition(this, COND_REDIRECTED))
+			{	/* IKE_SA already got redirected */
+				return SUCCESS;
+			}
+			if (has_condition(this, COND_ORIGINAL_INITIATOR))
+			{
+				DBG1(DBG_IKE, "unable to redirect IKE_SA as initiator");
+				return FAILED;
+			}
+			if (this->version == IKEV1)
+			{
+				DBG1(DBG_IKE, "unable to redirect IKEv1 SA");
+				return FAILED;
+			}
+			if (!supports_extension(this, EXT_IKE_REDIRECTION))
+			{
+				DBG1(DBG_IKE, "client does not support IKE redirection");
+				return FAILED;
+			}
+#ifdef USE_IKEV2
+			this->task_manager->queue_task(this->task_manager,
+						(task_t*)ike_redirect_create(&this->public, gateway));
+#endif
+			return this->task_manager->initiate(this->task_manager);
+		default:
+			DBG1(DBG_IKE, "unable to redirect IKE_SA in state %N",
+				 ike_sa_state_names, this->state);
+			return INVALID_STATE;
+	}
+}
+
 METHOD(ike_sa_t, retransmit, status_t,
 	private_ike_sa_t *this, u_int32_t message_id)
 {
@@ -2067,8 +2431,8 @@ static bool is_current_path_valid(private_ike_sa_t *this)
 {
 	bool valid = FALSE;
 	host_t *src;
-	src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
-											this->other_host, this->my_host);
+	src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
+										  this->my_host);
 	if (src)
 	{
 		if (src->ip_equals(src, this->my_host))
@@ -2112,8 +2476,7 @@ static bool is_any_path_valid(private_ike_sa_t *this)
 			continue;
 		}
 		DBG1(DBG_IKE, "looking for a route to %H ...", addr);
-		src = hydra->kernel_interface->get_source_addr(
-										hydra->kernel_interface, addr, NULL);
+		src = charon->kernel->get_source_addr(charon->kernel, addr, NULL);
 		if (src)
 		{
 			break;
@@ -2323,7 +2686,7 @@ METHOD(ike_sa_t, inherit_post, void,
 	this->conditions = other->conditions;
 	if (this->conditions & COND_NAT_HERE)
 	{
-		send_keepalive(this);
+		send_keepalive(this, FALSE);
 	}
 
 #ifdef ME
@@ -2401,7 +2764,7 @@ METHOD(ike_sa_t, destroy, void,
 	}
 	while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
 	{
-		hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
+		charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
 		vip->destroy(vip);
 	}
 	if (array_count(this->other_vips))
@@ -2450,6 +2813,8 @@ METHOD(ike_sa_t, destroy, void,
 	DESTROY_IF(this->other_id);
 	DESTROY_IF(this->local_host);
 	DESTROY_IF(this->remote_host);
+	DESTROY_IF(this->redirected_from);
+	array_destroy(this->redirected_at);
 
 	DESTROY_IF(this->ike_cfg);
 	DESTROY_IF(this->peer_cfg);
@@ -2498,6 +2863,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 			.set_peer_cfg = _set_peer_cfg,
 			.get_auth_cfg = _get_auth_cfg,
 			.create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
+			.verify_peer_certificate = _verify_peer_certificate,
 			.add_auth_cfg = _add_auth_cfg,
 			.get_proposal = _get_proposal,
 			.set_proposal = _set_proposal,
@@ -2529,6 +2895,9 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 			.destroy = _destroy,
 			.send_dpd = _send_dpd,
 			.send_keepalive = _send_keepalive,
+			.redirect = _redirect,
+			.handle_redirect = _handle_redirect,
+			.get_redirected_from = _get_redirected_from,
 			.get_keymat = _get_keymat,
 			.add_child_sa = _add_child_sa,
 			.get_child_sa = _get_child_sa,
@@ -2594,6 +2963,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 								"%s.flush_auth_cfg", FALSE, lib->ns),
 		.fragment_size = lib->settings->get_int(lib->settings,
 								"%s.fragment_size", 0, lib->ns),
+		.follow_redirects = lib->settings->get_bool(lib->settings,
+								"%s.follow_redirects", TRUE, lib->ns),
 	);
 
 	if (version == IKEV2)
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 9dbc805c9..836360e3c 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2014 Tobias Brunner
+ * Copyright (C) 2006-2015 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -66,6 +66,16 @@ typedef struct ike_sa_t ike_sa_t;
 #define RETRY_JITTER 20
 
 /**
+ * Number of redirects allowed within REDIRECT_LOOP_DETECT_PERIOD.
+ */
+#define MAX_REDIRECTS 5
+
+/**
+ * Time period in seconds in which at most MAX_REDIRECTS are allowed.
+ */
+#define REDIRECT_LOOP_DETECT_PERIOD 300
+
+/**
  * Extensions (or optional features) the peer supports
  */
 enum ike_extension_t {
@@ -136,6 +146,11 @@ enum ike_extension_t {
 	 * Signature Authentication, RFC 7427
 	 */
 	EXT_SIGNATURE_AUTH = (1<<12),
+
+	/**
+	 * IKEv2 Redirect Mechanism, RFC 5685
+	 */
+	EXT_IKE_REDIRECTION = (1<<13),
 };
 
 /**
@@ -197,6 +212,16 @@ enum ike_condition_t {
 	 * This IKE_SA is currently being reauthenticated
 	 */
 	COND_REAUTHENTICATING = (1<<10),
+
+	/**
+	 * This IKE_SA has been redirected
+	 */
+	COND_REDIRECTED = (1<<11),
+
+	/**
+	 * Online certificate revocation checking is suspended for this IKE_SA
+	 */
+	COND_ONLINE_VALIDATION_SUSPENDED = (1<<12),
 };
 
 /**
@@ -502,6 +527,14 @@ struct ike_sa_t {
 	enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
 
 	/**
+	 * Verify the trustchains (validity, revocation) in completed public key
+	 * auth rounds.
+	 *
+	 * @return				TRUE if certificates were valid, FALSE otherwise
+	 */
+	bool (*verify_peer_certificate)(ike_sa_t *this);
+
+	/**
 	 * Get the selected proposal of this IKE_SA.
 	 *
 	 * @return				selected proposal
@@ -837,8 +870,36 @@ struct ike_sa_t {
 	 *
 	 * To refresh NAT tables in a NAT router between the peers, periodic empty
 	 * UDP packets are sent if no other traffic was sent.
+	 *
+	 * @param scheduled		if this is a scheduled keepalive
+	 */
+	void (*send_keepalive) (ike_sa_t *this, bool scheduled);
+
+	/**
+	 * Redirect an active IKE_SA.
+	 *
+	 * @param gateway		gateway ID (IP or FQDN) of the target
+	 * @return				state, including DESTROY_ME, if this IKE_SA MUST be
+	 * 						destroyed
+	 */
+	status_t (*redirect)(ike_sa_t *this, identification_t *gateway);
+
+	/**
+	 * Handle a redirect request.
+	 *
+	 * The behavior is different depending on the state of the IKE_SA.
+	 *
+	 * @param gateway		gateway ID (IP or FQDN) of the target
+	 * @return				FALSE if redirect not possible, TRUE otherwise
+	 */
+	bool (*handle_redirect)(ike_sa_t *this, identification_t *gateway);
+
+	/**
+	 * Get the address of the gateway that redirected us.
+	 *
+	 * @return				original gateway address
 	 */
-	void (*send_keepalive) (ike_sa_t *this);
+	host_t *(*get_redirected_from)(ike_sa_t *this);
 
 	/**
 	 * Get the keying material of this IKE_SA.
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 4625df5b8..307ea3b4a 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2005-2011 Martin Willi
  * Copyright (C) 2011 revosec AG
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -17,12 +17,14 @@
  */
 
 #include <string.h>
+#include <inttypes.h>
 
 #include "ike_sa_manager.h"
 
 #include <daemon.h>
 #include <sa/ike_sa_id.h>
 #include <bus/bus.h>
+#include <threading/thread.h>
 #include <threading/condvar.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
@@ -57,9 +59,9 @@ struct entry_t {
 	condvar_t *condvar;
 
 	/**
-	 * Is this ike_sa currently checked out?
+	 * Thread by which this IKE_SA is currently checked out, if any
 	 */
-	bool checked_out;
+	thread_t *checked_out;
 
 	/**
 	 * Does this SA drives out new threads?
@@ -1142,13 +1144,16 @@ METHOD(ike_sa_manager_t, checkout, ike_sa_t*,
 	entry_t *entry;
 	u_int segment;
 
-	DBG2(DBG_MGR, "checkout IKE_SA");
+	DBG2(DBG_MGR, "checkout %N SA with SPIs %.16"PRIx64"_i %.16"PRIx64"_r",
+		 ike_version_names, ike_sa_id->get_ike_version(ike_sa_id),
+		 be64toh(ike_sa_id->get_initiator_spi(ike_sa_id)),
+		 be64toh(ike_sa_id->get_responder_spi(ike_sa_id)));
 
 	if (get_entry_by_id(this, ike_sa_id, &entry, &segment) == SUCCESS)
 	{
 		if (wait_for_entry(this, entry, segment))
 		{
-			entry->checked_out = TRUE;
+			entry->checked_out = thread_current();
 			ike_sa = entry->ike_sa;
 			DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
 					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
@@ -1156,6 +1161,11 @@ METHOD(ike_sa_manager_t, checkout, ike_sa_t*,
 		unlock_single_segment(this, segment);
 	}
 	charon->bus->set_sa(charon->bus, ike_sa);
+
+	if (!ike_sa)
+	{
+		DBG2(DBG_MGR, "IKE_SA checkout not successful");
+	}
 	return ike_sa;
 }
 
@@ -1228,7 +1238,10 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 	id = id->clone(id);
 	id->switch_initiator(id);
 
-	DBG2(DBG_MGR, "checkout IKE_SA by message");
+	DBG2(DBG_MGR, "checkout %N SA by message with SPIs %.16"PRIx64"_i "
+		 "%.16"PRIx64"_r", ike_version_names, id->get_ike_version(id),
+		 be64toh(id->get_initiator_spi(id)),
+		 be64toh(id->get_responder_spi(id)));
 
 	if (id->get_responder_spi(id) == 0 &&
 		message->get_message_id(message) == 0)
@@ -1269,7 +1282,7 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 			DBG1(DBG_MGR, "ignoring message, failed to hash message");
 			DESTROY_IF(hasher);
 			id->destroy(id);
-			return NULL;
+			goto out;
 		}
 		hasher->destroy(hasher);
 
@@ -1288,20 +1301,17 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 						entry = entry_create();
 						entry->ike_sa = ike_sa;
 						entry->ike_sa_id = id;
+						entry->processing = get_message_id_or_hash(message);
+						entry->init_hash = hash;
 
 						segment = put_entry(this, entry);
-						entry->checked_out = TRUE;
+						entry->checked_out = thread_current();
 						unlock_single_segment(this, segment);
 
-						entry->processing = get_message_id_or_hash(message);
-						entry->init_hash = hash;
-
 						DBG2(DBG_MGR, "created IKE_SA %s[%u]",
 							 ike_sa->get_name(ike_sa),
 							 ike_sa->get_unique_id(ike_sa));
-
-						charon->bus->set_sa(charon->bus, ike_sa);
-						return ike_sa;
+						goto out;
 					}
 					else
 					{
@@ -1317,14 +1327,14 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 				remove_init_hash(this, hash);
 				chunk_free(&hash);
 				id->destroy(id);
-				return NULL;
+				goto out;
 			}
 			case FAILED:
 			{	/* we failed to allocate an SPI */
 				chunk_free(&hash);
 				id->destroy(id);
 				DBG1(DBG_MGR, "ignoring message, failed to allocate SPI");
-				return NULL;
+				goto out;
 			}
 			case ALREADY_DONE:
 			default:
@@ -1348,7 +1358,7 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 			ike_sa_id_t *ike_id;
 
 			ike_id = entry->ike_sa->get_id(entry->ike_sa);
-			entry->checked_out = TRUE;
+			entry->checked_out = thread_current();
 			if (message->get_first_payload_type(message) != PLV1_FRAGMENT &&
 				message->get_first_payload_type(message) != PLV2_FRAGMENT)
 			{	/* TODO-FRAG: this fails if there are unencrypted payloads */
@@ -1369,7 +1379,13 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 		charon->bus->alert(charon->bus, ALERT_INVALID_IKE_SPI, message);
 	}
 	id->destroy(id);
+
+out:
 	charon->bus->set_sa(charon->bus, ike_sa);
+	if (!ike_sa)
+	{
+		DBG2(DBG_MGR, "IKE_SA checkout not successful");
+	}
 	return ike_sa;
 }
 
@@ -1385,11 +1401,11 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 
 	DBG2(DBG_MGR, "checkout IKE_SA by config");
 
-	if (!this->reuse_ikesa)
-	{	/* IKE_SA reuse disable by config */
+	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
+	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
 		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
 		charon->bus->set_sa(charon->bus, ike_sa);
-		return ike_sa;
+		goto out;
 	}
 
 	enumerator = create_table_enumerator(this);
@@ -1411,7 +1427,7 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 			current_ike = current_peer->get_ike_cfg(current_peer);
 			if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
 			{
-				entry->checked_out = TRUE;
+				entry->checked_out = thread_current();
 				ike_sa = entry->ike_sa;
 				DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
 						ike_sa->get_unique_id(ike_sa),
@@ -1429,6 +1445,12 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
 	}
 	charon->bus->set_sa(charon->bus, ike_sa);
+
+out:
+	if (!ike_sa)
+	{
+		DBG2(DBG_MGR, "IKE_SA checkout not successful");
+	}
 	return ike_sa;
 }
 
@@ -1440,7 +1462,7 @@ METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*,
 	ike_sa_t *ike_sa = NULL;
 	u_int segment;
 
-	DBG2(DBG_MGR, "checkout IKE_SA by ID %u", id);
+	DBG2(DBG_MGR, "checkout IKE_SA by unique ID %u", id);
 
 	enumerator = create_table_enumerator(this);
 	while (enumerator->enumerate(enumerator, &entry, &segment))
@@ -1450,7 +1472,7 @@ METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*,
 			if (entry->ike_sa->get_unique_id(entry->ike_sa) == id)
 			{
 				ike_sa = entry->ike_sa;
-				entry->checked_out = TRUE;
+				entry->checked_out = thread_current();
 				break;
 			}
 			/* other threads might be waiting for this entry */
@@ -1464,6 +1486,10 @@ METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*,
 		DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
 			 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
 	}
+	else
+	{
+		DBG2(DBG_MGR, "IKE_SA checkout not successful");
+	}
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
 }
@@ -1477,6 +1503,8 @@ METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*,
 	child_sa_t *child_sa;
 	u_int segment;
 
+	DBG2(DBG_MGR, "checkout IKE_SA by%s name '%s'", child ? " child" : "", name);
+
 	enumerator = create_table_enumerator(this);
 	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
@@ -1506,7 +1534,7 @@ METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*,
 			/* got one, return */
 			if (ike_sa)
 			{
-				entry->checked_out = TRUE;
+				entry->checked_out = thread_current();
 				DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
 						ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
 				break;
@@ -1518,6 +1546,11 @@ METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*,
 	enumerator->destroy(enumerator);
 
 	charon->bus->set_sa(charon->bus, ike_sa);
+
+	if (!ike_sa)
+	{
+		DBG2(DBG_MGR, "IKE_SA checkout not successful");
+	}
 	return ike_sa;
 }
 
@@ -1598,7 +1631,7 @@ METHOD(ike_sa_manager_t, checkin, void,
 		/* ike_sa_id must be updated */
 		entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
 		/* signal waiting threads */
-		entry->checked_out = FALSE;
+		entry->checked_out = NULL;
 		entry->processing = -1;
 		/* check if this SA is half-open */
 		if (entry->half_open && ike_sa->get_state(ike_sa) != IKE_CONNECTING)
@@ -1623,7 +1656,6 @@ METHOD(ike_sa_manager_t, checkin, void,
 			entry->other = other->clone(other);
 			put_half_open(this, entry);
 		}
-		DBG2(DBG_MGR, "check-in of IKE_SA successful.");
 		entry->condvar->signal(entry->condvar);
 	}
 	else
@@ -1639,6 +1671,7 @@ METHOD(ike_sa_manager_t, checkin, void,
 		}
 		segment = put_entry(this, entry);
 	}
+	DBG2(DBG_MGR, "checkin of IKE_SA successful");
 
 	/* apply identities for duplicate test */
 	if ((ike_sa->get_state(ike_sa) == IKE_ESTABLISHED ||
@@ -1657,7 +1690,7 @@ METHOD(ike_sa_manager_t, checkin, void,
 				 * thread can acquire it.  Since it is not yet in the list of
 				 * connected peers that will not cause a deadlock as no other
 				 * caller of check_unqiueness() will try to check out this SA */
-				entry->checked_out = TRUE;
+				entry->checked_out = thread_current();
 				unlock_single_segment(this, segment);
 
 				this->public.check_uniqueness(&this->public, ike_sa, TRUE);
@@ -1668,7 +1701,7 @@ METHOD(ike_sa_manager_t, checkin, void,
 				 * thread is waiting, but it should still exist, so there is no
 				 * need for a lookup via get_entry_by... */
 				lock_single_segment(this, segment);
-				entry->checked_out = FALSE;
+				entry->checked_out = NULL;
 				/* We already signaled waiting threads above, we have to do that
 				 * again after checking the SA out and back in again. */
 				entry->condvar->signal(entry->condvar);
@@ -1711,8 +1744,8 @@ METHOD(ike_sa_manager_t, checkin_and_destroy, void,
 		if (entry->driveout_waiting_threads && entry->driveout_new_threads)
 		{	/* it looks like flush() has been called and the SA is being deleted
 			 * anyway, just check it in */
-			DBG2(DBG_MGR, "ignored check-in and destroy of IKE_SA during shutdown");
-			entry->checked_out = FALSE;
+			DBG2(DBG_MGR, "ignored checkin and destroy of IKE_SA during shutdown");
+			entry->checked_out = NULL;
 			entry->condvar->broadcast(entry->condvar);
 			unlock_single_segment(this, segment);
 			return;
@@ -1748,11 +1781,11 @@ METHOD(ike_sa_manager_t, checkin_and_destroy, void,
 
 		entry_destroy(entry);
 
-		DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful");
+		DBG2(DBG_MGR, "checkin and destroy of IKE_SA successful");
 	}
 	else
 	{
-		DBG1(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
+		DBG1(DBG_MGR, "tried to checkin and delete nonexisting IKE_SA");
 		ike_sa->destroy(ike_sa);
 	}
 	charon->bus->set_sa(charon->bus, NULL);
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
index 52228ef2e..eee7dd10b 100644
--- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
@@ -173,13 +173,13 @@ METHOD(authenticator_t, process, status_t,
 	sig = sig_payload->get_hash(sig_payload);
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, this->type,
-														id, auth);
+														id, auth, TRUE);
 	while (enumerator->enumerate(enumerator, &public, &current_auth))
 	{
 		if (public->verify(public, scheme, hash, sig))
 		{
 			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
-				 id, key_type_names, this->type);
+				 id, signature_scheme_names, scheme);
 			status = SUCCESS;
 			auth->merge(auth, current_auth, FALSE);
 			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index b7047e8fc..c968b2a9c 100644
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -404,7 +404,7 @@ static auth_method_t get_pubkey_method(private_phase1_t *this, auth_cfg_t *auth)
 		id = (identification_t*)auth->get(auth, AUTH_RULE_IDENTITY);
 		if (id)
 		{
-			private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
+			private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, NULL);
 			if (private)
 			{
 				switch (private->get_type(private))
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
index b8af6f67b..cb1a31371 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
@@ -41,7 +41,6 @@
 
 #include <string.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <sa/ikev1/keymat_v1.h>
 #include <config/peer_cfg.h>
@@ -104,7 +103,7 @@ static bool force_encap(ike_cfg_t *ike_cfg)
 {
 	if (!ike_cfg->force_encap(ike_cfg))
 	{
-		return hydra->kernel_interface->get_features(hydra->kernel_interface) &
+		return charon->kernel->get_features(charon->kernel) &
 					KERNEL_REQUIRE_UDP_ENCAPSULATION;
 	}
 	return TRUE;
diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c
index a03477e18..b9f924009 100644
--- a/src/libcharon/sa/ikev1/tasks/mode_config.c
+++ b/src/libcharon/sa/ikev1/tasks/mode_config.c
@@ -76,35 +76,20 @@ typedef struct {
  */
 static configuration_attribute_t *build_vip(host_t *vip)
 {
-	configuration_attribute_type_t type;
-	chunk_t chunk, prefix;
+	configuration_attribute_type_t type = INTERNAL_IP4_ADDRESS;
+	chunk_t chunk;
 
-	if (vip->get_family(vip) == AF_INET)
+	if (vip->get_family(vip) == AF_INET6)
 	{
-		type = INTERNAL_IP4_ADDRESS;
-		if (vip->is_anyaddr(vip))
-		{
-			chunk = chunk_empty;
-		}
-		else
-		{
-			chunk = vip->get_address(vip);
-		}
+		type = INTERNAL_IP6_ADDRESS;
+	}
+	if (vip->is_anyaddr(vip))
+	{
+		chunk = chunk_empty;
 	}
 	else
 	{
-		type = INTERNAL_IP6_ADDRESS;
-		if (vip->is_anyaddr(vip))
-		{
-			chunk = chunk_empty;
-		}
-		else
-		{
-			prefix = chunk_alloca(1);
-			*prefix.ptr = 64;
-			chunk = vip->get_address(vip);
-			chunk = chunk_cata("cc", chunk, prefix);
-		}
+		chunk = vip->get_address(vip);
 	}
 	return configuration_attribute_create_chunk(PLV1_CONFIGURATION_ATTRIBUTE,
 												type, chunk);
@@ -165,8 +150,8 @@ static void process_attribute(private_mode_config_t *this,
 			}
 			else
 			{
-				/* skip prefix byte in IPv6 payload*/
-				if (family == AF_INET6)
+				/* skip prefix byte in IPv6 payload sent by older releases */
+				if (family == AF_INET6 && addr.len == 17)
 				{
 					addr.len--;
 				}
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index e7d26443b..b4fe04663 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -171,6 +171,11 @@ struct private_quick_mode_t {
 	u_int32_t rekey;
 
 	/**
+	 * Delete old child after successful rekey
+	 */
+	bool delete;
+
+	/**
 	 * Negotiated mode, tunnel or transport
 	 */
 	ipsec_mode_t mode;
@@ -406,8 +411,17 @@ static bool install(private_quick_mode_t *this)
 	if (old)
 	{
 		charon->bus->child_rekey(charon->bus, old, this->child_sa);
-		/* rekeyed CHILD_SAs stay installed until they expire */
+		/* rekeyed CHILD_SAs stay installed until they expire or are deleted
+		 * by the other peer */
 		old->set_state(old, CHILD_REKEYED);
+		/* as initiator we delete the CHILD_SA if configured to do so */
+		if (this->initiator && this->delete)
+		{
+			this->ike_sa->queue_task(this->ike_sa,
+				(task_t*)quick_delete_create(this->ike_sa,
+								this->proposal->get_protocol(this->proposal),
+								this->rekey, TRUE, FALSE));
+		}
 	}
 	else
 	{
@@ -1450,6 +1464,8 @@ quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config,
 		.tsi = tsi ? tsi->clone(tsi) : NULL,
 		.tsr = tsr ? tsr->clone(tsr) : NULL,
 		.proto = PROTO_ESP,
+		.delete = lib->settings->get_bool(lib->settings,
+										  "%s.delete_rekeyed", FALSE, lib->ns),
 	);
 
 	if (config)
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index c0c91574c..ecdfc780d 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -16,7 +16,6 @@
 #include "xauth.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <encoding/payloads/cp_payload.h>
 #include <processing/jobs/adopt_children_job.h>
 #include <sa/ikev1/tasks/mode_config.h>
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 2284a484d..04ccd4f4f 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -55,11 +55,6 @@ struct private_pubkey_authenticator_t {
 	 * Reserved bytes of ID payload
 	 */
 	char reserved[3];
-
-	/**
-	 * Whether to store signature schemes on remote auth configs.
-	 */
-	bool store_signature_scheme;
 };
 
 /**
@@ -130,7 +125,7 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 	enumerator = auth->create_enumerator(auth);
 	while (enumerator->enumerate(enumerator, &rule, &config))
 	{
-		if (rule != AUTH_RULE_SIGNATURE_SCHEME)
+		if (rule != AUTH_RULE_IKE_SIGNATURE_SCHEME)
 		{
 			continue;
 		}
@@ -369,6 +364,8 @@ METHOD(authenticator_t, process, status_t,
 	signature_scheme_t scheme;
 	status_t status = NOT_FOUND;
 	keymat_v2_t *keymat;
+	const char *reason = "unsupported";
+	bool online;
 
 	auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
 	if (!auth_payload)
@@ -397,8 +394,11 @@ METHOD(authenticator_t, process, status_t,
 			{
 				break;
 			}
+			reason = "payload invalid";
 			/* fall-through */
 		default:
+			DBG1(DBG_IKE, "%N authentication %s", auth_method_names,
+				 auth_method, reason);
 			return INVALID_ARG;
 	}
 	id = this->ike_sa->get_other_id(this->ike_sa);
@@ -409,8 +409,10 @@ METHOD(authenticator_t, process, status_t,
 		return FAILED;
 	}
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+	online = !this->ike_sa->has_condition(this->ike_sa,
+										  COND_ONLINE_VALIDATION_SUSPENDED);
 	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-														key_type, id, auth);
+													key_type, id, auth, online);
 	while (enumerator->enumerate(enumerator, &public, &current_auth))
 	{
 		if (public->verify(public, scheme, octets, auth_data))
@@ -421,9 +423,10 @@ METHOD(authenticator_t, process, status_t,
 			status = SUCCESS;
 			auth->merge(auth, current_auth, FALSE);
 			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-			if (this->store_signature_scheme)
+			auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+			if (!online)
 			{
-				auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+				auth->add(auth, AUTH_RULE_CERT_VALIDATION_SUSPENDED, TRUE);
 			}
 			break;
 		}
@@ -497,8 +500,6 @@ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
 		.ike_sa = ike_sa,
 		.ike_sa_init = received_init,
 		.nonce = sent_nonce,
-		.store_signature_scheme = lib->settings->get_bool(lib->settings,
-					"%s.signature_authentication_constraints", TRUE, lib->ns),
 	);
 	memcpy(this->reserved, reserved, sizeof(this->reserved));
 
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 4676867df..c2f972ab1 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2014 Tobias Brunner
+ * Copyright (C) 2007-2015 Tobias Brunner
  * Copyright (C) 2007-2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -30,10 +30,12 @@
 #include <sa/ikev2/tasks/ike_rekey.h>
 #include <sa/ikev2/tasks/ike_reauth.h>
 #include <sa/ikev2/tasks/ike_reauth_complete.h>
+#include <sa/ikev2/tasks/ike_redirect.h>
 #include <sa/ikev2/tasks/ike_delete.h>
 #include <sa/ikev2/tasks/ike_config.h>
 #include <sa/ikev2/tasks/ike_dpd.h>
 #include <sa/ikev2/tasks/ike_vendor.h>
+#include <sa/ikev2/tasks/ike_verify_peer_cert.h>
 #include <sa/ikev2/tasks/child_create.h>
 #include <sa/ikev2/tasks/child_rekey.h>
 #include <sa/ikev2/tasks/child_delete.h>
@@ -474,6 +476,11 @@ METHOD(task_manager_t, initiate, status_t,
 					exchange = INFORMATIONAL;
 					break;
 				}
+				if (activate_task(this, TASK_IKE_REDIRECT))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
 				if (activate_task(this, TASK_CHILD_DELETE))
 				{
 					exchange = INFORMATIONAL;
@@ -521,6 +528,11 @@ METHOD(task_manager_t, initiate, status_t,
 					exchange = INFORMATIONAL;
 					break;
 				}
+				if (activate_task(this, TASK_IKE_VERIFY_PEER_CERT))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
 			case IKE_REKEYING:
 				if (activate_task(this, TASK_IKE_DELETE))
 				{
@@ -618,7 +630,7 @@ METHOD(task_manager_t, initiate, status_t,
 	if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED)
 	{
 		message->destroy(message);
-		return SUCCESS;
+		return initiate(this);
 	}
 
 	if (!generate_message(this, message, &this->initiating.packets))
@@ -656,6 +668,32 @@ static status_t process_response(private_task_manager_t *this,
 		return DESTROY_ME;
 	}
 
+	enumerator = array_create_enumerator(this->active_tasks);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (!task->pre_process)
+		{
+			continue;
+		}
+		switch (task->pre_process(task, message))
+		{
+			case SUCCESS:
+				break;
+			case FAILED:
+			default:
+				/* just ignore the message */
+				DBG1(DBG_IKE, "ignore invalid %N response",
+					 exchange_type_names, message->get_exchange_type(message));
+				enumerator->destroy(enumerator);
+				return SUCCESS;
+			case DESTROY_ME:
+				/* critical failure, destroy IKE_SA */
+				enumerator->destroy(enumerator);
+				return DESTROY_ME;
+		}
+	}
+	enumerator->destroy(enumerator);
+
 	/* catch if we get resetted while processing */
 	this->reset = FALSE;
 	enumerator = array_create_enumerator(this->active_tasks);
@@ -992,6 +1030,11 @@ static status_t process_request(private_task_manager_t *this,
 									 * invokes all the required hooks. */
 									task = (task_t*)ike_delete_create(
 														this->ike_sa, FALSE);
+									break;
+								case REDIRECT:
+									task = (task_t*)ike_redirect_create(
+															this->ike_sa, NULL);
+									break;
 								default:
 									break;
 							}
@@ -1041,6 +1084,44 @@ static status_t process_request(private_task_manager_t *this,
 		}
 	}
 
+	enumerator = array_create_enumerator(this->passive_tasks);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (!task->pre_process)
+		{
+			continue;
+		}
+		switch (task->pre_process(task, message))
+		{
+			case SUCCESS:
+				break;
+			case FAILED:
+			default:
+				/* just ignore the message */
+				DBG1(DBG_IKE, "ignore invalid %N request",
+					 exchange_type_names, message->get_exchange_type(message));
+				enumerator->destroy(enumerator);
+				switch (message->get_exchange_type(message))
+				{
+					case IKE_SA_INIT:
+						/* no point in keeping the SA when it was created with
+						 * an invalid IKE_SA_INIT message */
+						return DESTROY_ME;
+					default:
+						/* remove tasks we queued for this request */
+						flush_queue(this, TASK_QUEUE_PASSIVE);
+						/* fall-through */
+					case IKE_AUTH:
+						return NEED_MORE;
+				}
+			case DESTROY_ME:
+				/* critical failure, destroy IKE_SA */
+				enumerator->destroy(enumerator);
+				return DESTROY_ME;
+		}
+	}
+	enumerator->destroy(enumerator);
+
 	/* let the tasks process the message */
 	enumerator = array_create_enumerator(this->passive_tasks);
 	while (enumerator->enumerate(enumerator, (void*)&task))
@@ -1331,12 +1412,17 @@ METHOD(task_manager_t, process_message, status_t,
 			{	/* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
 				return SUCCESS;
 			}
-			if (process_request(this, msg) != SUCCESS)
+			switch (process_request(this, msg))
 			{
-				flush(this);
-				return DESTROY_ME;
+				case SUCCESS:
+					this->responding.mid++;
+					break;
+				case NEED_MORE:
+					break;
+				default:
+					flush(this);
+					return DESTROY_ME;
 			}
-			this->responding.mid++;
 		}
 		else if ((mid == this->responding.mid - 1) &&
 				 array_count(this->responding.packets))
@@ -1570,8 +1656,12 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 	}
 	enumerator->destroy(enumerator);
 
+	/* suspend online revocation checking until the SA is established */
+	new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE);
+
 	if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
 	{
+		new->queue_task(new, (task_t*)ike_verify_peer_cert_create(new));
 		new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
 										this->ike_sa->get_id(this->ike_sa)));
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 97f73d851..3d4ded944 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -18,7 +18,6 @@
 #include "child_create.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <sa/ikev2/keymat_v2.h>
 #include <crypto/diffie_hellman.h>
 #include <credentials/certificates/x509.h>
@@ -786,7 +785,7 @@ static bool build_payloads(private_child_create_t *this, message_t *message)
 			break;
 	}
 
-	features = hydra->kernel_interface->get_features(hydra->kernel_interface);
+	features = charon->kernel->get_features(charon->kernel);
 	if (!(features & KERNEL_ESP_V3_TFC))
 	{
 		message->add_notify(message, FALSE, ESP_TFC_PADDING_NOT_SUPPORTED,
@@ -1221,6 +1220,10 @@ METHOD(task_t, build_r, status_t,
 			{	/* wait until all authentication round completed */
 				return NEED_MORE;
 			}
+			if (this->ike_sa->has_condition(this->ike_sa, COND_REDIRECTED))
+			{	/* no CHILD_SA is created for redirected SAs */
+				return SUCCESS;
+			}
 			ike_auth = TRUE;
 		default:
 			break;
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index c7a8a1342..6f0c2b2c7 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -279,11 +279,15 @@ static child_sa_t *handle_collision(private_child_rekey_t *this)
 			/* don't touch child other created, it has already been deleted */
 			if (!this->other_child_destroyed)
 			{
-				/* disable close action for the redundand child */
+				/* disable close action and updown event for redundant child */
 				child_sa = other->child_create->get_child(other->child_create);
 				if (child_sa)
 				{
 					child_sa->set_close_action(child_sa, ACTION_NONE);
+					if (child_sa->get_state(child_sa) != CHILD_REKEYING)
+					{
+						child_sa->set_state(child_sa, CHILD_REKEYING);
+					}
 				}
 			}
 		}
@@ -372,6 +376,11 @@ METHOD(task_t, process_i, status_t,
 	{
 		return SUCCESS;
 	}
+	/* disable updown event for redundant CHILD_SA */
+	if (to_delete->get_state(to_delete) != CHILD_REKEYING)
+	{
+		to_delete->set_state(to_delete, CHILD_REKEYING);
+	}
 	spi = to_delete->get_spi(to_delete, TRUE);
 	protocol = to_delete->get_protocol(to_delete);
 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 2554496c1..79a436fbf 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -25,6 +25,7 @@
 #include <encoding/payloads/eap_payload.h>
 #include <encoding/payloads/nonce_payload.h>
 #include <sa/ikev2/authenticators/eap_authenticator.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 typedef struct private_ike_auth_t private_ike_auth_t;
 
@@ -117,6 +118,11 @@ struct private_ike_auth_t {
 	 * Is EAP acceptable, did we strictly authenticate peer?
 	 */
 	bool eap_acceptable;
+
+	/**
+	 * Gateway ID if redirected
+	 */
+	identification_t *redirect_to;
 };
 
 /**
@@ -685,6 +691,7 @@ METHOD(task_t, process_r, status_t,
 METHOD(task_t, build_r, status_t,
 	private_ike_auth_t *this, message_t *message)
 {
+	identification_t *gateway;
 	auth_cfg_t *cfg;
 
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
@@ -817,34 +824,56 @@ METHOD(task_t, build_r, status_t,
 	{
 		this->do_another_auth = FALSE;
 	}
-	if (!this->do_another_auth && !this->expect_another_auth)
+	if (this->do_another_auth || this->expect_another_auth)
 	{
-		if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
-													 this->ike_sa, FALSE))
-		{
-			DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
-			charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
-			message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-								chunk_empty);
-			return FAILED;
-		}
-		if (!charon->bus->authorize(charon->bus, TRUE))
-		{
-			DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
-			goto peer_auth_failed;
-		}
-		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
-			 this->ike_sa->get_name(this->ike_sa),
-			 this->ike_sa->get_unique_id(this->ike_sa),
-			 this->ike_sa->get_my_host(this->ike_sa),
-			 this->ike_sa->get_my_id(this->ike_sa),
-			 this->ike_sa->get_other_host(this->ike_sa),
-			 this->ike_sa->get_other_id(this->ike_sa));
-		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
-		return SUCCESS;
+		return NEED_MORE;
 	}
-	return NEED_MORE;
+
+	if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
+												 this->ike_sa, FALSE))
+	{
+		DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
+		charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
+		message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+							chunk_empty);
+		return FAILED;
+	}
+	if (!charon->bus->authorize(charon->bus, TRUE))
+	{
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+		goto peer_auth_failed;
+	}
+	if (this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_REDIRECTION) &&
+		charon->redirect->redirect_on_auth(charon->redirect, this->ike_sa,
+										   &gateway))
+	{
+		delete_ike_sa_job_t *job;
+		chunk_t data;
+
+		DBG1(DBG_IKE, "redirecting peer to %Y", gateway);
+		data = redirect_data_create(gateway, chunk_empty);
+		message->add_notify(message, FALSE, REDIRECT, data);
+		gateway->destroy(gateway);
+		chunk_free(&data);
+		/* we use this condition to prevent the CHILD_SA from getting created */
+		this->ike_sa->set_condition(this->ike_sa, COND_REDIRECTED, TRUE);
+		/* if the peer does not delete the SA we do so after a while */
+		job = delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE);
+		lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
+						lib->settings->get_int(lib->settings,
+							"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
+							lib->ns));
+	}
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
+	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+	charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+	return SUCCESS;
 
 peer_auth_failed:
 	message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
@@ -964,6 +993,15 @@ METHOD(task_t, process_i, status_t,
 				case ME_ENDPOINT:
 					/* handled in ike_me task */
 					break;
+				case REDIRECT:
+					DESTROY_IF(this->redirect_to);
+					this->redirect_to = redirect_data_parse(
+								notify->get_notification_data(notify), NULL);
+					if (!this->redirect_to)
+					{
+						DBG1(DBG_IKE, "received invalid REDIRECT notify");
+					}
+					break;
 				default:
 				{
 					if (type <= 16383)
@@ -1094,30 +1132,35 @@ METHOD(task_t, process_i, status_t,
 	{
 		this->expect_another_auth = FALSE;
 	}
-	if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
+	if (this->expect_another_auth || this->do_another_auth || this->my_auth)
 	{
-		if (!update_cfg_candidates(this, TRUE))
-		{
-			goto peer_auth_failed;
-		}
-		if (!charon->bus->authorize(charon->bus, TRUE))
-		{
-			DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
-					      "cancelling");
-			goto peer_auth_failed;
-		}
-		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
-			 this->ike_sa->get_name(this->ike_sa),
-			 this->ike_sa->get_unique_id(this->ike_sa),
-			 this->ike_sa->get_my_host(this->ike_sa),
-			 this->ike_sa->get_my_id(this->ike_sa),
-			 this->ike_sa->get_other_host(this->ike_sa),
-			 this->ike_sa->get_other_id(this->ike_sa));
-		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
-		return SUCCESS;
+		return NEED_MORE;
 	}
-	return NEED_MORE;
+	if (!update_cfg_candidates(this, TRUE))
+	{
+		goto peer_auth_failed;
+	}
+	if (!charon->bus->authorize(charon->bus, TRUE))
+	{
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
+				      "cancelling");
+		goto peer_auth_failed;
+	}
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
+	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+	charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+	if (this->redirect_to)
+	{
+		this->ike_sa->handle_redirect(this->ike_sa, this->redirect_to);
+	}
+	return SUCCESS;
 
 peer_auth_failed:
 	charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
@@ -1141,6 +1184,7 @@ METHOD(task_t, migrate, void,
 	DESTROY_IF(this->peer_cfg);
 	DESTROY_IF(this->my_auth);
 	DESTROY_IF(this->other_auth);
+	DESTROY_IF(this->redirect_to);
 	this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
 
 	this->my_packet = NULL;
@@ -1149,6 +1193,7 @@ METHOD(task_t, migrate, void,
 	this->peer_cfg = NULL;
 	this->my_auth = NULL;
 	this->other_auth = NULL;
+	this->redirect_to = NULL;
 	this->do_another_auth = TRUE;
 	this->expect_another_auth = TRUE;
 	this->authentication_failed = FALSE;
@@ -1165,6 +1210,7 @@ METHOD(task_t, destroy, void,
 	DESTROY_IF(this->my_auth);
 	DESTROY_IF(this->other_auth);
 	DESTROY_IF(this->peer_cfg);
+	DESTROY_IF(this->redirect_to);
 	this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
 	free(this);
 }
diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c
index 646f20c61..6c42b81a6 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_config.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.c
@@ -333,6 +333,11 @@ METHOD(task_t, build_r, status_t,
 		linked_list_t *vips, *pools;
 		host_t *requested;
 
+		if (this->ike_sa->has_condition(this->ike_sa, COND_REDIRECTED))
+		{	/* don't assign attributes for redirected SAs */
+			return SUCCESS;
+		}
+
 		id = this->ike_sa->get_other_eap_id(this->ike_sa);
 		config = this->ike_sa->get_peer_cfg(this->ike_sa);
 		vips = linked_list_create();
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 1ff643d62..78579be95 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -118,6 +118,11 @@ struct private_ike_init_t {
 	 * Whether to use Signature Authentication as per RFC 7427
 	 */
 	bool signature_authentication;
+
+	/**
+	 * Whether to follow IKEv2 redirects as per RFC 5685
+	 */
+	bool follow_redirects;
 };
 
 /**
@@ -166,7 +171,7 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
 			enumerator = auth->create_enumerator(auth);
 			while (enumerator->enumerate(enumerator, &rule, &config))
 			{
-				if (rule == AUTH_RULE_SIGNATURE_SCHEME)
+				if (rule == AUTH_RULE_IKE_SIGNATURE_SCHEME)
 				{
 					hash = hasher_from_signature_scheme(config);
 					if (hasher_algorithm_for_ikev2(hash))
@@ -324,6 +329,29 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
 			send_supported_hash_algorithms(this, message);
 		}
 	}
+	/* notify other peer if we support redirection */
+	if (!this->old_sa && this->initiator && this->follow_redirects)
+	{
+		identification_t *gateway;
+		host_t *from;
+		chunk_t data;
+
+		from = this->ike_sa->get_redirected_from(this->ike_sa);
+		if (from)
+		{
+			gateway = identification_create_from_sockaddr(
+													from->get_sockaddr(from));
+			data = redirect_data_create(gateway, chunk_empty);
+			message->add_notify(message, FALSE, REDIRECTED_FROM, data);
+			chunk_free(&data);
+			gateway->destroy(gateway);
+		}
+		else
+		{
+			message->add_notify(message, FALSE, REDIRECT_SUPPORTED,
+								chunk_empty);
+		}
+	}
 	return TRUE;
 }
 
@@ -391,6 +419,30 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 							handle_supported_hash_algorithms(this, notify);
 						}
 						break;
+					case REDIRECTED_FROM:
+					{
+						identification_t *gateway;
+						chunk_t data;
+
+						data = notify->get_notification_data(notify);
+						gateway = redirect_data_parse(data, NULL);
+						if (!gateway)
+						{
+							DBG1(DBG_IKE, "received invalid REDIRECTED_FROM "
+								 "notify, ignored");
+							break;
+						}
+						DBG1(DBG_IKE, "client got redirected from %Y", gateway);
+						gateway->destroy(gateway);
+						/* fall-through */
+					}
+					case REDIRECT_SUPPORTED:
+						if (!this->old_sa)
+						{
+							this->ike_sa->enable_extension(this->ike_sa,
+														   EXT_IKE_REDIRECTION);
+						}
+						break;
 					default:
 						/* other notifies are handled elsewhere */
 						break;
@@ -550,6 +602,8 @@ static bool derive_keys(private_ike_init_t *this,
 METHOD(task_t, build_r, status_t,
 	private_ike_init_t *this, message_t *message)
 {
+	identification_t *gateway;
+
 	/* check if we have everything we need */
 	if (this->proposal == NULL ||
 		this->other_nonce.len == 0 || this->my_nonce.len == 0)
@@ -560,6 +614,22 @@ METHOD(task_t, build_r, status_t,
 	}
 	this->ike_sa->set_proposal(this->ike_sa, this->proposal);
 
+	/* check if we'd have to redirect the client */
+	if (!this->old_sa &&
+		this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_REDIRECTION) &&
+		charon->redirect->redirect_on_init(charon->redirect, this->ike_sa,
+										   &gateway))
+	{
+		chunk_t data;
+
+		DBG1(DBG_IKE, "redirecting peer to %Y", gateway);
+		data = redirect_data_create(gateway, this->other_nonce);
+		message->add_notify(message, TRUE, REDIRECT, data);
+		gateway->destroy(gateway);
+		chunk_free(&data);
+		return FAILED;
+	}
+
 	if (this->dh == NULL ||
 		!this->proposal->has_dh_group(this->proposal, this->dh_group))
 	{
@@ -623,6 +693,54 @@ static void raise_alerts(private_ike_init_t *this, notify_type_t type)
 	}
 }
 
+METHOD(task_t, pre_process_i, status_t,
+	private_ike_init_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+
+	/* check for erroneous notifies */
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == PLV2_NOTIFY)
+		{
+			notify_payload_t *notify = (notify_payload_t*)payload;
+			notify_type_t type = notify->get_notify_type(notify);
+
+			switch (type)
+			{
+				case REDIRECT:
+				{
+					identification_t *gateway;
+					chunk_t data, nonce = chunk_empty;
+					status_t status = SUCCESS;
+
+					if (this->old_sa)
+					{
+						break;
+					}
+					data = notify->get_notification_data(notify);
+					gateway = redirect_data_parse(data, &nonce);
+					if (!gateway || !chunk_equals(nonce, this->my_nonce))
+					{
+						DBG1(DBG_IKE, "received invalid REDIRECT notify");
+						status = FAILED;
+					}
+					DESTROY_IF(gateway);
+					chunk_free(&nonce);
+					enumerator->destroy(enumerator);
+					return status;
+				}
+				default:
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	return SUCCESS;
+}
+
 METHOD(task_t, process_i, status_t,
 	private_ike_init_t *this, message_t *message)
 {
@@ -678,6 +796,29 @@ METHOD(task_t, process_i, status_t,
 					this->retry++;
 					return NEED_MORE;
 				}
+				case REDIRECT:
+				{
+					identification_t *gateway;
+					chunk_t data, nonce = chunk_empty;
+					status_t status = FAILED;
+
+					if (this->old_sa)
+					{
+						DBG1(DBG_IKE, "received REDIRECT notify during rekeying"
+						     ", ignored");
+						break;
+					}
+					data = notify->get_notification_data(notify);
+					gateway = redirect_data_parse(data, &nonce);
+					if (this->ike_sa->handle_redirect(this->ike_sa, gateway))
+					{
+						status = NEED_MORE;
+					}
+					DESTROY_IF(gateway);
+					chunk_free(&nonce);
+					enumerator->destroy(enumerator);
+					return status;
+				}
 				default:
 				{
 					if (type <= 16383)
@@ -802,6 +943,8 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
 		.old_sa = old_sa,
 		.signature_authentication = lib->settings->get_bool(lib->settings,
 								"%s.signature_authentication", TRUE, lib->ns),
+		.follow_redirects = lib->settings->get_bool(lib->settings,
+								"%s.follow_redirects", TRUE, lib->ns),
 	);
 	this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
 
@@ -809,6 +952,7 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
 	{
 		this->public.task.build = _build_i;
 		this->public.task.process = _process_i;
+		this->public.task.pre_process = _pre_process_i;
 	}
 	else
 	{
diff --git a/src/libcharon/sa/ikev2/tasks/ike_me.c b/src/libcharon/sa/ikev2/tasks/ike_me.c
index a7e7505a1..10d412ffd 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_me.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_me.c
@@ -17,7 +17,6 @@
 
 #include <string.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <config/peer_cfg.h>
 #include <encoding/payloads/id_payload.h>
@@ -135,8 +134,8 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
 	host = this->ike_sa->get_my_host(this->ike_sa);
 	port = host->get_port(host);
 
-	enumerator = hydra->kernel_interface->create_address_enumerator(
-									hydra->kernel_interface, ADDR_TYPE_REGULAR);
+	enumerator = charon->kernel->create_address_enumerator(charon->kernel,
+														   ADDR_TYPE_REGULAR);
 	while (enumerator->enumerate(enumerator, (void**)&addr))
 	{
 		host = addr->clone(addr);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
index cbdc5e797..3f7bb175f 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
@@ -18,7 +18,6 @@
 
 #include <string.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <sa/ikev2/tasks/ike_natd.h>
 #include <encoding/payloads/notify_payload.h>
@@ -196,8 +195,8 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
 	int added = 0;
 
 	me = this->ike_sa->get_my_host(this->ike_sa);
-	enumerator = hydra->kernel_interface->create_address_enumerator(
-									hydra->kernel_interface, ADDR_TYPE_REGULAR);
+	enumerator = charon->kernel->create_address_enumerator(charon->kernel,
+														   ADDR_TYPE_REGULAR);
 	while (enumerator->enumerate(enumerator, (void**)&host))
 	{
 		if (me->ip_equals(me, host))
@@ -333,8 +332,7 @@ METHOD(ike_mobike_t, transmit, bool,
 
 	if (!this->check)
 	{
-		me = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
-													  other_old, me_old);
+		me = charon->kernel->get_source_addr(charon->kernel, other_old, me_old);
 		if (me)
 		{
 			if (me->ip_equals(me, me_old))
@@ -372,8 +370,7 @@ METHOD(ike_mobike_t, transmit, bool,
 		{
 			continue;
 		}
-		me = hydra->kernel_interface->get_source_addr(
-										hydra->kernel_interface, other, NULL);
+		me = charon->kernel->get_source_addr(charon->kernel, other, NULL);
 		if (me)
 		{
 			/* reuse port for an active address, 4500 otherwise */
@@ -407,7 +404,7 @@ METHOD(task_t, build_i, status_t,
 
 		/* we check if the existing address is still valid */
 		old = message->get_source(message);
-		new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+		new = charon->kernel->get_source_addr(charon->kernel,
 										message->get_destination(message), old);
 		if (new)
 		{
diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c
index dd34c1234..4bf5264dd 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_natd.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c
@@ -18,7 +18,6 @@
 
 #include <string.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <config/peer_cfg.h>
 #include <crypto/hashers/hasher.h>
@@ -86,7 +85,7 @@ static bool force_encap(ike_cfg_t *ike_cfg)
 {
 	if (!ike_cfg->force_encap(ike_cfg))
 	{
-		return hydra->kernel_interface->get_features(hydra->kernel_interface) &
+		return charon->kernel->get_features(charon->kernel) &
 					KERNEL_REQUIRE_UDP_ENCAPSULATION;
 	}
 	return TRUE;
@@ -327,7 +326,7 @@ METHOD(task_t, build_i, status_t,
 	}
 	else
 	{
-		host = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+		host = charon->kernel->get_source_addr(charon->kernel,
 							this->ike_sa->get_other_host(this->ike_sa), NULL);
 		if (host)
 		{	/* 2. */
@@ -341,8 +340,8 @@ METHOD(task_t, build_i, status_t,
 		}
 		else
 		{	/* 3. */
-			enumerator = hydra->kernel_interface->create_address_enumerator(
-									hydra->kernel_interface, ADDR_TYPE_REGULAR);
+			enumerator = charon->kernel->create_address_enumerator(
+											charon->kernel, ADDR_TYPE_REGULAR);
 			while (enumerator->enumerate(enumerator, (void**)&host))
 			{
 				/* apply port 500 to host, but work on a copy */
diff --git a/src/libcharon/sa/ikev2/tasks/ike_redirect.c b/src/libcharon/sa/ikev2/tasks/ike_redirect.c
new file mode 100644
index 000000000..f82c80f71
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_redirect.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_redirect.h"
+
+#include <daemon.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+
+typedef struct private_ike_redirect_t private_ike_redirect_t;
+
+/**
+ * Private members
+ */
+struct private_ike_redirect_t {
+
+	/**
+	 * Public interface
+	 */
+	ike_redirect_t public;
+
+	/**
+	 * Assigned IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Gateway ID to redirect to
+	 */
+	identification_t *gateway;
+};
+
+METHOD(task_t, build_i, status_t,
+	private_ike_redirect_t *this, message_t *message)
+{
+	chunk_t data;
+
+	DBG1(DBG_IKE, "redirecting peer to %Y", this->gateway);
+	data = redirect_data_create(this->gateway, chunk_empty);
+	message->add_notify(message, FALSE, REDIRECT, data);
+	chunk_free(&data);
+	this->ike_sa->set_condition(this->ike_sa, COND_REDIRECTED, TRUE);
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_ike_redirect_t *this, message_t *message)
+{
+	notify_payload_t *notify;
+	identification_t *to;
+
+	notify = message->get_notify(message, REDIRECT);
+	if (!notify)
+	{
+		return SUCCESS;
+	}
+
+	to = redirect_data_parse(notify->get_notification_data(notify), NULL);
+	if (!to)
+	{
+		DBG1(DBG_IKE, "received invalid REDIRECT notify");
+	}
+	else
+	{
+		this->ike_sa->handle_redirect(this->ike_sa, to);
+		to->destroy(to);
+	}
+	return SUCCESS;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_ike_redirect_t *this, message_t *message)
+{
+	/* not called because SUCCESS is returned above */
+	return SUCCESS;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_ike_redirect_t *this, message_t *message)
+{
+	delete_ike_sa_job_t *job;
+
+	/* if the peer does not delete the SA we do so after a while */
+	job = delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE);
+	lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
+					lib->settings->get_int(lib->settings,
+							"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
+							lib->ns));
+	return SUCCESS;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_ike_redirect_t *this)
+{
+	return TASK_IKE_REDIRECT;
+}
+
+METHOD(task_t, migrate, void,
+	private_ike_redirect_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+	private_ike_redirect_t *this)
+{
+	DESTROY_IF(this->gateway);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_redirect_t *ike_redirect_create(ike_sa_t *ike_sa, identification_t *to)
+{
+	private_ike_redirect_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.build = _build_r,
+				.process = _process_r,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+	);
+
+	if (to)
+	{
+		this->gateway = to->clone(to);
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_redirect.h b/src/libcharon/sa/ikev2/tasks/ike_redirect.h
new file mode 100644
index 000000000..afa00ce5d
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_redirect.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_redirect ike_redirect
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_REDIRECT_H_
+#define IKE_REDIRECT_H_
+
+typedef struct ike_redirect_t ike_redirect_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task that handles redirection requests for established SAs.
+ */
+struct ike_redirect_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ike_redirect_t task.
+ *
+ * As initiator (i.e. original responder) pass the ID of the target gateway,
+ * as responder (i.e. original initiator) this argument is NULL.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param to			gateway ID (gets cloned), or NULL as responder
+ * @return				task instance
+ */
+ike_redirect_t *ike_redirect_create(ike_sa_t *ike_sa,
+									identification_t *to);
+
+#endif /** IKE_REDIRECT_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
index cb3c270dc..e85b276e8 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
@@ -13,6 +13,29 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2016 secunet Security Networks AG
+ * Copyright (C) 2016 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include "ike_vendor.h"
 
 #include <daemon.h>
@@ -49,6 +72,8 @@ typedef struct {
 	char *desc;
 	/* extension flag negotiated with vendor ID, if any */
 	ike_extension_t extension;
+	/* Value from strongswan.conf, whether to send vendor ID */
+	char *setting;
 	/* length of vendor ID string, 0 for NULL terminated */
 	int len;
 	/* vendor ID string */
@@ -68,23 +93,23 @@ static chunk_t get_vid_data(vid_data_t *data)
  */
 static vid_data_t vids[] = {
 	/* strongSwan MD5("strongSwan") */
-	{ "strongSwan", EXT_STRONGSWAN, 16,
+	{ "strongSwan", EXT_STRONGSWAN, "send_vendor_id", 16,
 	  "\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"},
-	{ "Cisco Delete Reason", 0, 0,
+	{ "Cisco Delete Reason", 0, NULL, 0,
 	  "CISCO-DELETE-REASON" },
-	{ "Cisco Copyright (c) 2009", 0, 0,
+	{ "Cisco Copyright (c) 2009", 0, NULL, 0,
 	  "CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc." },
-	{ "FRAGMENTATION", 0, 16,
+	{ "FRAGMENTATION", 0, NULL, 16,
 	  "\x40\x48\xb7\xd5\x6e\xbc\xe8\x85\x25\xe7\xde\x7f\x00\xd6\xc2\xd3"},
-	{ "MS NT5 ISAKMPOAKLEY v7", 0, 20,
+	{ "MS NT5 ISAKMPOAKLEY v7", 0, NULL, 20,
 	  "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x07"},
-	{ "MS NT5 ISAKMPOAKLEY v8", 0, 20,
+	{ "MS NT5 ISAKMPOAKLEY v8", 0, NULL, 20,
 	  "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x08"},
-	{ "MS NT5 ISAKMPOAKLEY v9", 0, 20,
+	{ "MS NT5 ISAKMPOAKLEY v9", 0, NULL, 20,
 	  "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x09"},
-	{ "MS-Negotiation Discovery Capable", 0, 16,
+	{ "MS-Negotiation Discovery Capable", 0, NULL, 16,
 	  "\xfb\x1d\xe3\xcd\xf3\x41\xb7\xea\x16\xb7\xe5\xbe\x08\x55\xf1\x20"},
-	{ "Vid-Initial-Contact", 0, 16,
+	{ "Vid-Initial-Contact", 0, NULL, 16,
 	  "\x26\x24\x4d\x38\xed\xdb\x61\xb3\x17\x2a\x36\xe3\xd0\xcf\xb8\x19"},
 };
 
@@ -92,14 +117,19 @@ METHOD(task_t, build, status_t,
 	private_ike_vendor_t *this, message_t *message)
 {
 	vendor_id_payload_t *vid;
-	bool strongswan;
+	bool send_vid;
 	int i;
 
-	strongswan = lib->settings->get_bool(lib->settings,
-							"%s.send_vendor_id", FALSE, lib->ns);
 	for (i = 0; i < countof(vids); i++)
 	{
-		if (vids[i].extension == EXT_STRONGSWAN && strongswan)
+		send_vid = FALSE;
+
+		if (vids[i].setting)
+		{
+			send_vid = lib->settings->get_bool(lib->settings, "%s.%s", send_vid,
+											   lib->ns, vids[i].setting);
+		}
+		if (send_vid)
 		{
 			DBG2(DBG_IKE, "sending %s vendor ID", vids[i].desc);
 			vid = vendor_id_payload_create_data(PLV2_VENDOR_ID,
diff --git a/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c
new file mode 100644
index 000000000..069d51d00
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_verify_peer_cert.h"
+
+#include <daemon.h>
+#include <sa/ikev2/tasks/ike_delete.h>
+
+typedef struct private_ike_verify_peer_cert_t private_ike_verify_peer_cert_t;
+
+/**
+ * Private members
+ */
+struct private_ike_verify_peer_cert_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_verify_peer_cert_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Child ike_delete task, if necessary
+	 */
+	ike_delete_t *ike_delete;
+};
+
+METHOD(task_t, build_i, status_t,
+	private_ike_verify_peer_cert_t *this, message_t *message)
+{
+	if (!this->ike_sa->verify_peer_certificate(this->ike_sa))
+	{
+		DBG1(DBG_IKE, "peer certificate verification failed, deleting SA");
+		this->ike_delete = ike_delete_create(this->ike_sa, TRUE);
+		return this->ike_delete->task.build(&this->ike_delete->task, message);
+	}
+	DBG1(DBG_IKE, "peer certificate successfully verified");
+	message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
+	return SUCCESS;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_ike_verify_peer_cert_t *this, message_t *message)
+{
+	if (this->ike_delete)
+	{
+		this->ike_delete->task.process(&this->ike_delete->task, message);
+		/* try to reestablish the IKE_SA and all children */
+		this->ike_sa->reestablish(this->ike_sa);
+	}
+	return DESTROY_ME;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_ike_verify_peer_cert_t *this)
+{
+	return TASK_IKE_VERIFY_PEER_CERT;
+}
+
+METHOD(task_t, migrate, void,
+	private_ike_verify_peer_cert_t *this, ike_sa_t *ike_sa)
+{
+	if (this->ike_delete)
+	{
+		this->ike_delete->task.migrate(&this->ike_delete->task, ike_sa);
+	}
+	this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+	private_ike_verify_peer_cert_t *this)
+{
+	if (this->ike_delete)
+	{
+		this->ike_delete->task.destroy(&this->ike_delete->task);
+	}
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_verify_peer_cert_t *ike_verify_peer_cert_create(ike_sa_t *ike_sa)
+{
+	private_ike_verify_peer_cert_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.build = _build_i,
+				.process = _process_i,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h
new file mode 100644
index 000000000..3d9aae0b3
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_verify_peer_cert ike_verify_peer_cert
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_VERIFY_PEER_CERT_H_
+#define IKE_VERIFY_PEER_CERT_H_
+
+typedef struct ike_verify_peer_cert_t ike_verify_peer_cert_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type ike_verify_peer_cert, verifies a peer's certificate.
+ *
+ * This task (re-)verifies the peer's certificate explicitly including online
+ * OCSP and CRL checks.
+ */
+struct ike_verify_peer_cert_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ike_verify_peer_cert task.
+ *
+ * This task is initiator only.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @return				ike_verify_peer_cert task to handle by the task_manager
+ */
+ike_verify_peer_cert_t *ike_verify_peer_cert_create(ike_sa_t *ike_sa);
+
+#endif /** IKE_VERIFY_PEER_CERT_H_ @}*/
diff --git a/src/libcharon/sa/redirect_manager.c b/src/libcharon/sa/redirect_manager.c
new file mode 100644
index 000000000..ff92ac29f
--- /dev/null
+++ b/src/libcharon/sa/redirect_manager.c
@@ -0,0 +1,274 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "redirect_manager.h"
+
+#include <collections/linked_list.h>
+#include <threading/rwlock.h>
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+
+typedef struct private_redirect_manager_t private_redirect_manager_t;
+
+/**
+ * Private data
+ */
+struct private_redirect_manager_t {
+
+	/**
+	 * Public interface
+	 */
+	redirect_manager_t public;
+
+	/**
+	 * Registered providers
+	 */
+	linked_list_t *providers;
+
+	/**
+	 * Lock to access list of providers
+	 */
+	rwlock_t *lock;
+};
+
+
+/**
+ * Gateway identify types
+ *
+ * The encoding is the same as that for corresponding ID payloads.
+ */
+typedef enum {
+	/** IPv4 address of the VPN gateway */
+	GATEWAY_ID_TYPE_IPV4 = 1,
+	/** IPv6 address of the VPN gateway */
+	GATEWAY_ID_TYPE_IPV6 = 2,
+	/** FQDN of the VPN gateway */
+	GATEWAY_ID_TYPE_FQDN = 3,
+} gateway_id_type_t;
+
+/**
+ * Mapping of gateway identity types to identity types
+ */
+static id_type_t gateway_to_id_type(gateway_id_type_t type)
+{
+	switch (type)
+	{
+		case GATEWAY_ID_TYPE_IPV4:
+			return ID_IPV4_ADDR;
+		case GATEWAY_ID_TYPE_IPV6:
+			return ID_IPV6_ADDR;
+		case GATEWAY_ID_TYPE_FQDN:
+			return ID_FQDN;
+		default:
+			return 0;
+	}
+}
+
+/**
+ * Mapping of identity types to gateway identity types
+ */
+static gateway_id_type_t id_type_to_gateway(id_type_t type)
+{
+	switch (type)
+	{
+		case ID_IPV4_ADDR:
+			return GATEWAY_ID_TYPE_IPV4;
+		case ID_IPV6_ADDR:
+			return GATEWAY_ID_TYPE_IPV6;
+		case ID_FQDN:
+			return GATEWAY_ID_TYPE_FQDN;
+		default:
+			return 0;
+	}
+}
+
+METHOD(redirect_manager_t, add_provider, void,
+	private_redirect_manager_t *this, redirect_provider_t *provider)
+{
+	this->lock->write_lock(this->lock);
+	this->providers->insert_last(this->providers, provider);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(redirect_manager_t, remove_provider, void,
+	private_redirect_manager_t *this, redirect_provider_t *provider)
+{
+	this->lock->write_lock(this->lock);
+	this->providers->remove(this->providers, provider, NULL);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Determine whether a client should be redirected using the callback with the
+ * given offset into the redirect_provider_t interface.
+ */
+static bool should_redirect(private_redirect_manager_t *this, ike_sa_t *ike_sa,
+							identification_t **gateway, size_t offset)
+{
+	enumerator_t *enumerator;
+	void *provider;
+	bool redirect = FALSE;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		bool (**method)(void*,ike_sa_t*,identification_t**) = provider + offset;
+		if (*method && (*method)(provider, ike_sa, gateway))
+		{
+			if (*gateway && id_type_to_gateway((*gateway)->get_type(*gateway)))
+			{
+				redirect = TRUE;
+				break;
+			}
+			else
+			{
+				DBG1(DBG_CFG, "redirect provider returned invalid gateway ID");
+				DESTROY_IF(*gateway);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return redirect;
+}
+
+METHOD(redirect_manager_t, redirect_on_init, bool,
+	private_redirect_manager_t *this, ike_sa_t *ike_sa,
+	identification_t **gateway)
+{
+	return should_redirect(this, ike_sa, gateway,
+						   offsetof(redirect_provider_t, redirect_on_init));
+}
+
+METHOD(redirect_manager_t, redirect_on_auth, bool,
+	private_redirect_manager_t *this, ike_sa_t *ike_sa,
+	identification_t **gateway)
+{
+	return should_redirect(this, ike_sa, gateway,
+						   offsetof(redirect_provider_t, redirect_on_auth));
+}
+
+METHOD(redirect_manager_t, destroy, void,
+	private_redirect_manager_t *this)
+{
+	this->providers->destroy(this->providers);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+redirect_manager_t *redirect_manager_create()
+{
+	private_redirect_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.add_provider = _add_provider,
+			.remove_provider = _remove_provider,
+			.redirect_on_init = _redirect_on_init,
+			.redirect_on_auth = _redirect_on_auth,
+			.destroy = _destroy,
+		},
+		.providers = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
+/*
+ * Encoding of a REDIRECT or REDIRECTED_FROM notify
+ *
+                         1                   2                   3
+     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    | Next Payload  |C|  RESERVED   |         Payload Length        |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |Protocol ID(=0)| SPI Size (=0) |      Notify Message Type      |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    | GW Ident Type |  GW Ident Len |                               |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               ~
+    ~                   New Responder GW Identity                   ~
+    |                                                               |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |                                                               |
+    ~                        Nonce Data                             ~
+    |                                                               |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/*
+ * Described in header
+ */
+chunk_t redirect_data_create(identification_t *gw, chunk_t nonce)
+{
+	gateway_id_type_t type;
+	bio_writer_t *writer;
+	chunk_t data;
+
+	type = id_type_to_gateway(gw->get_type(gw));
+	if (!type)
+	{
+		return chunk_empty;
+	}
+
+	writer = bio_writer_create(0);
+	writer->write_uint8(writer, type);
+	writer->write_data8(writer, gw->get_encoding(gw));
+	if (nonce.ptr)
+	{
+		writer->write_data(writer, nonce);
+	}
+
+	data = writer->extract_buf(writer);
+	writer->destroy(writer);
+	return data;
+}
+
+/*
+ * Described in header
+ */
+identification_t *redirect_data_parse(chunk_t data, chunk_t *nonce)
+{
+	bio_reader_t *reader;
+	id_type_t id_type;
+	chunk_t gateway;
+	u_int8_t type;
+
+	reader = bio_reader_create(data);
+	if (!reader->read_uint8(reader, &type) ||
+		!reader->read_data8(reader, &gateway))
+	{
+		DBG1(DBG_ENC, "invalid REDIRECT notify data");
+		reader->destroy(reader);
+		return NULL;
+	}
+	id_type = gateway_to_id_type(type);
+	if (!id_type)
+	{
+		DBG1(DBG_ENC, "invalid gateway ID type (%d) in REDIRECT notify", type);
+		reader->destroy(reader);
+		return NULL;
+	}
+	if (nonce)
+	{
+		*nonce = chunk_clone(reader->peek(reader));
+	}
+	reader->destroy(reader);
+	return identification_create_from_encoding(id_type, gateway);
+}
diff --git a/src/libcharon/sa/redirect_manager.h b/src/libcharon/sa/redirect_manager.h
new file mode 100644
index 000000000..e8753265c
--- /dev/null
+++ b/src/libcharon/sa/redirect_manager.h
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup redirect_manager redirect_manager
+ * @{ @ingroup sa
+ */
+
+#ifndef REDIRECT_MANAGER_H_
+#define REDIRECT_MANAGER_H_
+
+typedef struct redirect_manager_t redirect_manager_t;
+
+#include <sa/redirect_provider.h>
+
+/**
+ * Manages redirect providers.
+ */
+struct redirect_manager_t {
+
+	/**
+	 * Add a redirect provider.
+	 *
+	 * All registered providers are queried until one of them decides to
+	 * redirect a client.
+	 *
+	 * A provider may be called concurrently for different IKE_SAs.
+	 *
+	 * @param provider	provider to register
+	 */
+	void (*add_provider)(redirect_manager_t *this,
+						 redirect_provider_t *provider);
+
+	/**
+	 * Remove a redirect provider.
+	 *
+	 * @param provider	provider to unregister
+	 */
+	void (*remove_provider)(redirect_manager_t *this,
+							redirect_provider_t *provider);
+
+	/**
+	 * Determine whether a client should be redirected upon receipt of the
+	 * IKE_SA_INIT message.
+	 *
+	 * @param ike_sa		IKE_SA for which this is called
+	 * @param gateway[out]	new IKE gateway (IP or FQDN)
+	 * @return				TRUE if client should be redirected, FALSE otherwise
+	 */
+	bool (*redirect_on_init)(redirect_manager_t *this, ike_sa_t *ike_sa,
+							 identification_t **gateway);
+
+	/**
+	 * Determine whether a client should be redirected after the IKE_AUTH has
+	 * been handled.  Should be called after the client is authenticated and
+	 * when the server authenticates itself.
+	 *
+	 * @param ike_sa		IKE_SA for which this is called
+	 * @param gateway[out]	new IKE gateway (IP or FQDN)
+	 * @return				TRUE if client should be redirected, FALSE otherwise
+	 */
+	bool (*redirect_on_auth)(redirect_manager_t *this, ike_sa_t *ike_sa,
+							 identification_t **gateway);
+
+	/**
+	 * Destroy this instance.
+	 */
+	void (*destroy)(redirect_manager_t *this);
+};
+
+/**
+ * Create a redirect manager instance.
+ *
+ * @return					manager instance
+ */
+redirect_manager_t *redirect_manager_create();
+
+/**
+ * Create notification data of a REDIRECT or REDIRECT_FROM payload using the
+ * given gateway identity and optional nonce (only used during IKE_SA_INIT).
+ *
+ * @param gw				gateway identity (IP or FQDN), gets cloned
+ * @param nonce				nonce value, or chunk_empty, gets cloned
+ * @return					notify data, chunk_empty if ID type is not supported
+ */
+chunk_t redirect_data_create(identification_t *gw, chunk_t nonce);
+
+/**
+ * Parse notification data of a REDIRECT or REDIRECTED_FROM notify payload.
+ *
+ * @param data				notification data to parse
+ * @param[out] nonce		nonce data (allocated), if any was provided
+ * @return					gateway identity, NULL if data is invalid
+ */
+identification_t *redirect_data_parse(chunk_t data, chunk_t *nonce);
+
+#endif /** REDIRECT_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/redirect_provider.h b/src/libcharon/sa/redirect_provider.h
new file mode 100644
index 000000000..ef2288ffc
--- /dev/null
+++ b/src/libcharon/sa/redirect_provider.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup redirect_provider redirect_provider
+ * @{ @ingroup sa
+ */
+
+#ifndef REDIRECT_PROVIDER_H_
+#define REDIRECT_PROVIDER_H_
+
+typedef struct redirect_provider_t redirect_provider_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+
+/**
+ * Interface that allows implementations to decide whether a client is
+ * redirected during IKE_SA_INIT or IKE_AUTH using RFC 5685.
+ */
+struct redirect_provider_t {
+
+	/**
+	 * Decide whether a client is redirect directly upon receipt of the
+	 * IKE_SA_INIT message.
+	 *
+	 * @param ike_sa		IKE_SA for which this is called
+	 * @param gateway[out]	new IKE gateway (IP or FQDN)
+	 * @return				TRUE if client should be redirected, FALSE otherwise
+	 */
+	bool (*redirect_on_init)(redirect_provider_t *this, ike_sa_t *ike_sa,
+							 identification_t **gateway);
+
+	/**
+	 * Decide whether a client is redirect after the IKE_AUTH has been
+	 * handled.  This is called after the client is authenticated and when the
+	 * server authenticates itself.
+	 *
+	 * @param ike_sa		IKE_SA for which this is called
+	 * @param gateway[out]	new IKE gateway (IP or FQDN)
+	 * @return				TRUE if client should be redirected, FALSE otherwise
+	 */
+	bool (*redirect_on_auth)(redirect_provider_t *this, ike_sa_t *ike_sa,
+							 identification_t **gateway);
+};
+
+#endif /** REDIRECT_PROVIDER_H_ @}*/
diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
index 5231994c8..0e9cf6e1f 100644
--- a/src/libcharon/sa/shunt_manager.c
+++ b/src/libcharon/sa/shunt_manager.c
@@ -16,7 +16,6 @@
 
 #include "shunt_manager.h"
 
-#include <hydra.h>
 #include <daemon.h>
 #include <threading/rwlock.h>
 #include <threading/rwlock_condvar.h>
@@ -111,22 +110,22 @@ static bool install_shunt_policy(child_cfg_t *child)
 				continue;
 			}
 			/* install out policy */
-			status |= hydra->kernel_interface->add_policy(
-								hydra->kernel_interface, host_any, host_any,
+			status |= charon->kernel->add_policy(charon->kernel,
+								host_any, host_any,
 								my_ts, other_ts, POLICY_OUT, policy_type,
 								&sa, child->get_mark(child, FALSE),
 								policy_prio);
 
 			/* install in policy */
-			status |= hydra->kernel_interface->add_policy(
-								hydra->kernel_interface, host_any, host_any,
+			status |= charon->kernel->add_policy(charon->kernel,
+								host_any, host_any,
 								other_ts, my_ts, POLICY_IN, policy_type,
 								&sa, child->get_mark(child, TRUE),
 								policy_prio);
 
 			/* install forward policy */
-			status |= hydra->kernel_interface->add_policy(
-								hydra->kernel_interface, host_any, host_any,
+			status |= charon->kernel->add_policy(charon->kernel,
+								host_any, host_any,
 								other_ts, my_ts, POLICY_FWD, policy_type,
 								&sa, child->get_mark(child, TRUE),
 								policy_prio);
@@ -248,22 +247,22 @@ static void uninstall_shunt_policy(child_cfg_t *child)
 				continue;
 			}
 			/* uninstall out policy */
-			status |= hydra->kernel_interface->del_policy(
-							hydra->kernel_interface, host_any, host_any,
+			status |= charon->kernel->del_policy(charon->kernel,
+							host_any, host_any,
 							my_ts, other_ts, POLICY_OUT, policy_type,
 							&sa, child->get_mark(child, FALSE),
 							policy_prio);
 
 			/* uninstall in policy */
-			status |= hydra->kernel_interface->del_policy(
-							hydra->kernel_interface, host_any, host_any,
+			status |= charon->kernel->del_policy(charon->kernel,
+							host_any, host_any,
 							other_ts, my_ts, POLICY_IN, policy_type,
 							&sa, child->get_mark(child, TRUE),
 							policy_prio);
 
 			/* uninstall forward policy */
-			status |= hydra->kernel_interface->del_policy(
-							hydra->kernel_interface, host_any, host_any,
+			status |= charon->kernel->del_policy(charon->kernel,
+							host_any, host_any,
 							other_ts, my_ts, POLICY_FWD, policy_type,
 							&sa, child->get_mark(child, TRUE),
 							policy_prio);
diff --git a/src/libcharon/sa/task.c b/src/libcharon/sa/task.c
index b35b58185..405eda66b 100644
--- a/src/libcharon/sa/task.c
+++ b/src/libcharon/sa/task.c
@@ -28,6 +28,8 @@ ENUM(task_type_names, TASK_IKE_INIT, TASK_ISAKMP_CERT_POST,
 	"IKE_REKEY",
 	"IKE_REAUTH",
 	"IKE_REAUTH_COMPLETE",
+	"IKE_REDIRECT",
+	"IKE_VERIFY_PEER_CERT",
 	"IKE_DELETE",
 	"IKE_DPD",
 	"IKE_VENDOR",
diff --git a/src/libcharon/sa/task.h b/src/libcharon/sa/task.h
index 7bd3da1fe..31d70fb3b 100644
--- a/src/libcharon/sa/task.h
+++ b/src/libcharon/sa/task.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2007-2015 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -57,6 +57,10 @@ enum task_type_t {
 	TASK_IKE_REAUTH,
 	/** completion task for make-before-break IKE_SA re-authentication */
 	TASK_IKE_REAUTH_COMPLETE,
+	/** redirect an active IKE_SA */
+	TASK_IKE_REDIRECT,
+	/** verify a peer's certificate */
+	TASK_IKE_VERIFY_PEER_CERT,
 	/** delete an IKE_SA */
 	TASK_IKE_DELETE,
 	/** liveness check */
@@ -154,6 +158,18 @@ struct task_t {
 	status_t (*process) (task_t *this, message_t *message);
 
 	/**
+	 * Verify a message before processing it (optional to implement by tasks).
+	 *
+	 * @param message		message to verify
+	 * @return
+	 *						- FAILED if verification is not successful, the
+	 *						  message will be silently discarded
+	 *						- DESTROY_ME if IKE_SA has to be destroyed
+	 *						- SUCCESS if verification is successful
+	 */
+	status_t (*pre_process) (task_t *this, message_t *message);
+
+	/**
 	 * Get the type of the task implementation.
 	 */
 	task_type_t (*get_type) (task_t *this);
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 90ad7e40e..85e220775 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -16,7 +16,6 @@
 
 #include "trap_manager.h"
 
-#include <hydra.h>
 #include <daemon.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
@@ -195,8 +194,7 @@ METHOD(trap_manager_t, install, u_int32_t,
 		if (!me || me->is_anyaddr(me))
 		{
 			DESTROY_IF(me);
-			me = hydra->kernel_interface->get_source_addr(
-										hydra->kernel_interface, other, NULL);
+			me = charon->kernel->get_source_addr(charon->kernel, other, NULL);
 			if (!me)
 			{
 				DBG1(DBG_CFG, "installing trap failed, local address unknown");
diff --git a/src/libcharon/tests/Makefile.am b/src/libcharon/tests/Makefile.am
index 5fd8ca26d..0589269aa 100644
--- a/src/libcharon/tests/Makefile.am
+++ b/src/libcharon/tests/Makefile.am
@@ -10,7 +10,6 @@ libcharon_tests_SOURCES = \
 
 libcharon_tests_CFLAGS = \
   -I$(top_srcdir)/src/libcharon \
-  -I$(top_srcdir)/src/libhydra \
   -I$(top_srcdir)/src/libstrongswan \
   -I$(top_srcdir)/src/libstrongswan/tests \
   -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
@@ -20,6 +19,5 @@ libcharon_tests_CFLAGS = \
 libcharon_tests_LDFLAGS = @COVERAGE_LDFLAGS@
 libcharon_tests_LDADD = \
   $(top_builddir)/src/libcharon/libcharon.la \
-  $(top_builddir)/src/libhydra/libhydra.la \
   $(top_builddir)/src/libstrongswan/libstrongswan.la \
   $(top_builddir)/src/libstrongswan/tests/libtest.la
diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in
index 910aad928..87dea161a 100644
--- a/src/libcharon/tests/Makefile.in
+++ b/src/libcharon/tests/Makefile.in
@@ -109,7 +109,6 @@ am_libcharon_tests_OBJECTS =  \
 libcharon_tests_OBJECTS = $(am_libcharon_tests_OBJECTS)
 libcharon_tests_DEPENDENCIES =  \
 	$(top_builddir)/src/libcharon/libcharon.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libstrongswan/tests/libtest.la
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -415,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -436,7 +437,6 @@ libcharon_tests_SOURCES = \
 
 libcharon_tests_CFLAGS = \
   -I$(top_srcdir)/src/libcharon \
-  -I$(top_srcdir)/src/libhydra \
   -I$(top_srcdir)/src/libstrongswan \
   -I$(top_srcdir)/src/libstrongswan/tests \
   -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
@@ -446,7 +446,6 @@ libcharon_tests_CFLAGS = \
 libcharon_tests_LDFLAGS = @COVERAGE_LDFLAGS@
 libcharon_tests_LDADD = \
   $(top_builddir)/src/libcharon/libcharon.la \
-  $(top_builddir)/src/libhydra/libhydra.la \
   $(top_builddir)/src/libstrongswan/libstrongswan.la \
   $(top_builddir)/src/libstrongswan/tests/libtest.la
 
diff --git a/src/libcharon/tests/libcharon_tests.c b/src/libcharon/tests/libcharon_tests.c
index ec96de711..4692c3094 100644
--- a/src/libcharon/tests/libcharon_tests.c
+++ b/src/libcharon/tests/libcharon_tests.c
@@ -14,7 +14,6 @@
  */
 
 #include <test_runner.h>
-#include <hydra.h>
 #include <daemon.h>
 
 /* declare test suite constructors */
@@ -39,7 +38,6 @@ static bool test_runner_init(bool init)
 	{
 		char *plugins, *plugindir;
 
-		libhydra_init();
 		libcharon_init();
 
 		plugins = getenv("TESTS_PLUGINS") ?:
@@ -59,7 +57,6 @@ static bool test_runner_init(bool init)
 		lib->processor->cancel(lib->processor);
 		lib->plugins->unload(lib->plugins);
 		libcharon_deinit();
-		libhydra_deinit();
 	}
 	return TRUE;
 }
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 6a3a4ebd5..0c692542d 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk
deleted file mode 100644
index 7b62e9529..000000000
--- a/src/libhydra/Android.mk
+++ /dev/null
@@ -1,37 +0,0 @@
-LOCAL_PATH := $(call my-dir)
-include $(CLEAR_VARS)
-
-# copy-n-paste from Makefile.am
-libhydra_la_SOURCES := \
-hydra.c hydra.h \
-kernel/kernel_interface.c kernel/kernel_interface.h \
-kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-kernel/kernel_net.c kernel/kernel_net.h \
-kernel/kernel_listener.h
-
-LOCAL_SRC_FILES := $(filter %.c,$(libhydra_la_SOURCES))
-
-# adding the plugin source files
-
-LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey)
-
-LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
-
-# build libhydra ---------------------------------------------------------------
-
-LOCAL_C_INCLUDES += \
-	$(strongswan_PATH)/src/libstrongswan
-
-LOCAL_CFLAGS := $(strongswan_CFLAGS)
-
-LOCAL_MODULE := libhydra
-
-LOCAL_MODULE_TAGS := optional
-
-LOCAL_ARM_MODE := arm
-
-LOCAL_PRELINK_MODULE := false
-
-LOCAL_SHARED_LIBRARIES += libstrongswan
-
-include $(BUILD_SHARED_LIBRARY)
diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am
deleted file mode 100644
index 9cdbc0147..000000000
--- a/src/libhydra/Makefile.am
+++ /dev/null
@@ -1,60 +0,0 @@
-ipseclib_LTLIBRARIES = libhydra.la
-
-libhydra_la_SOURCES = \
-hydra.c hydra.h \
-kernel/kernel_interface.c kernel/kernel_interface.h \
-kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-kernel/kernel_net.c kernel/kernel_net.h \
-kernel/kernel_listener.h
-
-libhydra_la_LIBADD = \
-  $(top_builddir)/src/libstrongswan/libstrongswan.la
-
-if USE_WINDOWS
-  libhydra_la_LIBADD += -lws2_32
-endif
-
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-DIPSEC_DIR=\"${ipsecdir}\" \
-	-DPLUGINDIR=\"${plugindir}\"
-
-AM_LDFLAGS = \
-  -no-undefined
-
-EXTRA_DIST = Android.mk
-
-# build optional plugins
-########################
-
-if MONOLITHIC
-SUBDIRS =
-else
-SUBDIRS = .
-endif
-
-if USE_KERNEL_PFKEY
-  SUBDIRS += plugins/kernel_pfkey
-if MONOLITHIC
-  libhydra_la_LIBADD += plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
-endif
-endif
-
-if USE_KERNEL_PFROUTE
-  SUBDIRS += plugins/kernel_pfroute
-if MONOLITHIC
-  libhydra_la_LIBADD += plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
-endif
-endif
-
-if USE_KERNEL_NETLINK
-  SUBDIRS += plugins/kernel_netlink
-if MONOLITHIC
-  libhydra_la_LIBADD += plugins/kernel_netlink/libstrongswan-kernel-netlink.la
-endif
-endif
-
-if MONOLITHIC
-  SUBDIRS += .
-endif
-SUBDIRS += tests
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
deleted file mode 100644
index 9bb2e839a..000000000
--- a/src/libhydra/Makefile.in
+++ /dev/null
@@ -1,922 +0,0 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
-am__make_running_with_option = \
-  case $${target_option-} in \
-      ?) ;; \
-      *) echo "am__make_running_with_option: internal error: invalid" \
-              "target option '$${target_option-}' specified" >&2; \
-         exit 1;; \
-  esac; \
-  has_opt=no; \
-  sane_makeflags=$$MAKEFLAGS; \
-  if $(am__is_gnu_make); then \
-    sane_makeflags=$$MFLAGS; \
-  else \
-    case $$MAKEFLAGS in \
-      *\\[\ \	]*) \
-        bs=\\; \
-        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
-          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
-    esac; \
-  fi; \
-  skip_next=no; \
-  strip_trailopt () \
-  { \
-    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
-  }; \
-  for flg in $$sane_makeflags; do \
-    test $$skip_next = yes && { skip_next=no; continue; }; \
-    case $$flg in \
-      *=*|--*) continue;; \
-        -*I) strip_trailopt 'I'; skip_next=yes;; \
-      -*I?*) strip_trailopt 'I';; \
-        -*O) strip_trailopt 'O'; skip_next=yes;; \
-      -*O?*) strip_trailopt 'O';; \
-        -*l) strip_trailopt 'l'; skip_next=yes;; \
-      -*l?*) strip_trailopt 'l';; \
-      -[dEDm]) skip_next=yes;; \
-      -[JT]) skip_next=yes;; \
-    esac; \
-    case $$flg in \
-      *$$target_option*) has_opt=yes; break;; \
-    esac; \
-  done; \
-  test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-@USE_WINDOWS_TRUE@am__append_1 = -lws2_32
-@USE_KERNEL_PFKEY_TRUE@am__append_2 = plugins/kernel_pfkey
-@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_3 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
-@USE_KERNEL_PFROUTE_TRUE@am__append_4 = plugins/kernel_pfroute
-@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_5 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
-@USE_KERNEL_NETLINK_TRUE@am__append_6 = plugins/kernel_netlink
-@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_7 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
-subdir = src/libhydra
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
-	$(top_srcdir)/depcomp
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/split-package-version.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-am__installdirs = "$(DESTDIR)$(ipseclibdir)"
-LTLIBRARIES = $(ipseclib_LTLIBRARIES)
-am__DEPENDENCIES_1 =
-libhydra_la_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__DEPENDENCIES_1) $(am__append_3) $(am__append_5) \
-	$(am__append_7)
-am__dirstamp = $(am__leading_dot)dirstamp
-am_libhydra_la_OBJECTS = hydra.lo kernel/kernel_interface.lo \
-	kernel/kernel_ipsec.lo kernel/kernel_net.lo
-libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS)
-AM_V_lt = $(am__v_lt_@AM_V@)
-am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 = 
-AM_V_P = $(am__v_P_@AM_V@)
-am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo "  GEN     " $@;
-am__v_GEN_1 = 
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 = 
-DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_@AM_V@)
-am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
-am__v_CC_0 = @echo "  CC      " $@;
-am__v_CC_1 = 
-CCLD = $(CC)
-LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_@AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo "  CCLD    " $@;
-am__v_CCLD_1 = 
-SOURCES = $(libhydra_la_SOURCES)
-DIST_SOURCES = $(libhydra_la_SOURCES)
-RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
-	ctags-recursive dvi-recursive html-recursive info-recursive \
-	install-data-recursive install-dvi-recursive \
-	install-exec-recursive install-html-recursive \
-	install-info-recursive install-pdf-recursive \
-	install-ps-recursive install-recursive installcheck-recursive \
-	installdirs-recursive pdf-recursive ps-recursive \
-	tags-recursive uninstall-recursive
-am__can_run_installinfo = \
-  case $$AM_UPDATE_INFO_DIR in \
-    n|no|NO) false;; \
-    *) (install-info --version) >/dev/null 2>&1;; \
-  esac
-RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
-  distclean-recursive maintainer-clean-recursive
-am__recursive_targets = \
-  $(RECURSIVE_TARGETS) \
-  $(RECURSIVE_CLEAN_TARGETS) \
-  $(am__extra_recursive_targets)
-AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
-	distdir
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates.  Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
-  BEGIN { nonempty = 0; } \
-  { items[$$0] = 1; nonempty = 1; } \
-  END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique.  This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
-  list='$(am__tagged_files)'; \
-  unique=`for i in $$list; do \
-    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-  done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
-DIST_SUBDIRS = . plugins/kernel_pfkey plugins/kernel_pfroute \
-	plugins/kernel_netlink tests
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-am__relativize = \
-  dir0=`pwd`; \
-  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
-  sed_rest='s,^[^/]*/*,,'; \
-  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
-  sed_butlast='s,/*[^/]*$$,,'; \
-  while test -n "$$dir1"; do \
-    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
-    if test "$$first" != "."; then \
-      if test "$$first" = ".."; then \
-        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
-        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
-      else \
-        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
-        if test "$$first2" = "$$first"; then \
-          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
-        else \
-          dir2="../$$dir2"; \
-        fi; \
-        dir0="$$dir0"/"$$first"; \
-      fi; \
-    fi; \
-    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
-  done; \
-  reldir="$$dir2"
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BFDLIB = @BFDLIB@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
-COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DLLTOOL = @DLLTOOL@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-EASY_INSTALL = @EASY_INSTALL@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GEM = @GEM@
-GENHTML = @GENHTML@
-GPERF = @GPERF@
-GPRBUILD = @GPRBUILD@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LCOV = @LCOV@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MANIFEST_TOOL = @MANIFEST_TOOL@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OPENSSL_LIB = @OPENSSL_LIB@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
-PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
-PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
-PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
-PTHREADLIB = @PTHREADLIB@
-PYTHON = @PYTHON@
-PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
-PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
-PYTHON_PLATFORM = @PYTHON_PLATFORM@
-PYTHON_PREFIX = @PYTHON_PREFIX@
-PYTHON_VERSION = @PYTHON_VERSION@
-PY_TEST = @PY_TEST@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYGEMDIR = @RUBYGEMDIR@
-RUBYINCLUDE = @RUBYINCLUDE@
-RUBYLIB = @RUBYLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-UNWINDLIB = @UNWINDLIB@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_AR = @ac_ct_AR@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-aikgen_plugins = @aikgen_plugins@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-charon_natt_port = @charon_natt_port@
-charon_plugins = @charon_plugins@
-charon_udp_port = @charon_udp_port@
-clearsilver_LIBS = @clearsilver_LIBS@
-cmd_plugins = @cmd_plugins@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
-dev_headers = @dev_headers@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-fips_mode = @fips_mode@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsec_script = @ipsec_script@
-ipsec_script_upper = @ipsec_script_upper@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-json_CFLAGS = @json_CFLAGS@
-json_LIBS = @json_LIBS@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libiptc_CFLAGS = @libiptc_CFLAGS@
-libiptc_LIBS = @libiptc_LIBS@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-nm_plugins = @nm_plugins@
-oldincludedir = @oldincludedir@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pkgpyexecdir = @pkgpyexecdir@
-pkgpythondir = @pkgpythondir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-pyexecdir = @pyexecdir@
-pythondir = @pythondir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-strongswan_options = @strongswan_options@
-swanctldir = @swanctldir@
-sysconfdir = @sysconfdir@
-systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
-systemd_daemon_LIBS = @systemd_daemon_LIBS@
-systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
-systemd_journal_LIBS = @systemd_journal_LIBS@
-systemdsystemunitdir = @systemdsystemunitdir@
-t_plugins = @t_plugins@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-ipseclib_LTLIBRARIES = libhydra.la
-libhydra_la_SOURCES = \
-hydra.c hydra.h \
-kernel/kernel_interface.c kernel/kernel_interface.h \
-kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-kernel/kernel_net.c kernel/kernel_net.h \
-kernel/kernel_listener.h
-
-libhydra_la_LIBADD =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__append_1) $(am__append_3) $(am__append_5) \
-	$(am__append_7)
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-DIPSEC_DIR=\"${ipsecdir}\" \
-	-DPLUGINDIR=\"${plugindir}\"
-
-AM_LDFLAGS = \
-  -no-undefined
-
-EXTRA_DIST = Android.mk
-@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_2) $(am__append_4) \
-@MONOLITHIC_FALSE@	$(am__append_6) tests
-
-# build optional plugins
-########################
-@MONOLITHIC_TRUE@SUBDIRS = $(am__append_2) $(am__append_4) \
-@MONOLITHIC_TRUE@	$(am__append_6) . tests
-all: all-recursive
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libhydra/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
-	}
-
-uninstall-ipseclibLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipseclibdir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipseclibdir)/$$f"; \
-	done
-
-clean-ipseclibLTLIBRARIES:
-	-test -z "$(ipseclib_LTLIBRARIES)" || rm -f $(ipseclib_LTLIBRARIES)
-	@list='$(ipseclib_LTLIBRARIES)'; \
-	locs=`for p in $$list; do echo $$p; done | \
-	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
-	      sort -u`; \
-	test -z "$$locs" || { \
-	  echo rm -f $${locs}; \
-	  rm -f $${locs}; \
-	}
-kernel/$(am__dirstamp):
-	@$(MKDIR_P) kernel
-	@: > kernel/$(am__dirstamp)
-kernel/$(DEPDIR)/$(am__dirstamp):
-	@$(MKDIR_P) kernel/$(DEPDIR)
-	@: > kernel/$(DEPDIR)/$(am__dirstamp)
-kernel/kernel_interface.lo: kernel/$(am__dirstamp) \
-	kernel/$(DEPDIR)/$(am__dirstamp)
-kernel/kernel_ipsec.lo: kernel/$(am__dirstamp) \
-	kernel/$(DEPDIR)/$(am__dirstamp)
-kernel/kernel_net.lo: kernel/$(am__dirstamp) \
-	kernel/$(DEPDIR)/$(am__dirstamp)
-
-libhydra.la: $(libhydra_la_OBJECTS) $(libhydra_la_DEPENDENCIES) $(EXTRA_libhydra_la_DEPENDENCIES) 
-	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libhydra_la_OBJECTS) $(libhydra_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-	-rm -f kernel/*.$(OBJEXT)
-	-rm -f kernel/*.lo
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_interface.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_ipsec.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_net.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
-@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-	-rm -rf kernel/.libs kernel/_libs
-
-# This directory's subdirectories are mostly independent; you can cd
-# into them and run 'make' without going through this Makefile.
-# To change the values of 'make' variables: instead of editing Makefiles,
-# (1) if the variable is set in 'config.status', edit 'config.status'
-#     (which will cause the Makefiles to be regenerated when you run 'make');
-# (2) otherwise, pass the desired values on the 'make' command line.
-$(am__recursive_targets):
-	@fail=; \
-	if $(am__make_keepgoing); then \
-	  failcom='fail=yes'; \
-	else \
-	  failcom='exit 1'; \
-	fi; \
-	dot_seen=no; \
-	target=`echo $@ | sed s/-recursive//`; \
-	case "$@" in \
-	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
-	  *) list='$(SUBDIRS)' ;; \
-	esac; \
-	for subdir in $$list; do \
-	  echo "Making $$target in $$subdir"; \
-	  if test "$$subdir" = "."; then \
-	    dot_seen=yes; \
-	    local_target="$$target-am"; \
-	  else \
-	    local_target="$$target"; \
-	  fi; \
-	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	  || eval $$failcom; \
-	done; \
-	if test "$$dot_seen" = "no"; then \
-	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
-	fi; test -z "$$fail"
-
-ID: $(am__tagged_files)
-	$(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-recursive
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	set x; \
-	here=`pwd`; \
-	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
-	  include_option=--etags-include; \
-	  empty_fix=.; \
-	else \
-	  include_option=--include; \
-	  empty_fix=; \
-	fi; \
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    test ! -f $$subdir/TAGS || \
-	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
-	  fi; \
-	done; \
-	$(am__define_uniq_tagged_files); \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: ctags-recursive
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	$(am__define_uniq_tagged_files); \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-recursive
-
-cscopelist-am: $(am__tagged_files)
-	list='$(am__tagged_files)'; \
-	case "$(srcdir)" in \
-	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
-	  *) sdir=$(subdir)/$(srcdir) ;; \
-	esac; \
-	for i in $$list; do \
-	  if test -f "$$i"; then \
-	    echo "$(subdir)/$$i"; \
-	  else \
-	    echo "$$sdir/$$i"; \
-	  fi; \
-	done >> $(top_builddir)/cscope.files
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    $(am__make_dryrun) \
-	      || test -d "$(distdir)/$$subdir" \
-	      || $(MKDIR_P) "$(distdir)/$$subdir" \
-	      || exit 1; \
-	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
-	    $(am__relativize); \
-	    new_distdir=$$reldir; \
-	    dir1=$$subdir; dir2="$(top_distdir)"; \
-	    $(am__relativize); \
-	    new_top_distdir=$$reldir; \
-	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
-	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
-	    ($(am__cd) $$subdir && \
-	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="$$new_top_distdir" \
-	        distdir="$$new_distdir" \
-		am__remove_distdir=: \
-		am__skip_length_check=: \
-		am__skip_mode_fix=: \
-	        distdir) \
-	      || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-recursive
-all-am: Makefile $(LTLIBRARIES)
-installdirs: installdirs-recursive
-installdirs-am:
-	for dir in "$(DESTDIR)$(ipseclibdir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-recursive
-install-exec: install-exec-recursive
-install-data: install-data-recursive
-uninstall: uninstall-recursive
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-recursive
-install-strip:
-	if test -z '$(STRIP)'; then \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	      install; \
-	else \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
-	fi
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-	-rm -f kernel/$(DEPDIR)/$(am__dirstamp)
-	-rm -f kernel/$(am__dirstamp)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-recursive
-
-clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
-	mostlyclean-am
-
-distclean: distclean-recursive
-	-rm -rf ./$(DEPDIR) kernel/$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-recursive
-
-dvi-am:
-
-html: html-recursive
-
-html-am:
-
-info: info-recursive
-
-info-am:
-
-install-data-am: install-ipseclibLTLIBRARIES
-
-install-dvi: install-dvi-recursive
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-recursive
-
-install-html-am:
-
-install-info: install-info-recursive
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-recursive
-
-install-pdf-am:
-
-install-ps: install-ps-recursive
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-recursive
-	-rm -rf ./$(DEPDIR) kernel/$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-recursive
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-recursive
-
-pdf-am:
-
-ps: ps-recursive
-
-ps-am:
-
-uninstall-am: uninstall-ipseclibLTLIBRARIES
-
-.MAKE: $(am__recursive_targets) install-am install-strip
-
-.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
-	check-am clean clean-generic clean-ipseclibLTLIBRARIES \
-	clean-libtool cscopelist-am ctags ctags-am distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am \
-	install-ipseclibLTLIBRARIES install-man install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs installdirs-am \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
-	uninstall-ipseclibLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
deleted file mode 100644
index 47ffb59c6..000000000
--- a/src/libhydra/hydra.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "hydra.h"
-
-#include <utils/debug.h>
-
-typedef struct private_hydra_t private_hydra_t;
-
-/**
- * Private additions to hydra_t.
- */
-struct private_hydra_t {
-
-	/**
-	 * Public members of hydra_t.
-	 */
-	hydra_t public;
-
-	/**
-	 * Integrity check failed?
-	 */
-	bool integrity_failed;
-
-	/**
-	 * Number of times we have been initialized
-	 */
-	refcount_t ref;
-};
-
-/**
- * Single instance of hydra_t.
- */
-hydra_t *hydra = NULL;
-
-/**
- * Described in header.
- */
-void libhydra_deinit()
-{
-	private_hydra_t *this = (private_hydra_t*)hydra;
-
-	if (!this || !ref_put(&this->ref))
-	{	/* have more users */
-		return;
-	}
-
-	this->public.kernel_interface->destroy(this->public.kernel_interface);
-	free(this);
-	hydra = NULL;
-}
-
-/**
- * Described in header.
- */
-bool libhydra_init()
-{
-	private_hydra_t *this;
-
-	if (hydra)
-	{	/* already initialized, increase refcount */
-		this = (private_hydra_t*)hydra;
-		ref_get(&this->ref);
-		return !this->integrity_failed;
-	}
-
-	INIT(this,
-		.ref = 1,
-	);
-	hydra = &this->public;
-
-	this->public.kernel_interface = kernel_interface_create();
-
-	if (lib->integrity &&
-		!lib->integrity->check(lib->integrity, "libhydra", libhydra_init))
-	{
-		DBG1(DBG_LIB, "integrity check of libhydra failed");
-		this->integrity_failed = TRUE;
-	}
-	return !this->integrity_failed;
-}
diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h
deleted file mode 100644
index b23a30584..000000000
--- a/src/libhydra/hydra.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup libhydra libhydra
- *
- * @defgroup hkernel kernel
- * @ingroup libhydra
- *
- * @defgroup hplugins plugins
- * @ingroup libhydra
- *
- * @addtogroup libhydra
- * @{
- */
-
-#ifndef HYDRA_H_
-#define HYDRA_H_
-
-typedef struct hydra_t hydra_t;
-
-#include <kernel/kernel_interface.h>
-
-#include <library.h>
-
-/**
- * IKE Daemon support object.
- */
-struct hydra_t {
-
-	/**
-	 * kernel interface to communicate with kernel
-	 */
-	kernel_interface_t *kernel_interface;
-};
-
-/**
- * The single instance of hydra_t.
- *
- * Set between calls to libhydra_init() and libhydra_deinit() calls.
- */
-extern hydra_t *hydra;
-
-/**
- * Initialize libhydra.
- *
- * libhydra_init() may be called multiple times in a single process, but each
- * caller must call libhydra_deinit() for each call to libhydra_init().
- *
- * @return				FALSE if integrity check failed
- */
-bool libhydra_init();
-
-/**
- * Deinitialize libhydra.
- */
-void libhydra_deinit();
-
-#endif /** HYDRA_H_ @}*/
diff --git a/src/libhydra/tests/Makefile.am b/src/libhydra/tests/Makefile.am
deleted file mode 100644
index 5acd5c28c..000000000
--- a/src/libhydra/tests/Makefile.am
+++ /dev/null
@@ -1,18 +0,0 @@
-TESTS = hydra_tests
-
-check_PROGRAMS = $(TESTS)
-
-hydra_tests_SOURCES = \
-  hydra_tests.h hydra_tests.c
-
-hydra_tests_CFLAGS = \
-  -I$(top_srcdir)/src/libhydra \
-  -I$(top_srcdir)/src/libstrongswan \
-  -I$(top_srcdir)/src/libstrongswan/tests \
-  @COVERAGE_CFLAGS@
-
-hydra_tests_LDFLAGS = @COVERAGE_LDFLAGS@
-hydra_tests_LDADD = \
-  $(top_builddir)/src/libhydra/libhydra.la \
-  $(top_builddir)/src/libstrongswan/libstrongswan.la \
-  $(top_builddir)/src/libstrongswan/tests/libtest.la
diff --git a/src/libhydra/tests/hydra_tests.c b/src/libhydra/tests/hydra_tests.c
deleted file mode 100644
index 0d6387be7..000000000
--- a/src/libhydra/tests/hydra_tests.c
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2014 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <test_runner.h>
-#include <hydra.h>
-
-/* declare test suite constructors */
-#define TEST_SUITE(x) test_suite_t* x();
-#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
-#include "hydra_tests.h"
-#undef TEST_SUITE
-#undef TEST_SUITE_DEPEND
-
-static test_configuration_t tests[] = {
-#define TEST_SUITE(x) \
-	{ .suite = x, },
-#define TEST_SUITE_DEPEND(x, type, ...) \
-	{ .suite = x, .feature = PLUGIN_DEPENDS(type, __VA_ARGS__) },
-#include "hydra_tests.h"
-	{ .suite = NULL, }
-};
-
-static bool test_runner_init(bool init)
-{
-	if (init)
-	{
-		libhydra_init();
-	}
-	else
-	{
-		lib->processor->set_threads(lib->processor, 0);
-		lib->processor->cancel(lib->processor);
-		libhydra_deinit();
-	}
-	return TRUE;
-}
-
-int main(int argc, char *argv[])
-{
-	return test_runner_run("libhydra", tests, test_runner_init);
-}
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index ed2934cfb..200f9590e 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -586,6 +586,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/imc/imc_os_info.c b/src/libimcv/imc/imc_os_info.c
index 0a094eb23..55e152af5 100644
--- a/src/libimcv/imc/imc_os_info.c
+++ b/src/libimcv/imc/imc_os_info.c
@@ -383,6 +383,7 @@ static bool extract_platform_info(os_type_t *type, chunk_t *name,
 	FILE *file;
 	u_char buf[BUF_LEN], *pos = buf;
 	int len = BUF_LEN - 1;
+	long file_len;
 	os_type_t os_type = OS_TYPE_UNKNOWN;
 	chunk_t os_name = chunk_empty;
 	chunk_t os_version = chunk_empty;
@@ -425,15 +426,22 @@ static bool extract_platform_info(os_type_t *type, chunk_t *name,
 
 		/* read release file into buffer */
 		fseek(file, 0, SEEK_END);
-		len = min(ftell(file), len);
+		file_len = ftell(file);
+		if (file_len < 0)
+		{
+			DBG1(DBG_IMC, "failed to determine size of \"%s\"", releases[i]);
+			fclose(file);
+			return FALSE;
+		}
+		len = min(file_len, len);
 		rewind(file);
-		buf[len] = '\0';
 		if (fread(buf, 1, len, file) != len)
 		{
 			DBG1(DBG_IMC, "failed to read file \"%s\"", releases[i]);
 			fclose(file);
 			return FALSE;
 		}
+		buf[len] = '\0';
 		fclose(file);
 
 		DBG1(DBG_IMC, "processing \"%s\" file", releases[i]);
diff --git a/src/libimcv/plugins/imc_attestation/Makefile.in b/src/libimcv/plugins/imc_attestation/Makefile.in
index 8ad56181e..6d9533d21 100644
--- a/src/libimcv/plugins/imc_attestation/Makefile.in
+++ b/src/libimcv/plugins/imc_attestation/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imc_hcd/Makefile.in b/src/libimcv/plugins/imc_hcd/Makefile.in
index da7523c33..0d603c9e7 100644
--- a/src/libimcv/plugins/imc_hcd/Makefile.in
+++ b/src/libimcv/plugins/imc_hcd/Makefile.in
@@ -411,6 +411,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index 3b7538688..d1787da3c 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -411,6 +411,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index 7b696896f..2f03a7c70 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -412,6 +412,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imc_swid/Makefile.in b/src/libimcv/plugins/imc_swid/Makefile.in
index 2847f09b4..981f86401 100644
--- a/src/libimcv/plugins/imc_swid/Makefile.in
+++ b/src/libimcv/plugins/imc_swid/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 2048caa4d..7bf459044 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -411,6 +411,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imv_attestation/Makefile.in b/src/libimcv/plugins/imv_attestation/Makefile.in
index 09a0ab0ce..d3f790091 100644
--- a/src/libimcv/plugins/imv_attestation/Makefile.in
+++ b/src/libimcv/plugins/imv_attestation/Makefile.in
@@ -423,6 +423,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c b/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c
index 28ebd0069..91c12f33b 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c
@@ -603,8 +603,8 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 							if (!comp)
 							{
 								comp_name->log(comp_name, "unregistered ");
-								comp_name->destroy(comp_name);
 							}
+							comp_name->destroy(comp_name);
 						}
 
 						/* do TPM IMA measurements */
@@ -620,8 +620,8 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 							if (!comp)
 							{
 								comp_name->log(comp_name, "unregistered ");
-								comp_name->destroy(comp_name);
 							}
+							comp_name->destroy(comp_name);
 						}
 
 						/* do TPM TRUSTED BOOT measurements */
@@ -637,8 +637,8 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 							if (!comp)
 							{
 								comp_name->log(comp_name, "unregistered ");
-								comp_name->destroy(comp_name);
 							}
+							comp_name->destroy(comp_name);
 						}
 						attestation_state->set_handshake_state(attestation_state,
 											IMV_ATTESTATION_STATE_NONCE_REQ);
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_state.h b/src/libimcv/plugins/imv_attestation/imv_attestation_state.h
index 39a8eee9c..d9bb47c31 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_state.h
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_state.h
@@ -115,7 +115,7 @@ struct imv_attestation_state_t {
 	/**
 	 * Create and add an entry to the list of Functional Components
 	 *
-	 * @param name				Component Functional Name
+	 * @param name				Component Functional Name (cloned)
 	 * @param depth				Sub-component Depth
 	 * @param pts_db			PTS measurement database
 	 * @return					created functional component instance or NULL
diff --git a/src/libimcv/plugins/imv_hcd/Makefile.in b/src/libimcv/plugins/imv_hcd/Makefile.in
index ea017646d..c179a94e4 100644
--- a/src/libimcv/plugins/imv_hcd/Makefile.in
+++ b/src/libimcv/plugins/imv_hcd/Makefile.in
@@ -411,6 +411,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index ec3488992..c6f925aa0 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -419,6 +419,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 08abbf596..0eee4d1e0 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imv_swid/Makefile.in b/src/libimcv/plugins/imv_swid/Makefile.in
index 936bee86e..ce246da57 100644
--- a/src/libimcv/plugins/imv_swid/Makefile.in
+++ b/src/libimcv/plugins/imv_swid/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imv_swid/imv_swid_agent.c b/src/libimcv/plugins/imv_swid/imv_swid_agent.c
index 6d327830f..c057e7ed1 100644
--- a/src/libimcv/plugins/imv_swid/imv_swid_agent.c
+++ b/src/libimcv/plugins/imv_swid/imv_swid_agent.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2015 Andreas Steffen
+ * Copyright (C) 2013-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -213,7 +213,8 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this,
 				if (request_id == swid_state->get_request_id(swid_state))
 				{
 					swid_state->set_swid_inventory(swid_state, inventory);
-					swid_state->set_count(swid_state, tag_id_count, 0);
+					swid_state->set_count(swid_state, tag_id_count, 0,
+										  in_msg->get_src_id(in_msg));
 				}
 				else
 				{
@@ -251,7 +252,8 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this,
 
 				if (request_id == swid_state->get_request_id(swid_state))
 				{
-					swid_state->set_count(swid_state, 0, tag_count);
+					swid_state->set_count(swid_state, 0, tag_count,
+										  in_msg->get_src_id(in_msg));
 
 					if (this->rest_api)
 					{
@@ -387,7 +389,8 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 	}
 
 	/* Create an empty out message - we might need it */
-	out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
+	out_msg = imv_msg_create(this->agent, state, id, imv_id,
+							 swid_state->get_imc_id(swid_state),
 							 msg_types[0]);
 
 	if (!imcv_db)
diff --git a/src/libimcv/plugins/imv_swid/imv_swid_state.c b/src/libimcv/plugins/imv_swid/imv_swid_state.c
index 04364b030..fb9493a83 100644
--- a/src/libimcv/plugins/imv_swid/imv_swid_state.c
+++ b/src/libimcv/plugins/imv_swid/imv_swid_state.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -123,6 +123,11 @@ struct private_imv_swid_state_t {
 	uint32_t missing;
 
 	/**
+	 * SWID IMC ID
+	 */
+	TNC_UInt32 imc_id;
+
+	/**
 	 * Top level JSON object
 	 */
 	json_object *jobj;
@@ -326,10 +331,12 @@ METHOD(imv_swid_state_t, get_missing, uint32_t,
 }
 
 METHOD(imv_swid_state_t, set_count, void,
-	private_imv_swid_state_t *this, int tag_id_count, int tag_count)
+	private_imv_swid_state_t *this, int tag_id_count, int tag_count,
+	TNC_UInt32 imc_id)
 {
 	this->tag_id_count += tag_id_count;
 	this->tag_count += tag_count;
+	this->imc_id = imc_id;
 }
 
 METHOD(imv_swid_state_t, get_count, void,
@@ -345,6 +352,12 @@ METHOD(imv_swid_state_t, get_count, void,
 	}
 }
 
+METHOD(imv_swid_state_t, get_imc_id, TNC_UInt32,
+	private_imv_swid_state_t *this)
+{
+	return this->imc_id;
+}
+
 /**
  * Described in header.
  */
@@ -384,12 +397,14 @@ imv_state_t *imv_swid_state_create(TNC_ConnectionID connection_id)
 			.get_missing = _get_missing,
 			.set_count = _set_count,
 			.get_count = _get_count,
+			.get_imc_id = _get_imc_id,
 		},
 		.state = TNC_CONNECTION_STATE_CREATE,
 		.rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
 		.eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
 		.connection_id = connection_id,
 		.contracts = seg_contract_manager_create(),
+		.imc_id = TNC_IMCID_ANY,
 		.jobj = json_object_new_object(),
 		.jarray = json_object_new_array(),
 	);
diff --git a/src/libimcv/plugins/imv_swid/imv_swid_state.h b/src/libimcv/plugins/imv_swid/imv_swid_state.h
index af5d95c9d..5fe99ecdc 100644
--- a/src/libimcv/plugins/imv_swid/imv_swid_state.h
+++ b/src/libimcv/plugins/imv_swid/imv_swid_state.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -81,19 +81,19 @@ struct imv_swid_state_t {
 	 */
 	uint32_t (*get_request_id)(imv_swid_state_t *this);
 
-    /**
-     * Set or extend the SWID Tag ID inventory in the state
-     *
-     * @param inventory			SWID Tags ID inventory to be added
-     */
-    void (*set_swid_inventory)(imv_swid_state_t *this, swid_inventory_t *inventory);
+	/**
+	 * Set or extend the SWID Tag ID inventory in the state
+	 *
+	 * @param inventory			SWID Tags ID inventory to be added
+	 */
+	void (*set_swid_inventory)(imv_swid_state_t *this, swid_inventory_t *inventory);
 
-   /**
-     * Get the encoding of the complete SWID Tag ID inventory
-     *
-     * @return			       SWID Tags ID inventory as a JSON array
-     */
-    json_object* (*get_swid_inventory)(imv_swid_state_t *this);
+	/**
+	 * Get the encoding of the complete SWID Tag ID inventory
+	 *
+	 * @return			       SWID Tags ID inventory as a JSON array
+	 */
+	json_object* (*get_swid_inventory)(imv_swid_state_t *this);
 
 	/**
 	 * Set the number of still missing SWID Tags or Tag IDs
@@ -114,8 +114,10 @@ struct imv_swid_state_t {
 	 *
 	 * @param tag_id_count		Number of received SWID Tag IDs
 	 * @param tag_count			Number of received SWID Tags
+	 * @param imc_id			SWID IMC ID
 	 */
-	void (*set_count)(imv_swid_state_t *this, int tag_id_count, int tag_count);
+	void (*set_count)(imv_swid_state_t *this, int tag_id_count, int tag_count,
+					  TNC_UInt32 imc_id);
 
 	/**
 	 * Set [or with multiple attributes increment] SWID Tag [ID] counters
@@ -124,6 +126,13 @@ struct imv_swid_state_t {
 	 * @param tag_count			Number of received SWID Tags
 	 */
 	void (*get_count)(imv_swid_state_t *this, int *tag_id_count, int *tag_count);
+
+	/**
+	 * Get SWID IMC ID
+	 *
+	 * @return					SWID IMC ID
+	 */
+	TNC_UInt32 (*get_imc_id)(imv_swid_state_t *this);
 };
 
 /**
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index 8e0e22353..19cef2073 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -412,6 +412,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/pts/components/pts_component_manager.h b/src/libimcv/pts/components/pts_component_manager.h
index 61055ec74..00f8765ca 100644
--- a/src/libimcv/pts/components/pts_component_manager.h
+++ b/src/libimcv/pts/components/pts_component_manager.h
@@ -45,7 +45,7 @@ struct pts_component_manager_t {
 	 * @param comp_func_names		Vendor-specific Component Functional names
 	 * @param qualifier_type_size	Vendor-specific Qualifier Type size
 	 * @param qualifier_flag_names	Vendor-specific Qualifier Flag names
-	 * @param qualifier_type_names	Vendor-specific Qualifier Type names 
+	 * @param qualifier_type_names	Vendor-specific Qualifier Type names
 	 */
 	void (*add_vendor)(pts_component_manager_t *this, pen_t vendor_id,
 					   enum_name_t *comp_func_names,
@@ -106,7 +106,7 @@ struct pts_component_manager_t {
 	 * @param pts_db				PTS measurement database
 	 * @return						Component object if supported, NULL else
 	 */
-	pts_component_t* (*create)(pts_component_manager_t *this, 
+	pts_component_t* (*create)(pts_component_manager_t *this,
 							   pts_comp_func_name_t *name, u_int32_t depth,
 							   pts_database_t *pts_db);
 
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index aa793441b..a08d8c51f 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -453,6 +453,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libipsec/ipsec_policy_mgr.c b/src/libipsec/ipsec_policy_mgr.c
index e2eaba014..3f312ffd2 100644
--- a/src/libipsec/ipsec_policy_mgr.c
+++ b/src/libipsec/ipsec_policy_mgr.c
@@ -175,15 +175,16 @@ METHOD(ipsec_policy_mgr_t, add_policy, status_t,
 }
 
 METHOD(ipsec_policy_mgr_t, del_policy, status_t,
-	private_ipsec_policy_mgr_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
-	mark_t mark, policy_priority_t policy_priority)
+	private_ipsec_policy_mgr_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
+	policy_priority_t policy_priority)
 {
 	enumerator_t *enumerator;
 	ipsec_policy_entry_t *current, *found = NULL;
 	u_int32_t priority;
 
-	if (direction == POLICY_FWD)
+	if (type != POLICY_IPSEC || direction == POLICY_FWD)
 	{	/* we ignore these policies as we currently have no use for them */
 		return SUCCESS;
 	}
@@ -198,7 +199,7 @@ METHOD(ipsec_policy_mgr_t, del_policy, status_t,
 	{
 		if (current->priority == priority &&
 			current->policy->match(current->policy, src_ts, dst_ts, direction,
-								   reqid, mark, policy_priority))
+								   sa->reqid, mark, policy_priority))
 		{
 			this->policies->remove_at(this->policies, enumerator);
 			found = current;
diff --git a/src/libipsec/ipsec_policy_mgr.h b/src/libipsec/ipsec_policy_mgr.h
index 30406bdb7..0ea797e7a 100644
--- a/src/libipsec/ipsec_policy_mgr.h
+++ b/src/libipsec/ipsec_policy_mgr.h
@@ -71,18 +71,21 @@ struct ipsec_policy_mgr_t {
 	/**
 	 * Remove a policy
 	 *
+	 * @param src			source address of SA
+	 * @param dst			dest address of SA
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
-	 * @param reqid			unique ID of the associated SA
+	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
+	 * @param sa			details about the SA(s) tied to this policy
 	 * @param mark			optional mark
 	 * @param priority		priority of the policy
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_policy)(ipsec_policy_mgr_t *this,
-						   traffic_selector_t *src_ts,
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, u_int32_t reqid, mark_t mark,
+						   host_t *src, host_t *dst, traffic_selector_t *src_ts,
+						   traffic_selector_t *dst_ts, policy_dir_t direction,
+						   policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
 						   policy_priority_t priority);
 
 	/**
diff --git a/src/libipsec/tests/Makefile.in b/src/libipsec/tests/Makefile.in
index 9a9bb3142..ebf6e7e93 100644
--- a/src/libipsec/tests/Makefile.in
+++ b/src/libipsec/tests/Makefile.in
@@ -409,6 +409,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index 96d1ae4aa..c4eb8b4a9 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index 9bca3bd29..9b03099da 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -409,6 +409,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libsimaka/Makefile.am b/src/libsimaka/Makefile.am
index 9997ece08..dd31689c6 100644
--- a/src/libsimaka/Makefile.am
+++ b/src/libsimaka/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_LDFLAGS = \
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index 637137cb0..e813eb085 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -412,6 +412,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -427,7 +429,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_LDFLAGS = \
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index db3da8e15..da5f34e87 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -21,7 +21,8 @@ credentials/credential_factory.c credentials/builder.c \
 credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
-credentials/certificates/ocsp_response.c \
+credentials/certificates/ocsp_response.c credentials/certificates/x509.c \
+credentials/certificates/certificate_printer.c \
 credentials/containers/container.c credentials/containers/pkcs12.c \
 credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index ed3b85dd4..0bac61b44 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -19,7 +19,8 @@ credentials/credential_factory.c credentials/builder.c \
 credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
-credentials/certificates/ocsp_response.c \
+credentials/certificates/ocsp_response.c credentials/certificates/x509.c \
+credentials/certificates/certificate_printer.c \
 credentials/containers/container.c credentials/containers/pkcs12.c \
 credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
@@ -83,6 +84,7 @@ credentials/certificates/ac.h credentials/certificates/crl.h \
 credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
 credentials/certificates/ocsp_response.h \
 credentials/certificates/pgp_certificate.h \
+credentials/certificates/certificate_printer.h \
 credentials/containers/container.h credentials/containers/pkcs7.h \
 credentials/containers/pkcs12.h \
 credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 284960f5c..d88c96f03 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -322,6 +322,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	credentials/certificates/certificate.c \
 	credentials/certificates/crl.c \
 	credentials/certificates/ocsp_response.c \
+	credentials/certificates/x509.c \
+	credentials/certificates/certificate_printer.c \
 	credentials/containers/container.c \
 	credentials/containers/pkcs12.c \
 	credentials/credential_manager.c \
@@ -407,6 +409,8 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
 	credentials/certificates/certificate.lo \
 	credentials/certificates/crl.lo \
 	credentials/certificates/ocsp_response.lo \
+	credentials/certificates/x509.lo \
+	credentials/certificates/certificate_printer.lo \
 	credentials/containers/container.lo \
 	credentials/containers/pkcs12.lo \
 	credentials/credential_manager.lo \
@@ -539,6 +543,7 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	credentials/certificates/ocsp_request.h \
 	credentials/certificates/ocsp_response.h \
 	credentials/certificates/pgp_certificate.h \
+	credentials/certificates/certificate_printer.h \
 	credentials/containers/container.h \
 	credentials/containers/pkcs7.h credentials/containers/pkcs12.h \
 	credentials/credential_manager.h \
@@ -865,6 +870,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -900,6 +907,8 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 	credentials/certificates/certificate.c \
 	credentials/certificates/crl.c \
 	credentials/certificates/ocsp_response.c \
+	credentials/certificates/x509.c \
+	credentials/certificates/certificate_printer.c \
 	credentials/containers/container.c \
 	credentials/containers/pkcs12.c \
 	credentials/credential_manager.c \
@@ -961,6 +970,7 @@ settings/settings_types.h
 @USE_DEV_HEADERS_TRUE@credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
 @USE_DEV_HEADERS_TRUE@credentials/certificates/ocsp_response.h \
 @USE_DEV_HEADERS_TRUE@credentials/certificates/pgp_certificate.h \
+@USE_DEV_HEADERS_TRUE@credentials/certificates/certificate_printer.h \
 @USE_DEV_HEADERS_TRUE@credentials/containers/container.h credentials/containers/pkcs7.h \
 @USE_DEV_HEADERS_TRUE@credentials/containers/pkcs12.h \
 @USE_DEV_HEADERS_TRUE@credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
@@ -1341,6 +1351,12 @@ credentials/certificates/crl.lo:  \
 credentials/certificates/ocsp_response.lo:  \
 	credentials/certificates/$(am__dirstamp) \
 	credentials/certificates/$(DEPDIR)/$(am__dirstamp)
+credentials/certificates/x509.lo:  \
+	credentials/certificates/$(am__dirstamp) \
+	credentials/certificates/$(DEPDIR)/$(am__dirstamp)
+credentials/certificates/certificate_printer.lo:  \
+	credentials/certificates/$(am__dirstamp) \
+	credentials/certificates/$(DEPDIR)/$(am__dirstamp)
 credentials/containers/$(am__dirstamp):
 	@$(MKDIR_P) credentials/containers
 	@: > credentials/containers/$(am__dirstamp)
@@ -1735,8 +1751,10 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/$(DEPDIR)/credential_factory.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/$(DEPDIR)/credential_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/certificate.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/certificate_printer.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/crl.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/ocsp_response.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/x509.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/containers/$(DEPDIR)/container.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/containers/$(DEPDIR)/pkcs12.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/private_key.Plo@am__quote@
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 7a48292af..8ac005610 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -26,6 +26,7 @@
 #include <stdarg.h>
 
 #include <library.h>
+#include <asn1/asn1.h>
 
 /**
  * Definition of some primitive ASN1 types
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index a088b0527..ed953d482 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -28,8 +28,8 @@ const oid_t oid_names[] = {
  {                0x01,         0, 1,  8, "pilotAttributeType"             }, /*  15 */
  {                  0x01,      17, 0,  9, "UID"                            }, /*  16 */
  {                  0x19,       0, 0,  9, "DC"                             }, /*  17 */
- {0x55,                        65, 1,  0, "X.500"                          }, /*  18 */
- {  0x04,                      37, 1,  1, "X.509"                          }, /*  19 */
+ {0x55,                        66, 1,  0, "X.500"                          }, /*  18 */
+ {  0x04,                      38, 1,  1, "X.509"                          }, /*  19 */
  {    0x03,                    21, 0,  2, "CN"                             }, /*  20 */
  {    0x04,                    22, 0,  2, "S"                              }, /*  21 */
  {    0x05,                    23, 0,  2, "SN"                             }, /*  22 */
@@ -46,446 +46,447 @@ const oid_t oid_names[] = {
  {    0x2B,                    34, 0,  2, "I"                              }, /*  33 */
  {    0x2D,                    35, 0,  2, "ID"                             }, /*  34 */
  {    0x2E,                    36, 0,  2, "dnQualifier"                    }, /*  35 */
- {    0x48,                     0, 0,  2, "role"                           }, /*  36 */
- {  0x1D,                       0, 1,  1, "id-ce"                          }, /*  37 */
- {    0x09,                    39, 0,  2, "subjectDirectoryAttrs"          }, /*  38 */
- {    0x0E,                    40, 0,  2, "subjectKeyIdentifier"           }, /*  39 */
- {    0x0F,                    41, 0,  2, "keyUsage"                       }, /*  40 */
- {    0x10,                    42, 0,  2, "privateKeyUsagePeriod"          }, /*  41 */
- {    0x11,                    43, 0,  2, "subjectAltName"                 }, /*  42 */
- {    0x12,                    44, 0,  2, "issuerAltName"                  }, /*  43 */
- {    0x13,                    45, 0,  2, "basicConstraints"               }, /*  44 */
- {    0x14,                    46, 0,  2, "crlNumber"                      }, /*  45 */
- {    0x15,                    47, 0,  2, "reasonCode"                     }, /*  46 */
- {    0x17,                    48, 0,  2, "holdInstructionCode"            }, /*  47 */
- {    0x18,                    49, 0,  2, "invalidityDate"                 }, /*  48 */
- {    0x1B,                    50, 0,  2, "deltaCrlIndicator"              }, /*  49 */
- {    0x1C,                    51, 0,  2, "issuingDistributionPoint"       }, /*  50 */
- {    0x1D,                    52, 0,  2, "certificateIssuer"              }, /*  51 */
- {    0x1E,                    53, 0,  2, "nameConstraints"                }, /*  52 */
- {    0x1F,                    54, 0,  2, "crlDistributionPoints"          }, /*  53 */
- {    0x20,                    56, 1,  2, "certificatePolicies"            }, /*  54 */
- {      0x00,                   0, 0,  3, "anyPolicy"                      }, /*  55 */
- {    0x21,                    57, 0,  2, "policyMappings"                 }, /*  56 */
- {    0x23,                    58, 0,  2, "authorityKeyIdentifier"         }, /*  57 */
- {    0x24,                    59, 0,  2, "policyConstraints"              }, /*  58 */
- {    0x25,                    61, 1,  2, "extendedKeyUsage"               }, /*  59 */
- {      0x00,                   0, 0,  3, "anyExtendedKeyUsage"            }, /*  60 */
- {    0x2E,                    62, 0,  2, "freshestCRL"                    }, /*  61 */
- {    0x36,                    63, 0,  2, "inhibitAnyPolicy"               }, /*  62 */
- {    0x37,                    64, 0,  2, "targetInformation"              }, /*  63 */
- {    0x38,                     0, 0,  2, "noRevAvail"                     }, /*  64 */
- {0x2A,                       189, 1,  0, ""                               }, /*  65 */
- {  0x83,                      78, 1,  1, ""                               }, /*  66 */
- {    0x08,                     0, 1,  2, "jp"                             }, /*  67 */
- {      0x8C,                   0, 1,  3, ""                               }, /*  68 */
- {        0x9A,                 0, 1,  4, ""                               }, /*  69 */
- {          0x4B,               0, 1,  5, ""                               }, /*  70 */
- {            0x3D,             0, 1,  6, ""                               }, /*  71 */
- {              0x01,           0, 1,  7, "security"                       }, /*  72 */
- {                0x01,         0, 1,  8, "algorithm"                      }, /*  73 */
- {                  0x01,       0, 1,  9, "symm-encryption-alg"            }, /*  74 */
- {                    0x02,    76, 0, 10, "camellia128-cbc"                }, /*  75 */
- {                    0x03,    77, 0, 10, "camellia192-cbc"                }, /*  76 */
- {                    0x04,     0, 0, 10, "camellia256-cbc"                }, /*  77 */
- {  0x86,                       0, 1,  1, ""                               }, /*  78 */
- {    0x48,                     0, 1,  2, "us"                             }, /*  79 */
- {      0x86,                 148, 1,  3, ""                               }, /*  80 */
- {        0xF6,                86, 1,  4, ""                               }, /*  81 */
- {          0x7D,               0, 1,  5, "NortelNetworks"                 }, /*  82 */
- {            0x07,             0, 1,  6, "Entrust"                        }, /*  83 */
- {              0x41,           0, 1,  7, "nsn-ce"                         }, /*  84 */
- {                0x00,         0, 0,  8, "entrustVersInfo"                }, /*  85 */
- {        0xF7,                 0, 1,  4, ""                               }, /*  86 */
- {          0x0D,               0, 1,  5, "RSADSI"                         }, /*  87 */
- {            0x01,           143, 1,  6, "PKCS"                           }, /*  88 */
- {              0x01,         101, 1,  7, "PKCS-1"                         }, /*  89 */
- {                0x01,        91, 0,  8, "rsaEncryption"                  }, /*  90 */
- {                0x02,        92, 0,  8, "md2WithRSAEncryption"           }, /*  91 */
- {                0x04,        93, 0,  8, "md5WithRSAEncryption"           }, /*  92 */
- {                0x05,        94, 0,  8, "sha-1WithRSAEncryption"         }, /*  93 */
- {                0x07,        95, 0,  8, "id-RSAES-OAEP"                  }, /*  94 */
- {                0x08,        96, 0,  8, "id-mgf1"                        }, /*  95 */
- {                0x09,        97, 0,  8, "id-pSpecified"                  }, /*  96 */
- {                0x0B,        98, 0,  8, "sha256WithRSAEncryption"        }, /*  97 */
- {                0x0C,        99, 0,  8, "sha384WithRSAEncryption"        }, /*  98 */
- {                0x0D,       100, 0,  8, "sha512WithRSAEncryption"        }, /*  99 */
- {                0x0E,         0, 0,  8, "sha224WithRSAEncryption"        }, /* 100 */
- {              0x05,         106, 1,  7, "PKCS-5"                         }, /* 101 */
- {                0x03,       103, 0,  8, "pbeWithMD5AndDES-CBC"           }, /* 102 */
- {                0x0A,       104, 0,  8, "pbeWithSHA1AndDES-CBC"          }, /* 103 */
- {                0x0C,       105, 0,  8, "id-PBKDF2"                      }, /* 104 */
- {                0x0D,         0, 0,  8, "id-PBES2"                       }, /* 105 */
- {              0x07,         113, 1,  7, "PKCS-7"                         }, /* 106 */
- {                0x01,       108, 0,  8, "data"                           }, /* 107 */
- {                0x02,       109, 0,  8, "signedData"                     }, /* 108 */
- {                0x03,       110, 0,  8, "envelopedData"                  }, /* 109 */
- {                0x04,       111, 0,  8, "signedAndEnvelopedData"         }, /* 110 */
- {                0x05,       112, 0,  8, "digestedData"                   }, /* 111 */
- {                0x06,         0, 0,  8, "encryptedData"                  }, /* 112 */
- {              0x09,         127, 1,  7, "PKCS-9"                         }, /* 113 */
- {                0x01,       115, 0,  8, "E"                              }, /* 114 */
- {                0x02,       116, 0,  8, "unstructuredName"               }, /* 115 */
- {                0x03,       117, 0,  8, "contentType"                    }, /* 116 */
- {                0x04,       118, 0,  8, "messageDigest"                  }, /* 117 */
- {                0x05,       119, 0,  8, "signingTime"                    }, /* 118 */
- {                0x06,       120, 0,  8, "counterSignature"               }, /* 119 */
- {                0x07,       121, 0,  8, "challengePassword"              }, /* 120 */
- {                0x08,       122, 0,  8, "unstructuredAddress"            }, /* 121 */
- {                0x0E,       123, 0,  8, "extensionRequest"               }, /* 122 */
- {                0x0F,       124, 0,  8, "S/MIME Capabilities"            }, /* 123 */
- {                0x16,         0, 1,  8, "certTypes"                      }, /* 124 */
- {                  0x01,     126, 0,  9, "X.509"                          }, /* 125 */
- {                  0x02,       0, 0,  9, "SDSI"                           }, /* 126 */
- {              0x0c,           0, 1,  7, "PKCS-12"                        }, /* 127 */
- {                0x01,       135, 1,  8, "pbeIds"                         }, /* 128 */
- {                  0x01,     130, 0,  9, "pbeWithSHAAnd128BitRC4"         }, /* 129 */
- {                  0x02,     131, 0,  9, "pbeWithSHAAnd40BitRC4"          }, /* 130 */
- {                  0x03,     132, 0,  9, "pbeWithSHAAnd3-KeyTripleDES-CBC"}, /* 131 */
- {                  0x04,     133, 0,  9, "pbeWithSHAAnd2-KeyTripleDES-CBC"}, /* 132 */
- {                  0x05,     134, 0,  9, "pbeWithSHAAnd128BitRC2-CBC"     }, /* 133 */
- {                  0x06,       0, 0,  9, "pbeWithSHAAnd40BitRC2-CBC"      }, /* 134 */
- {                0x0a,         0, 1,  8, "PKCS-12v1"                      }, /* 135 */
- {                  0x01,       0, 1,  9, "bagIds"                         }, /* 136 */
- {                    0x01,   138, 0, 10, "keyBag"                         }, /* 137 */
- {                    0x02,   139, 0, 10, "pkcs8ShroudedKeyBag"            }, /* 138 */
- {                    0x03,   140, 0, 10, "certBag"                        }, /* 139 */
- {                    0x04,   141, 0, 10, "crlBag"                         }, /* 140 */
- {                    0x05,   142, 0, 10, "secretBag"                      }, /* 141 */
- {                    0x06,     0, 0, 10, "safeContentsBag"                }, /* 142 */
- {            0x02,           146, 1,  6, "digestAlgorithm"                }, /* 143 */
- {              0x02,         145, 0,  7, "md2"                            }, /* 144 */
- {              0x05,           0, 0,  7, "md5"                            }, /* 145 */
- {            0x03,             0, 1,  6, "encryptionAlgorithm"            }, /* 146 */
- {              0x07,           0, 0,  7, "3des-ede-cbc"                   }, /* 147 */
- {      0xCE,                   0, 1,  3, ""                               }, /* 148 */
- {        0x3D,                 0, 1,  4, "ansi-X9-62"                     }, /* 149 */
- {          0x02,             152, 1,  5, "id-publicKeyType"               }, /* 150 */
- {            0x01,             0, 0,  6, "id-ecPublicKey"                 }, /* 151 */
- {          0x03,             182, 1,  5, "ellipticCurve"                  }, /* 152 */
- {            0x00,           174, 1,  6, "c-TwoCurve"                     }, /* 153 */
- {              0x01,         155, 0,  7, "c2pnb163v1"                     }, /* 154 */
- {              0x02,         156, 0,  7, "c2pnb163v2"                     }, /* 155 */
- {              0x03,         157, 0,  7, "c2pnb163v3"                     }, /* 156 */
- {              0x04,         158, 0,  7, "c2pnb176w1"                     }, /* 157 */
- {              0x05,         159, 0,  7, "c2tnb191v1"                     }, /* 158 */
- {              0x06,         160, 0,  7, "c2tnb191v2"                     }, /* 159 */
- {              0x07,         161, 0,  7, "c2tnb191v3"                     }, /* 160 */
- {              0x08,         162, 0,  7, "c2onb191v4"                     }, /* 161 */
- {              0x09,         163, 0,  7, "c2onb191v5"                     }, /* 162 */
- {              0x0A,         164, 0,  7, "c2pnb208w1"                     }, /* 163 */
- {              0x0B,         165, 0,  7, "c2tnb239v1"                     }, /* 164 */
- {              0x0C,         166, 0,  7, "c2tnb239v2"                     }, /* 165 */
- {              0x0D,         167, 0,  7, "c2tnb239v3"                     }, /* 166 */
- {              0x0E,         168, 0,  7, "c2onb239v4"                     }, /* 167 */
- {              0x0F,         169, 0,  7, "c2onb239v5"                     }, /* 168 */
- {              0x10,         170, 0,  7, "c2pnb272w1"                     }, /* 169 */
- {              0x11,         171, 0,  7, "c2pnb304w1"                     }, /* 170 */
- {              0x12,         172, 0,  7, "c2tnb359v1"                     }, /* 171 */
- {              0x13,         173, 0,  7, "c2pnb368w1"                     }, /* 172 */
- {              0x14,           0, 0,  7, "c2tnb431r1"                     }, /* 173 */
- {            0x01,             0, 1,  6, "primeCurve"                     }, /* 174 */
- {              0x01,         176, 0,  7, "prime192v1"                     }, /* 175 */
- {              0x02,         177, 0,  7, "prime192v2"                     }, /* 176 */
- {              0x03,         178, 0,  7, "prime192v3"                     }, /* 177 */
- {              0x04,         179, 0,  7, "prime239v1"                     }, /* 178 */
- {              0x05,         180, 0,  7, "prime239v2"                     }, /* 179 */
- {              0x06,         181, 0,  7, "prime239v3"                     }, /* 180 */
- {              0x07,           0, 0,  7, "prime256v1"                     }, /* 181 */
- {          0x04,               0, 1,  5, "id-ecSigType"                   }, /* 182 */
- {            0x01,           184, 0,  6, "ecdsa-with-SHA1"                }, /* 183 */
- {            0x03,             0, 1,  6, "ecdsa-with-Specified"           }, /* 184 */
- {              0x01,         186, 0,  7, "ecdsa-with-SHA224"              }, /* 185 */
- {              0x02,         187, 0,  7, "ecdsa-with-SHA256"              }, /* 186 */
- {              0x03,         188, 0,  7, "ecdsa-with-SHA384"              }, /* 187 */
- {              0x04,           0, 0,  7, "ecdsa-with-SHA512"              }, /* 188 */
- {0x2B,                       416, 1,  0, ""                               }, /* 189 */
- {  0x06,                     330, 1,  1, "dod"                            }, /* 190 */
- {    0x01,                     0, 1,  2, "internet"                       }, /* 191 */
- {      0x04,                 281, 1,  3, "private"                        }, /* 192 */
- {        0x01,                 0, 1,  4, "enterprise"                     }, /* 193 */
- {          0x82,             231, 1,  5, ""                               }, /* 194 */
- {            0x37,           207, 1,  6, "Microsoft"                      }, /* 195 */
- {              0x0A,         200, 1,  7, ""                               }, /* 196 */
- {                0x03,         0, 1,  8, ""                               }, /* 197 */
- {                  0x03,     199, 0,  9, "msSGC"                          }, /* 198 */
- {                  0x04,       0, 0,  9, "msEncryptingFileSystem"         }, /* 199 */
- {              0x14,         204, 1,  7, "msEnrollmentInfrastructure"     }, /* 200 */
- {                0x02,         0, 1,  8, "msCertificateTypeExtension"     }, /* 201 */
- {                  0x02,     203, 0,  9, "msSmartcardLogon"               }, /* 202 */
- {                  0x03,       0, 0,  9, "msUPN"                          }, /* 203 */
- {              0x15,           0, 1,  7, "msCertSrvInfrastructure"        }, /* 204 */
- {                0x07,       206, 0,  8, "msCertTemplate"                 }, /* 205 */
- {                0x0A,         0, 0,  8, "msApplicationCertPolicies"      }, /* 206 */
- {            0xA0,             0, 1,  6, ""                               }, /* 207 */
- {              0x2A,           0, 1,  7, "ITA"                            }, /* 208 */
- {                0x01,       210, 0,  8, "strongSwan"                     }, /* 209 */
- {                0x02,       211, 0,  8, "cps"                            }, /* 210 */
- {                0x03,       212, 0,  8, "e-voting"                       }, /* 211 */
- {                0x05,         0, 1,  8, "BLISS"                          }, /* 212 */
- {                  0x01,     215, 1,  9, "keyType"                        }, /* 213 */
- {                    0x01,     0, 0, 10, "blissPublicKey"                 }, /* 214 */
- {                  0x02,     224, 1,  9, "parameters"                     }, /* 215 */
- {                    0x01,   217, 0, 10, "BLISS-I"                        }, /* 216 */
- {                    0x02,   218, 0, 10, "BLISS-II"                       }, /* 217 */
- {                    0x03,   219, 0, 10, "BLISS-III"                      }, /* 218 */
- {                    0x04,   220, 0, 10, "BLISS-IV"                       }, /* 219 */
- {                    0x05,   221, 0, 10, "BLISS-B-I"                      }, /* 220 */
- {                    0x06,   222, 0, 10, "BLISS-B-II"                     }, /* 221 */
- {                    0x07,   223, 0, 10, "BLISS-B-III"                    }, /* 222 */
- {                    0x08,     0, 0, 10, "BLISS-B-IV"                     }, /* 223 */
- {                  0x03,       0, 1,  9, "blissSigType"                   }, /* 224 */
- {                    0x01,   226, 0, 10, "BLISS-with-SHA2-512"            }, /* 225 */
- {                    0x02,   227, 0, 10, "BLISS-with-SHA2-384"            }, /* 226 */
- {                    0x03,   228, 0, 10, "BLISS-with-SHA2-256"            }, /* 227 */
- {                    0x04,   229, 0, 10, "BLISS-with-SHA3-512"            }, /* 228 */
- {                    0x05,   230, 0, 10, "BLISS-with-SHA3-384"            }, /* 229 */
- {                    0x06,     0, 0, 10, "BLISS-with-SHA3-256"            }, /* 230 */
- {          0x89,             238, 1,  5, ""                               }, /* 231 */
- {            0x31,             0, 1,  6, ""                               }, /* 232 */
- {              0x01,           0, 1,  7, ""                               }, /* 233 */
- {                0x01,         0, 1,  8, ""                               }, /* 234 */
- {                  0x02,       0, 1,  9, ""                               }, /* 235 */
- {                    0x02,     0, 1, 10, ""                               }, /* 236 */
- {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 237 */
- {          0x97,             242, 1,  5, ""                               }, /* 238 */
- {            0x55,             0, 1,  6, ""                               }, /* 239 */
- {              0x01,           0, 1,  7, ""                               }, /* 240 */
- {                0x02,         0, 0,  8, "blowfish-cbc"                   }, /* 241 */
- {          0xC1,               0, 1,  5, ""                               }, /* 242 */
- {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 243 */
- {              0x01,           0, 1,  7, "eess"                           }, /* 244 */
- {                0x01,         0, 1,  8, "eess1"                          }, /* 245 */
- {                  0x01,     250, 1,  9, "eess1-algs"                     }, /* 246 */
- {                    0x01,   248, 0, 10, "ntru-EESS1v1-SVES"              }, /* 247 */
- {                    0x02,   249, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 248 */
- {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 249 */
- {                  0x02,     280, 1,  9, "eess1-params"                   }, /* 250 */
- {                    0x01,   252, 0, 10, "ees251ep1"                      }, /* 251 */
- {                    0x02,   253, 0, 10, "ees347ep1"                      }, /* 252 */
- {                    0x03,   254, 0, 10, "ees503ep1"                      }, /* 253 */
- {                    0x07,   255, 0, 10, "ees251sp2"                      }, /* 254 */
- {                    0x0C,   256, 0, 10, "ees251ep4"                      }, /* 255 */
- {                    0x0D,   257, 0, 10, "ees251ep5"                      }, /* 256 */
- {                    0x0E,   258, 0, 10, "ees251sp3"                      }, /* 257 */
- {                    0x0F,   259, 0, 10, "ees251sp4"                      }, /* 258 */
- {                    0x10,   260, 0, 10, "ees251sp5"                      }, /* 259 */
- {                    0x11,   261, 0, 10, "ees251sp6"                      }, /* 260 */
- {                    0x12,   262, 0, 10, "ees251sp7"                      }, /* 261 */
- {                    0x13,   263, 0, 10, "ees251sp8"                      }, /* 262 */
- {                    0x14,   264, 0, 10, "ees251sp9"                      }, /* 263 */
- {                    0x22,   265, 0, 10, "ees401ep1"                      }, /* 264 */
- {                    0x23,   266, 0, 10, "ees449ep1"                      }, /* 265 */
- {                    0x24,   267, 0, 10, "ees677ep1"                      }, /* 266 */
- {                    0x25,   268, 0, 10, "ees1087ep2"                     }, /* 267 */
- {                    0x26,   269, 0, 10, "ees541ep1"                      }, /* 268 */
- {                    0x27,   270, 0, 10, "ees613ep1"                      }, /* 269 */
- {                    0x28,   271, 0, 10, "ees887ep1"                      }, /* 270 */
- {                    0x29,   272, 0, 10, "ees1171ep1"                     }, /* 271 */
- {                    0x2A,   273, 0, 10, "ees659ep1"                      }, /* 272 */
- {                    0x2B,   274, 0, 10, "ees761ep1"                      }, /* 273 */
- {                    0x2C,   275, 0, 10, "ees1087ep1"                     }, /* 274 */
- {                    0x2D,   276, 0, 10, "ees1499ep1"                     }, /* 275 */
- {                    0x2E,   277, 0, 10, "ees401ep2"                      }, /* 276 */
- {                    0x2F,   278, 0, 10, "ees439ep1"                      }, /* 277 */
- {                    0x30,   279, 0, 10, "ees593ep1"                      }, /* 278 */
- {                    0x31,     0, 0, 10, "ees743ep1"                      }, /* 279 */
- {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 280 */
- {      0x05,                   0, 1,  3, "security"                       }, /* 281 */
- {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 282 */
- {          0x07,             327, 1,  5, "id-pkix"                        }, /* 283 */
- {            0x01,           288, 1,  6, "id-pe"                          }, /* 284 */
- {              0x01,         286, 0,  7, "authorityInfoAccess"            }, /* 285 */
- {              0x03,         287, 0,  7, "qcStatements"                   }, /* 286 */
- {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 287 */
- {            0x02,           291, 1,  6, "id-qt"                          }, /* 288 */
- {              0x01,         290, 0,  7, "cps"                            }, /* 289 */
- {              0x02,           0, 0,  7, "unotice"                        }, /* 290 */
- {            0x03,           301, 1,  6, "id-kp"                          }, /* 291 */
- {              0x01,         293, 0,  7, "serverAuth"                     }, /* 292 */
- {              0x02,         294, 0,  7, "clientAuth"                     }, /* 293 */
- {              0x03,         295, 0,  7, "codeSigning"                    }, /* 294 */
- {              0x04,         296, 0,  7, "emailProtection"                }, /* 295 */
- {              0x05,         297, 0,  7, "ipsecEndSystem"                 }, /* 296 */
- {              0x06,         298, 0,  7, "ipsecTunnel"                    }, /* 297 */
- {              0x07,         299, 0,  7, "ipsecUser"                      }, /* 298 */
- {              0x08,         300, 0,  7, "timeStamping"                   }, /* 299 */
- {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 300 */
- {            0x08,           309, 1,  6, "id-otherNames"                  }, /* 301 */
- {              0x01,         303, 0,  7, "personalData"                   }, /* 302 */
- {              0x02,         304, 0,  7, "userGroup"                      }, /* 303 */
- {              0x03,         305, 0,  7, "id-on-permanentIdentifier"      }, /* 304 */
- {              0x04,         306, 0,  7, "id-on-hardwareModuleName"       }, /* 305 */
- {              0x05,         307, 0,  7, "xmppAddr"                       }, /* 306 */
- {              0x06,         308, 0,  7, "id-on-SIM"                      }, /* 307 */
- {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 308 */
- {            0x0A,           314, 1,  6, "id-aca"                         }, /* 309 */
- {              0x01,         311, 0,  7, "authenticationInfo"             }, /* 310 */
- {              0x02,         312, 0,  7, "accessIdentity"                 }, /* 311 */
- {              0x03,         313, 0,  7, "chargingIdentity"               }, /* 312 */
- {              0x04,           0, 0,  7, "group"                          }, /* 313 */
- {            0x0B,           315, 0,  6, "subjectInfoAccess"              }, /* 314 */
- {            0x30,             0, 1,  6, "id-ad"                          }, /* 315 */
- {              0x01,         324, 1,  7, "ocsp"                           }, /* 316 */
- {                0x01,       318, 0,  8, "basic"                          }, /* 317 */
- {                0x02,       319, 0,  8, "nonce"                          }, /* 318 */
- {                0x03,       320, 0,  8, "crl"                            }, /* 319 */
- {                0x04,       321, 0,  8, "response"                       }, /* 320 */
- {                0x05,       322, 0,  8, "noCheck"                        }, /* 321 */
- {                0x06,       323, 0,  8, "archiveCutoff"                  }, /* 322 */
- {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 323 */
- {              0x02,         325, 0,  7, "caIssuers"                      }, /* 324 */
- {              0x03,         326, 0,  7, "timeStamping"                   }, /* 325 */
- {              0x05,           0, 0,  7, "caRepository"                   }, /* 326 */
- {          0x08,               0, 1,  5, "ipsec"                          }, /* 327 */
- {            0x02,             0, 1,  6, "certificate"                    }, /* 328 */
- {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 329 */
- {  0x0E,                     336, 1,  1, "oiw"                            }, /* 330 */
- {    0x03,                     0, 1,  2, "secsig"                         }, /* 331 */
- {      0x02,                   0, 1,  3, "algorithms"                     }, /* 332 */
- {        0x07,               334, 0,  4, "des-cbc"                        }, /* 333 */
- {        0x1A,               335, 0,  4, "sha-1"                          }, /* 334 */
- {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 335 */
- {  0x24,                     382, 1,  1, "TeleTrusT"                      }, /* 336 */
- {    0x03,                     0, 1,  2, "algorithm"                      }, /* 337 */
- {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 338 */
- {        0x01,               343, 1,  4, "rsaSignature"                   }, /* 339 */
- {          0x02,             341, 0,  5, "rsaSigWithripemd160"            }, /* 340 */
- {          0x03,             342, 0,  5, "rsaSigWithripemd128"            }, /* 341 */
- {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 342 */
- {        0x02,                 0, 1,  4, "ecSign"                         }, /* 343 */
- {          0x01,             345, 0,  5, "ecSignWithsha1"                 }, /* 344 */
- {          0x02,             346, 0,  5, "ecSignWithripemd160"            }, /* 345 */
- {          0x03,             347, 0,  5, "ecSignWithmd2"                  }, /* 346 */
- {          0x04,             348, 0,  5, "ecSignWithmd5"                  }, /* 347 */
- {          0x05,             365, 1,  5, "ttt-ecg"                        }, /* 348 */
- {            0x01,           353, 1,  6, "fieldType"                      }, /* 349 */
- {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 350 */
- {                0x01,         0, 1,  8, "basisType"                      }, /* 351 */
- {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 352 */
- {            0x02,           355, 1,  6, "keyType"                        }, /* 353 */
- {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 354 */
- {            0x03,           356, 0,  6, "curve"                          }, /* 355 */
- {            0x04,           363, 1,  6, "signatures"                     }, /* 356 */
- {              0x01,         358, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 357 */
- {              0x02,         359, 0,  7, "ecgdsa-with-SHA1"               }, /* 358 */
- {              0x03,         360, 0,  7, "ecgdsa-with-SHA224"             }, /* 359 */
- {              0x04,         361, 0,  7, "ecgdsa-with-SHA256"             }, /* 360 */
- {              0x05,         362, 0,  7, "ecgdsa-with-SHA384"             }, /* 361 */
- {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 362 */
- {            0x05,             0, 1,  6, "module"                         }, /* 363 */
- {              0x01,           0, 0,  7, "1"                              }, /* 364 */
- {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 365 */
- {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 366 */
- {              0x01,           0, 1,  7, "versionOne"                     }, /* 367 */
- {                0x01,       369, 0,  8, "brainpoolP160r1"                }, /* 368 */
- {                0x02,       370, 0,  8, "brainpoolP160t1"                }, /* 369 */
- {                0x03,       371, 0,  8, "brainpoolP192r1"                }, /* 370 */
- {                0x04,       372, 0,  8, "brainpoolP192t1"                }, /* 371 */
- {                0x05,       373, 0,  8, "brainpoolP224r1"                }, /* 372 */
- {                0x06,       374, 0,  8, "brainpoolP224t1"                }, /* 373 */
- {                0x07,       375, 0,  8, "brainpoolP256r1"                }, /* 374 */
- {                0x08,       376, 0,  8, "brainpoolP256t1"                }, /* 375 */
- {                0x09,       377, 0,  8, "brainpoolP320r1"                }, /* 376 */
- {                0x0A,       378, 0,  8, "brainpoolP320t1"                }, /* 377 */
- {                0x0B,       379, 0,  8, "brainpoolP384r1"                }, /* 378 */
- {                0x0C,       380, 0,  8, "brainpoolP384t1"                }, /* 379 */
- {                0x0D,       381, 0,  8, "brainpoolP512r1"                }, /* 380 */
- {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 381 */
- {  0x81,                       0, 1,  1, ""                               }, /* 382 */
- {    0x04,                     0, 1,  2, "Certicom"                       }, /* 383 */
- {      0x00,                   0, 1,  3, "curve"                          }, /* 384 */
- {        0x01,               386, 0,  4, "sect163k1"                      }, /* 385 */
- {        0x02,               387, 0,  4, "sect163r1"                      }, /* 386 */
- {        0x03,               388, 0,  4, "sect239k1"                      }, /* 387 */
- {        0x04,               389, 0,  4, "sect113r1"                      }, /* 388 */
- {        0x05,               390, 0,  4, "sect113r2"                      }, /* 389 */
- {        0x06,               391, 0,  4, "secp112r1"                      }, /* 390 */
- {        0x07,               392, 0,  4, "secp112r2"                      }, /* 391 */
- {        0x08,               393, 0,  4, "secp160r1"                      }, /* 392 */
- {        0x09,               394, 0,  4, "secp160k1"                      }, /* 393 */
- {        0x0A,               395, 0,  4, "secp256k1"                      }, /* 394 */
- {        0x0F,               396, 0,  4, "sect163r2"                      }, /* 395 */
- {        0x10,               397, 0,  4, "sect283k1"                      }, /* 396 */
- {        0x11,               398, 0,  4, "sect283r1"                      }, /* 397 */
- {        0x16,               399, 0,  4, "sect131r1"                      }, /* 398 */
- {        0x17,               400, 0,  4, "sect131r2"                      }, /* 399 */
- {        0x18,               401, 0,  4, "sect193r1"                      }, /* 400 */
- {        0x19,               402, 0,  4, "sect193r2"                      }, /* 401 */
- {        0x1A,               403, 0,  4, "sect233k1"                      }, /* 402 */
- {        0x1B,               404, 0,  4, "sect233r1"                      }, /* 403 */
- {        0x1C,               405, 0,  4, "secp128r1"                      }, /* 404 */
- {        0x1D,               406, 0,  4, "secp128r2"                      }, /* 405 */
- {        0x1E,               407, 0,  4, "secp160r2"                      }, /* 406 */
- {        0x1F,               408, 0,  4, "secp192k1"                      }, /* 407 */
- {        0x20,               409, 0,  4, "secp224k1"                      }, /* 408 */
- {        0x21,               410, 0,  4, "secp224r1"                      }, /* 409 */
- {        0x22,               411, 0,  4, "secp384r1"                      }, /* 410 */
- {        0x23,               412, 0,  4, "secp521r1"                      }, /* 411 */
- {        0x24,               413, 0,  4, "sect409k1"                      }, /* 412 */
- {        0x25,               414, 0,  4, "sect409r1"                      }, /* 413 */
- {        0x26,               415, 0,  4, "sect571k1"                      }, /* 414 */
- {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 415 */
- {0x60,                       470, 1,  0, ""                               }, /* 416 */
- {  0x86,                       0, 1,  1, ""                               }, /* 417 */
- {    0x48,                     0, 1,  2, ""                               }, /* 418 */
- {      0x01,                   0, 1,  3, "organization"                   }, /* 419 */
- {        0x65,               446, 1,  4, "gov"                            }, /* 420 */
- {          0x03,               0, 1,  5, "csor"                           }, /* 421 */
- {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 422 */
- {              0x01,         433, 1,  7, "aes"                            }, /* 423 */
- {                0x02,       425, 0,  8, "id-aes128-CBC"                  }, /* 424 */
- {                0x06,       426, 0,  8, "id-aes128-GCM"                  }, /* 425 */
- {                0x07,       427, 0,  8, "id-aes128-CCM"                  }, /* 426 */
- {                0x16,       428, 0,  8, "id-aes192-CBC"                  }, /* 427 */
- {                0x1A,       429, 0,  8, "id-aes192-GCM"                  }, /* 428 */
- {                0x1B,       430, 0,  8, "id-aes192-CCM"                  }, /* 429 */
- {                0x2A,       431, 0,  8, "id-aes256-CBC"                  }, /* 430 */
- {                0x2E,       432, 0,  8, "id-aes256-GCM"                  }, /* 431 */
- {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 432 */
- {              0x02,           0, 1,  7, "hashalgs"                       }, /* 433 */
- {                0x01,       435, 0,  8, "id-sha256"                      }, /* 434 */
- {                0x02,       436, 0,  8, "id-sha384"                      }, /* 435 */
- {                0x03,       437, 0,  8, "id-sha512"                      }, /* 436 */
- {                0x04,       438, 0,  8, "id-sha224"                      }, /* 437 */
- {                0x05,       439, 0,  8, "id-sha512-224"                  }, /* 438 */
- {                0x06,       440, 0,  8, "id-sha512-256"                  }, /* 439 */
- {                0x07,       441, 0,  8, "id-sha3-224"                    }, /* 440 */
- {                0x08,       442, 0,  8, "id-sha3-256"                    }, /* 441 */
- {                0x09,       443, 0,  8, "id-sha3-384"                    }, /* 442 */
- {                0x0A,       444, 0,  8, "id-sha3-512"                    }, /* 443 */
- {                0x0B,       445, 0,  8, "id-shake128"                    }, /* 444 */
- {                0x0C,         0, 0,  8, "id-shake256"                    }, /* 445 */
- {        0x86,                 0, 1,  4, ""                               }, /* 446 */
- {          0xf8,               0, 1,  5, ""                               }, /* 447 */
- {            0x42,           460, 1,  6, "netscape"                       }, /* 448 */
- {              0x01,         455, 1,  7, ""                               }, /* 449 */
- {                0x01,       451, 0,  8, "nsCertType"                     }, /* 450 */
- {                0x03,       452, 0,  8, "nsRevocationUrl"                }, /* 451 */
- {                0x04,       453, 0,  8, "nsCaRevocationUrl"              }, /* 452 */
- {                0x08,       454, 0,  8, "nsCaPolicyUrl"                  }, /* 453 */
- {                0x0d,         0, 0,  8, "nsComment"                      }, /* 454 */
- {              0x03,         458, 1,  7, "directory"                      }, /* 455 */
- {                0x01,         0, 1,  8, ""                               }, /* 456 */
- {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 457 */
- {              0x04,           0, 1,  7, "policy"                         }, /* 458 */
- {                0x01,         0, 0,  8, "nsSGC"                          }, /* 459 */
- {            0x45,             0, 1,  6, "verisign"                       }, /* 460 */
- {              0x01,           0, 1,  7, "pki"                            }, /* 461 */
- {                0x09,         0, 1,  8, "attributes"                     }, /* 462 */
- {                  0x02,     464, 0,  9, "messageType"                    }, /* 463 */
- {                  0x03,     465, 0,  9, "pkiStatus"                      }, /* 464 */
- {                  0x04,     466, 0,  9, "failInfo"                       }, /* 465 */
- {                  0x05,     467, 0,  9, "senderNonce"                    }, /* 466 */
- {                  0x06,     468, 0,  9, "recipientNonce"                 }, /* 467 */
- {                  0x07,     469, 0,  9, "transID"                        }, /* 468 */
- {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 469 */
- {0x67,                         0, 1,  0, ""                               }, /* 470 */
- {  0x81,                       0, 1,  1, ""                               }, /* 471 */
- {    0x05,                     0, 1,  2, ""                               }, /* 472 */
- {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 473 */
- {        0x01,               475, 0,  4, "tcg-at-tpmManufacturer"         }, /* 474 */
- {        0x02,               476, 0,  4, "tcg-at-tpmModel"                }, /* 475 */
- {        0x03,               477, 0,  4, "tcg-at-tpmVersion"              }, /* 476 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 477 */
+ {    0x41,                    37, 0,  2, "pseudonym"                      }, /*  36 */
+ {    0x48,                     0, 0,  2, "role"                           }, /*  37 */
+ {  0x1D,                       0, 1,  1, "id-ce"                          }, /*  38 */
+ {    0x09,                    40, 0,  2, "subjectDirectoryAttrs"          }, /*  39 */
+ {    0x0E,                    41, 0,  2, "subjectKeyIdentifier"           }, /*  40 */
+ {    0x0F,                    42, 0,  2, "keyUsage"                       }, /*  41 */
+ {    0x10,                    43, 0,  2, "privateKeyUsagePeriod"          }, /*  42 */
+ {    0x11,                    44, 0,  2, "subjectAltName"                 }, /*  43 */
+ {    0x12,                    45, 0,  2, "issuerAltName"                  }, /*  44 */
+ {    0x13,                    46, 0,  2, "basicConstraints"               }, /*  45 */
+ {    0x14,                    47, 0,  2, "crlNumber"                      }, /*  46 */
+ {    0x15,                    48, 0,  2, "reasonCode"                     }, /*  47 */
+ {    0x17,                    49, 0,  2, "holdInstructionCode"            }, /*  48 */
+ {    0x18,                    50, 0,  2, "invalidityDate"                 }, /*  49 */
+ {    0x1B,                    51, 0,  2, "deltaCrlIndicator"              }, /*  50 */
+ {    0x1C,                    52, 0,  2, "issuingDistributionPoint"       }, /*  51 */
+ {    0x1D,                    53, 0,  2, "certificateIssuer"              }, /*  52 */
+ {    0x1E,                    54, 0,  2, "nameConstraints"                }, /*  53 */
+ {    0x1F,                    55, 0,  2, "crlDistributionPoints"          }, /*  54 */
+ {    0x20,                    57, 1,  2, "certificatePolicies"            }, /*  55 */
+ {      0x00,                   0, 0,  3, "anyPolicy"                      }, /*  56 */
+ {    0x21,                    58, 0,  2, "policyMappings"                 }, /*  57 */
+ {    0x23,                    59, 0,  2, "authorityKeyIdentifier"         }, /*  58 */
+ {    0x24,                    60, 0,  2, "policyConstraints"              }, /*  59 */
+ {    0x25,                    62, 1,  2, "extendedKeyUsage"               }, /*  60 */
+ {      0x00,                   0, 0,  3, "anyExtendedKeyUsage"            }, /*  61 */
+ {    0x2E,                    63, 0,  2, "freshestCRL"                    }, /*  62 */
+ {    0x36,                    64, 0,  2, "inhibitAnyPolicy"               }, /*  63 */
+ {    0x37,                    65, 0,  2, "targetInformation"              }, /*  64 */
+ {    0x38,                     0, 0,  2, "noRevAvail"                     }, /*  65 */
+ {0x2A,                       190, 1,  0, ""                               }, /*  66 */
+ {  0x83,                      79, 1,  1, ""                               }, /*  67 */
+ {    0x08,                     0, 1,  2, "jp"                             }, /*  68 */
+ {      0x8C,                   0, 1,  3, ""                               }, /*  69 */
+ {        0x9A,                 0, 1,  4, ""                               }, /*  70 */
+ {          0x4B,               0, 1,  5, ""                               }, /*  71 */
+ {            0x3D,             0, 1,  6, ""                               }, /*  72 */
+ {              0x01,           0, 1,  7, "security"                       }, /*  73 */
+ {                0x01,         0, 1,  8, "algorithm"                      }, /*  74 */
+ {                  0x01,       0, 1,  9, "symm-encryption-alg"            }, /*  75 */
+ {                    0x02,    77, 0, 10, "camellia128-cbc"                }, /*  76 */
+ {                    0x03,    78, 0, 10, "camellia192-cbc"                }, /*  77 */
+ {                    0x04,     0, 0, 10, "camellia256-cbc"                }, /*  78 */
+ {  0x86,                       0, 1,  1, ""                               }, /*  79 */
+ {    0x48,                     0, 1,  2, "us"                             }, /*  80 */
+ {      0x86,                 149, 1,  3, ""                               }, /*  81 */
+ {        0xF6,                87, 1,  4, ""                               }, /*  82 */
+ {          0x7D,               0, 1,  5, "NortelNetworks"                 }, /*  83 */
+ {            0x07,             0, 1,  6, "Entrust"                        }, /*  84 */
+ {              0x41,           0, 1,  7, "nsn-ce"                         }, /*  85 */
+ {                0x00,         0, 0,  8, "entrustVersInfo"                }, /*  86 */
+ {        0xF7,                 0, 1,  4, ""                               }, /*  87 */
+ {          0x0D,               0, 1,  5, "RSADSI"                         }, /*  88 */
+ {            0x01,           144, 1,  6, "PKCS"                           }, /*  89 */
+ {              0x01,         102, 1,  7, "PKCS-1"                         }, /*  90 */
+ {                0x01,        92, 0,  8, "rsaEncryption"                  }, /*  91 */
+ {                0x02,        93, 0,  8, "md2WithRSAEncryption"           }, /*  92 */
+ {                0x04,        94, 0,  8, "md5WithRSAEncryption"           }, /*  93 */
+ {                0x05,        95, 0,  8, "sha-1WithRSAEncryption"         }, /*  94 */
+ {                0x07,        96, 0,  8, "id-RSAES-OAEP"                  }, /*  95 */
+ {                0x08,        97, 0,  8, "id-mgf1"                        }, /*  96 */
+ {                0x09,        98, 0,  8, "id-pSpecified"                  }, /*  97 */
+ {                0x0B,        99, 0,  8, "sha256WithRSAEncryption"        }, /*  98 */
+ {                0x0C,       100, 0,  8, "sha384WithRSAEncryption"        }, /*  99 */
+ {                0x0D,       101, 0,  8, "sha512WithRSAEncryption"        }, /* 100 */
+ {                0x0E,         0, 0,  8, "sha224WithRSAEncryption"        }, /* 101 */
+ {              0x05,         107, 1,  7, "PKCS-5"                         }, /* 102 */
+ {                0x03,       104, 0,  8, "pbeWithMD5AndDES-CBC"           }, /* 103 */
+ {                0x0A,       105, 0,  8, "pbeWithSHA1AndDES-CBC"          }, /* 104 */
+ {                0x0C,       106, 0,  8, "id-PBKDF2"                      }, /* 105 */
+ {                0x0D,         0, 0,  8, "id-PBES2"                       }, /* 106 */
+ {              0x07,         114, 1,  7, "PKCS-7"                         }, /* 107 */
+ {                0x01,       109, 0,  8, "data"                           }, /* 108 */
+ {                0x02,       110, 0,  8, "signedData"                     }, /* 109 */
+ {                0x03,       111, 0,  8, "envelopedData"                  }, /* 110 */
+ {                0x04,       112, 0,  8, "signedAndEnvelopedData"         }, /* 111 */
+ {                0x05,       113, 0,  8, "digestedData"                   }, /* 112 */
+ {                0x06,         0, 0,  8, "encryptedData"                  }, /* 113 */
+ {              0x09,         128, 1,  7, "PKCS-9"                         }, /* 114 */
+ {                0x01,       116, 0,  8, "E"                              }, /* 115 */
+ {                0x02,       117, 0,  8, "unstructuredName"               }, /* 116 */
+ {                0x03,       118, 0,  8, "contentType"                    }, /* 117 */
+ {                0x04,       119, 0,  8, "messageDigest"                  }, /* 118 */
+ {                0x05,       120, 0,  8, "signingTime"                    }, /* 119 */
+ {                0x06,       121, 0,  8, "counterSignature"               }, /* 120 */
+ {                0x07,       122, 0,  8, "challengePassword"              }, /* 121 */
+ {                0x08,       123, 0,  8, "unstructuredAddress"            }, /* 122 */
+ {                0x0E,       124, 0,  8, "extensionRequest"               }, /* 123 */
+ {                0x0F,       125, 0,  8, "S/MIME Capabilities"            }, /* 124 */
+ {                0x16,         0, 1,  8, "certTypes"                      }, /* 125 */
+ {                  0x01,     127, 0,  9, "X.509"                          }, /* 126 */
+ {                  0x02,       0, 0,  9, "SDSI"                           }, /* 127 */
+ {              0x0c,           0, 1,  7, "PKCS-12"                        }, /* 128 */
+ {                0x01,       136, 1,  8, "pbeIds"                         }, /* 129 */
+ {                  0x01,     131, 0,  9, "pbeWithSHAAnd128BitRC4"         }, /* 130 */
+ {                  0x02,     132, 0,  9, "pbeWithSHAAnd40BitRC4"          }, /* 131 */
+ {                  0x03,     133, 0,  9, "pbeWithSHAAnd3-KeyTripleDES-CBC"}, /* 132 */
+ {                  0x04,     134, 0,  9, "pbeWithSHAAnd2-KeyTripleDES-CBC"}, /* 133 */
+ {                  0x05,     135, 0,  9, "pbeWithSHAAnd128BitRC2-CBC"     }, /* 134 */
+ {                  0x06,       0, 0,  9, "pbeWithSHAAnd40BitRC2-CBC"      }, /* 135 */
+ {                0x0a,         0, 1,  8, "PKCS-12v1"                      }, /* 136 */
+ {                  0x01,       0, 1,  9, "bagIds"                         }, /* 137 */
+ {                    0x01,   139, 0, 10, "keyBag"                         }, /* 138 */
+ {                    0x02,   140, 0, 10, "pkcs8ShroudedKeyBag"            }, /* 139 */
+ {                    0x03,   141, 0, 10, "certBag"                        }, /* 140 */
+ {                    0x04,   142, 0, 10, "crlBag"                         }, /* 141 */
+ {                    0x05,   143, 0, 10, "secretBag"                      }, /* 142 */
+ {                    0x06,     0, 0, 10, "safeContentsBag"                }, /* 143 */
+ {            0x02,           147, 1,  6, "digestAlgorithm"                }, /* 144 */
+ {              0x02,         146, 0,  7, "md2"                            }, /* 145 */
+ {              0x05,           0, 0,  7, "md5"                            }, /* 146 */
+ {            0x03,             0, 1,  6, "encryptionAlgorithm"            }, /* 147 */
+ {              0x07,           0, 0,  7, "3des-ede-cbc"                   }, /* 148 */
+ {      0xCE,                   0, 1,  3, ""                               }, /* 149 */
+ {        0x3D,                 0, 1,  4, "ansi-X9-62"                     }, /* 150 */
+ {          0x02,             153, 1,  5, "id-publicKeyType"               }, /* 151 */
+ {            0x01,             0, 0,  6, "id-ecPublicKey"                 }, /* 152 */
+ {          0x03,             183, 1,  5, "ellipticCurve"                  }, /* 153 */
+ {            0x00,           175, 1,  6, "c-TwoCurve"                     }, /* 154 */
+ {              0x01,         156, 0,  7, "c2pnb163v1"                     }, /* 155 */
+ {              0x02,         157, 0,  7, "c2pnb163v2"                     }, /* 156 */
+ {              0x03,         158, 0,  7, "c2pnb163v3"                     }, /* 157 */
+ {              0x04,         159, 0,  7, "c2pnb176w1"                     }, /* 158 */
+ {              0x05,         160, 0,  7, "c2tnb191v1"                     }, /* 159 */
+ {              0x06,         161, 0,  7, "c2tnb191v2"                     }, /* 160 */
+ {              0x07,         162, 0,  7, "c2tnb191v3"                     }, /* 161 */
+ {              0x08,         163, 0,  7, "c2onb191v4"                     }, /* 162 */
+ {              0x09,         164, 0,  7, "c2onb191v5"                     }, /* 163 */
+ {              0x0A,         165, 0,  7, "c2pnb208w1"                     }, /* 164 */
+ {              0x0B,         166, 0,  7, "c2tnb239v1"                     }, /* 165 */
+ {              0x0C,         167, 0,  7, "c2tnb239v2"                     }, /* 166 */
+ {              0x0D,         168, 0,  7, "c2tnb239v3"                     }, /* 167 */
+ {              0x0E,         169, 0,  7, "c2onb239v4"                     }, /* 168 */
+ {              0x0F,         170, 0,  7, "c2onb239v5"                     }, /* 169 */
+ {              0x10,         171, 0,  7, "c2pnb272w1"                     }, /* 170 */
+ {              0x11,         172, 0,  7, "c2pnb304w1"                     }, /* 171 */
+ {              0x12,         173, 0,  7, "c2tnb359v1"                     }, /* 172 */
+ {              0x13,         174, 0,  7, "c2pnb368w1"                     }, /* 173 */
+ {              0x14,           0, 0,  7, "c2tnb431r1"                     }, /* 174 */
+ {            0x01,             0, 1,  6, "primeCurve"                     }, /* 175 */
+ {              0x01,         177, 0,  7, "prime192v1"                     }, /* 176 */
+ {              0x02,         178, 0,  7, "prime192v2"                     }, /* 177 */
+ {              0x03,         179, 0,  7, "prime192v3"                     }, /* 178 */
+ {              0x04,         180, 0,  7, "prime239v1"                     }, /* 179 */
+ {              0x05,         181, 0,  7, "prime239v2"                     }, /* 180 */
+ {              0x06,         182, 0,  7, "prime239v3"                     }, /* 181 */
+ {              0x07,           0, 0,  7, "prime256v1"                     }, /* 182 */
+ {          0x04,               0, 1,  5, "id-ecSigType"                   }, /* 183 */
+ {            0x01,           185, 0,  6, "ecdsa-with-SHA1"                }, /* 184 */
+ {            0x03,             0, 1,  6, "ecdsa-with-Specified"           }, /* 185 */
+ {              0x01,         187, 0,  7, "ecdsa-with-SHA224"              }, /* 186 */
+ {              0x02,         188, 0,  7, "ecdsa-with-SHA256"              }, /* 187 */
+ {              0x03,         189, 0,  7, "ecdsa-with-SHA384"              }, /* 188 */
+ {              0x04,           0, 0,  7, "ecdsa-with-SHA512"              }, /* 189 */
+ {0x2B,                       417, 1,  0, ""                               }, /* 190 */
+ {  0x06,                     331, 1,  1, "dod"                            }, /* 191 */
+ {    0x01,                     0, 1,  2, "internet"                       }, /* 192 */
+ {      0x04,                 282, 1,  3, "private"                        }, /* 193 */
+ {        0x01,                 0, 1,  4, "enterprise"                     }, /* 194 */
+ {          0x82,             232, 1,  5, ""                               }, /* 195 */
+ {            0x37,           208, 1,  6, "Microsoft"                      }, /* 196 */
+ {              0x0A,         201, 1,  7, ""                               }, /* 197 */
+ {                0x03,         0, 1,  8, ""                               }, /* 198 */
+ {                  0x03,     200, 0,  9, "msSGC"                          }, /* 199 */
+ {                  0x04,       0, 0,  9, "msEncryptingFileSystem"         }, /* 200 */
+ {              0x14,         205, 1,  7, "msEnrollmentInfrastructure"     }, /* 201 */
+ {                0x02,         0, 1,  8, "msCertificateTypeExtension"     }, /* 202 */
+ {                  0x02,     204, 0,  9, "msSmartcardLogon"               }, /* 203 */
+ {                  0x03,       0, 0,  9, "msUPN"                          }, /* 204 */
+ {              0x15,           0, 1,  7, "msCertSrvInfrastructure"        }, /* 205 */
+ {                0x07,       207, 0,  8, "msCertTemplate"                 }, /* 206 */
+ {                0x0A,         0, 0,  8, "msApplicationCertPolicies"      }, /* 207 */
+ {            0xA0,             0, 1,  6, ""                               }, /* 208 */
+ {              0x2A,           0, 1,  7, "ITA"                            }, /* 209 */
+ {                0x01,       211, 0,  8, "strongSwan"                     }, /* 210 */
+ {                0x02,       212, 0,  8, "cps"                            }, /* 211 */
+ {                0x03,       213, 0,  8, "e-voting"                       }, /* 212 */
+ {                0x05,         0, 1,  8, "BLISS"                          }, /* 213 */
+ {                  0x01,     216, 1,  9, "keyType"                        }, /* 214 */
+ {                    0x01,     0, 0, 10, "blissPublicKey"                 }, /* 215 */
+ {                  0x02,     225, 1,  9, "parameters"                     }, /* 216 */
+ {                    0x01,   218, 0, 10, "BLISS-I"                        }, /* 217 */
+ {                    0x02,   219, 0, 10, "BLISS-II"                       }, /* 218 */
+ {                    0x03,   220, 0, 10, "BLISS-III"                      }, /* 219 */
+ {                    0x04,   221, 0, 10, "BLISS-IV"                       }, /* 220 */
+ {                    0x05,   222, 0, 10, "BLISS-B-I"                      }, /* 221 */
+ {                    0x06,   223, 0, 10, "BLISS-B-II"                     }, /* 222 */
+ {                    0x07,   224, 0, 10, "BLISS-B-III"                    }, /* 223 */
+ {                    0x08,     0, 0, 10, "BLISS-B-IV"                     }, /* 224 */
+ {                  0x03,       0, 1,  9, "blissSigType"                   }, /* 225 */
+ {                    0x01,   227, 0, 10, "BLISS-with-SHA2-512"            }, /* 226 */
+ {                    0x02,   228, 0, 10, "BLISS-with-SHA2-384"            }, /* 227 */
+ {                    0x03,   229, 0, 10, "BLISS-with-SHA2-256"            }, /* 228 */
+ {                    0x04,   230, 0, 10, "BLISS-with-SHA3-512"            }, /* 229 */
+ {                    0x05,   231, 0, 10, "BLISS-with-SHA3-384"            }, /* 230 */
+ {                    0x06,     0, 0, 10, "BLISS-with-SHA3-256"            }, /* 231 */
+ {          0x89,             239, 1,  5, ""                               }, /* 232 */
+ {            0x31,             0, 1,  6, ""                               }, /* 233 */
+ {              0x01,           0, 1,  7, ""                               }, /* 234 */
+ {                0x01,         0, 1,  8, ""                               }, /* 235 */
+ {                  0x02,       0, 1,  9, ""                               }, /* 236 */
+ {                    0x02,     0, 1, 10, ""                               }, /* 237 */
+ {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 238 */
+ {          0x97,             243, 1,  5, ""                               }, /* 239 */
+ {            0x55,             0, 1,  6, ""                               }, /* 240 */
+ {              0x01,           0, 1,  7, ""                               }, /* 241 */
+ {                0x02,         0, 0,  8, "blowfish-cbc"                   }, /* 242 */
+ {          0xC1,               0, 1,  5, ""                               }, /* 243 */
+ {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 244 */
+ {              0x01,           0, 1,  7, "eess"                           }, /* 245 */
+ {                0x01,         0, 1,  8, "eess1"                          }, /* 246 */
+ {                  0x01,     251, 1,  9, "eess1-algs"                     }, /* 247 */
+ {                    0x01,   249, 0, 10, "ntru-EESS1v1-SVES"              }, /* 248 */
+ {                    0x02,   250, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 249 */
+ {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 250 */
+ {                  0x02,     281, 1,  9, "eess1-params"                   }, /* 251 */
+ {                    0x01,   253, 0, 10, "ees251ep1"                      }, /* 252 */
+ {                    0x02,   254, 0, 10, "ees347ep1"                      }, /* 253 */
+ {                    0x03,   255, 0, 10, "ees503ep1"                      }, /* 254 */
+ {                    0x07,   256, 0, 10, "ees251sp2"                      }, /* 255 */
+ {                    0x0C,   257, 0, 10, "ees251ep4"                      }, /* 256 */
+ {                    0x0D,   258, 0, 10, "ees251ep5"                      }, /* 257 */
+ {                    0x0E,   259, 0, 10, "ees251sp3"                      }, /* 258 */
+ {                    0x0F,   260, 0, 10, "ees251sp4"                      }, /* 259 */
+ {                    0x10,   261, 0, 10, "ees251sp5"                      }, /* 260 */
+ {                    0x11,   262, 0, 10, "ees251sp6"                      }, /* 261 */
+ {                    0x12,   263, 0, 10, "ees251sp7"                      }, /* 262 */
+ {                    0x13,   264, 0, 10, "ees251sp8"                      }, /* 263 */
+ {                    0x14,   265, 0, 10, "ees251sp9"                      }, /* 264 */
+ {                    0x22,   266, 0, 10, "ees401ep1"                      }, /* 265 */
+ {                    0x23,   267, 0, 10, "ees449ep1"                      }, /* 266 */
+ {                    0x24,   268, 0, 10, "ees677ep1"                      }, /* 267 */
+ {                    0x25,   269, 0, 10, "ees1087ep2"                     }, /* 268 */
+ {                    0x26,   270, 0, 10, "ees541ep1"                      }, /* 269 */
+ {                    0x27,   271, 0, 10, "ees613ep1"                      }, /* 270 */
+ {                    0x28,   272, 0, 10, "ees887ep1"                      }, /* 271 */
+ {                    0x29,   273, 0, 10, "ees1171ep1"                     }, /* 272 */
+ {                    0x2A,   274, 0, 10, "ees659ep1"                      }, /* 273 */
+ {                    0x2B,   275, 0, 10, "ees761ep1"                      }, /* 274 */
+ {                    0x2C,   276, 0, 10, "ees1087ep1"                     }, /* 275 */
+ {                    0x2D,   277, 0, 10, "ees1499ep1"                     }, /* 276 */
+ {                    0x2E,   278, 0, 10, "ees401ep2"                      }, /* 277 */
+ {                    0x2F,   279, 0, 10, "ees439ep1"                      }, /* 278 */
+ {                    0x30,   280, 0, 10, "ees593ep1"                      }, /* 279 */
+ {                    0x31,     0, 0, 10, "ees743ep1"                      }, /* 280 */
+ {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 281 */
+ {      0x05,                   0, 1,  3, "security"                       }, /* 282 */
+ {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 283 */
+ {          0x07,             328, 1,  5, "id-pkix"                        }, /* 284 */
+ {            0x01,           289, 1,  6, "id-pe"                          }, /* 285 */
+ {              0x01,         287, 0,  7, "authorityInfoAccess"            }, /* 286 */
+ {              0x03,         288, 0,  7, "qcStatements"                   }, /* 287 */
+ {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 288 */
+ {            0x02,           292, 1,  6, "id-qt"                          }, /* 289 */
+ {              0x01,         291, 0,  7, "cps"                            }, /* 290 */
+ {              0x02,           0, 0,  7, "unotice"                        }, /* 291 */
+ {            0x03,           302, 1,  6, "id-kp"                          }, /* 292 */
+ {              0x01,         294, 0,  7, "serverAuth"                     }, /* 293 */
+ {              0x02,         295, 0,  7, "clientAuth"                     }, /* 294 */
+ {              0x03,         296, 0,  7, "codeSigning"                    }, /* 295 */
+ {              0x04,         297, 0,  7, "emailProtection"                }, /* 296 */
+ {              0x05,         298, 0,  7, "ipsecEndSystem"                 }, /* 297 */
+ {              0x06,         299, 0,  7, "ipsecTunnel"                    }, /* 298 */
+ {              0x07,         300, 0,  7, "ipsecUser"                      }, /* 299 */
+ {              0x08,         301, 0,  7, "timeStamping"                   }, /* 300 */
+ {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 301 */
+ {            0x08,           310, 1,  6, "id-otherNames"                  }, /* 302 */
+ {              0x01,         304, 0,  7, "personalData"                   }, /* 303 */
+ {              0x02,         305, 0,  7, "userGroup"                      }, /* 304 */
+ {              0x03,         306, 0,  7, "id-on-permanentIdentifier"      }, /* 305 */
+ {              0x04,         307, 0,  7, "id-on-hardwareModuleName"       }, /* 306 */
+ {              0x05,         308, 0,  7, "xmppAddr"                       }, /* 307 */
+ {              0x06,         309, 0,  7, "id-on-SIM"                      }, /* 308 */
+ {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 309 */
+ {            0x0A,           315, 1,  6, "id-aca"                         }, /* 310 */
+ {              0x01,         312, 0,  7, "authenticationInfo"             }, /* 311 */
+ {              0x02,         313, 0,  7, "accessIdentity"                 }, /* 312 */
+ {              0x03,         314, 0,  7, "chargingIdentity"               }, /* 313 */
+ {              0x04,           0, 0,  7, "group"                          }, /* 314 */
+ {            0x0B,           316, 0,  6, "subjectInfoAccess"              }, /* 315 */
+ {            0x30,             0, 1,  6, "id-ad"                          }, /* 316 */
+ {              0x01,         325, 1,  7, "ocsp"                           }, /* 317 */
+ {                0x01,       319, 0,  8, "basic"                          }, /* 318 */
+ {                0x02,       320, 0,  8, "nonce"                          }, /* 319 */
+ {                0x03,       321, 0,  8, "crl"                            }, /* 320 */
+ {                0x04,       322, 0,  8, "response"                       }, /* 321 */
+ {                0x05,       323, 0,  8, "noCheck"                        }, /* 322 */
+ {                0x06,       324, 0,  8, "archiveCutoff"                  }, /* 323 */
+ {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 324 */
+ {              0x02,         326, 0,  7, "caIssuers"                      }, /* 325 */
+ {              0x03,         327, 0,  7, "timeStamping"                   }, /* 326 */
+ {              0x05,           0, 0,  7, "caRepository"                   }, /* 327 */
+ {          0x08,               0, 1,  5, "ipsec"                          }, /* 328 */
+ {            0x02,             0, 1,  6, "certificate"                    }, /* 329 */
+ {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 330 */
+ {  0x0E,                     337, 1,  1, "oiw"                            }, /* 331 */
+ {    0x03,                     0, 1,  2, "secsig"                         }, /* 332 */
+ {      0x02,                   0, 1,  3, "algorithms"                     }, /* 333 */
+ {        0x07,               335, 0,  4, "des-cbc"                        }, /* 334 */
+ {        0x1A,               336, 0,  4, "sha-1"                          }, /* 335 */
+ {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 336 */
+ {  0x24,                     383, 1,  1, "TeleTrusT"                      }, /* 337 */
+ {    0x03,                     0, 1,  2, "algorithm"                      }, /* 338 */
+ {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 339 */
+ {        0x01,               344, 1,  4, "rsaSignature"                   }, /* 340 */
+ {          0x02,             342, 0,  5, "rsaSigWithripemd160"            }, /* 341 */
+ {          0x03,             343, 0,  5, "rsaSigWithripemd128"            }, /* 342 */
+ {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 343 */
+ {        0x02,                 0, 1,  4, "ecSign"                         }, /* 344 */
+ {          0x01,             346, 0,  5, "ecSignWithsha1"                 }, /* 345 */
+ {          0x02,             347, 0,  5, "ecSignWithripemd160"            }, /* 346 */
+ {          0x03,             348, 0,  5, "ecSignWithmd2"                  }, /* 347 */
+ {          0x04,             349, 0,  5, "ecSignWithmd5"                  }, /* 348 */
+ {          0x05,             366, 1,  5, "ttt-ecg"                        }, /* 349 */
+ {            0x01,           354, 1,  6, "fieldType"                      }, /* 350 */
+ {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 351 */
+ {                0x01,         0, 1,  8, "basisType"                      }, /* 352 */
+ {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 353 */
+ {            0x02,           356, 1,  6, "keyType"                        }, /* 354 */
+ {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 355 */
+ {            0x03,           357, 0,  6, "curve"                          }, /* 356 */
+ {            0x04,           364, 1,  6, "signatures"                     }, /* 357 */
+ {              0x01,         359, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 358 */
+ {              0x02,         360, 0,  7, "ecgdsa-with-SHA1"               }, /* 359 */
+ {              0x03,         361, 0,  7, "ecgdsa-with-SHA224"             }, /* 360 */
+ {              0x04,         362, 0,  7, "ecgdsa-with-SHA256"             }, /* 361 */
+ {              0x05,         363, 0,  7, "ecgdsa-with-SHA384"             }, /* 362 */
+ {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 363 */
+ {            0x05,             0, 1,  6, "module"                         }, /* 364 */
+ {              0x01,           0, 0,  7, "1"                              }, /* 365 */
+ {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 366 */
+ {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 367 */
+ {              0x01,           0, 1,  7, "versionOne"                     }, /* 368 */
+ {                0x01,       370, 0,  8, "brainpoolP160r1"                }, /* 369 */
+ {                0x02,       371, 0,  8, "brainpoolP160t1"                }, /* 370 */
+ {                0x03,       372, 0,  8, "brainpoolP192r1"                }, /* 371 */
+ {                0x04,       373, 0,  8, "brainpoolP192t1"                }, /* 372 */
+ {                0x05,       374, 0,  8, "brainpoolP224r1"                }, /* 373 */
+ {                0x06,       375, 0,  8, "brainpoolP224t1"                }, /* 374 */
+ {                0x07,       376, 0,  8, "brainpoolP256r1"                }, /* 375 */
+ {                0x08,       377, 0,  8, "brainpoolP256t1"                }, /* 376 */
+ {                0x09,       378, 0,  8, "brainpoolP320r1"                }, /* 377 */
+ {                0x0A,       379, 0,  8, "brainpoolP320t1"                }, /* 378 */
+ {                0x0B,       380, 0,  8, "brainpoolP384r1"                }, /* 379 */
+ {                0x0C,       381, 0,  8, "brainpoolP384t1"                }, /* 380 */
+ {                0x0D,       382, 0,  8, "brainpoolP512r1"                }, /* 381 */
+ {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 382 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 383 */
+ {    0x04,                     0, 1,  2, "Certicom"                       }, /* 384 */
+ {      0x00,                   0, 1,  3, "curve"                          }, /* 385 */
+ {        0x01,               387, 0,  4, "sect163k1"                      }, /* 386 */
+ {        0x02,               388, 0,  4, "sect163r1"                      }, /* 387 */
+ {        0x03,               389, 0,  4, "sect239k1"                      }, /* 388 */
+ {        0x04,               390, 0,  4, "sect113r1"                      }, /* 389 */
+ {        0x05,               391, 0,  4, "sect113r2"                      }, /* 390 */
+ {        0x06,               392, 0,  4, "secp112r1"                      }, /* 391 */
+ {        0x07,               393, 0,  4, "secp112r2"                      }, /* 392 */
+ {        0x08,               394, 0,  4, "secp160r1"                      }, /* 393 */
+ {        0x09,               395, 0,  4, "secp160k1"                      }, /* 394 */
+ {        0x0A,               396, 0,  4, "secp256k1"                      }, /* 395 */
+ {        0x0F,               397, 0,  4, "sect163r2"                      }, /* 396 */
+ {        0x10,               398, 0,  4, "sect283k1"                      }, /* 397 */
+ {        0x11,               399, 0,  4, "sect283r1"                      }, /* 398 */
+ {        0x16,               400, 0,  4, "sect131r1"                      }, /* 399 */
+ {        0x17,               401, 0,  4, "sect131r2"                      }, /* 400 */
+ {        0x18,               402, 0,  4, "sect193r1"                      }, /* 401 */
+ {        0x19,               403, 0,  4, "sect193r2"                      }, /* 402 */
+ {        0x1A,               404, 0,  4, "sect233k1"                      }, /* 403 */
+ {        0x1B,               405, 0,  4, "sect233r1"                      }, /* 404 */
+ {        0x1C,               406, 0,  4, "secp128r1"                      }, /* 405 */
+ {        0x1D,               407, 0,  4, "secp128r2"                      }, /* 406 */
+ {        0x1E,               408, 0,  4, "secp160r2"                      }, /* 407 */
+ {        0x1F,               409, 0,  4, "secp192k1"                      }, /* 408 */
+ {        0x20,               410, 0,  4, "secp224k1"                      }, /* 409 */
+ {        0x21,               411, 0,  4, "secp224r1"                      }, /* 410 */
+ {        0x22,               412, 0,  4, "secp384r1"                      }, /* 411 */
+ {        0x23,               413, 0,  4, "secp521r1"                      }, /* 412 */
+ {        0x24,               414, 0,  4, "sect409k1"                      }, /* 413 */
+ {        0x25,               415, 0,  4, "sect409r1"                      }, /* 414 */
+ {        0x26,               416, 0,  4, "sect571k1"                      }, /* 415 */
+ {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 416 */
+ {0x60,                       471, 1,  0, ""                               }, /* 417 */
+ {  0x86,                       0, 1,  1, ""                               }, /* 418 */
+ {    0x48,                     0, 1,  2, ""                               }, /* 419 */
+ {      0x01,                   0, 1,  3, "organization"                   }, /* 420 */
+ {        0x65,               447, 1,  4, "gov"                            }, /* 421 */
+ {          0x03,               0, 1,  5, "csor"                           }, /* 422 */
+ {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 423 */
+ {              0x01,         434, 1,  7, "aes"                            }, /* 424 */
+ {                0x02,       426, 0,  8, "id-aes128-CBC"                  }, /* 425 */
+ {                0x06,       427, 0,  8, "id-aes128-GCM"                  }, /* 426 */
+ {                0x07,       428, 0,  8, "id-aes128-CCM"                  }, /* 427 */
+ {                0x16,       429, 0,  8, "id-aes192-CBC"                  }, /* 428 */
+ {                0x1A,       430, 0,  8, "id-aes192-GCM"                  }, /* 429 */
+ {                0x1B,       431, 0,  8, "id-aes192-CCM"                  }, /* 430 */
+ {                0x2A,       432, 0,  8, "id-aes256-CBC"                  }, /* 431 */
+ {                0x2E,       433, 0,  8, "id-aes256-GCM"                  }, /* 432 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 433 */
+ {              0x02,           0, 1,  7, "hashalgs"                       }, /* 434 */
+ {                0x01,       436, 0,  8, "id-sha256"                      }, /* 435 */
+ {                0x02,       437, 0,  8, "id-sha384"                      }, /* 436 */
+ {                0x03,       438, 0,  8, "id-sha512"                      }, /* 437 */
+ {                0x04,       439, 0,  8, "id-sha224"                      }, /* 438 */
+ {                0x05,       440, 0,  8, "id-sha512-224"                  }, /* 439 */
+ {                0x06,       441, 0,  8, "id-sha512-256"                  }, /* 440 */
+ {                0x07,       442, 0,  8, "id-sha3-224"                    }, /* 441 */
+ {                0x08,       443, 0,  8, "id-sha3-256"                    }, /* 442 */
+ {                0x09,       444, 0,  8, "id-sha3-384"                    }, /* 443 */
+ {                0x0A,       445, 0,  8, "id-sha3-512"                    }, /* 444 */
+ {                0x0B,       446, 0,  8, "id-shake128"                    }, /* 445 */
+ {                0x0C,         0, 0,  8, "id-shake256"                    }, /* 446 */
+ {        0x86,                 0, 1,  4, ""                               }, /* 447 */
+ {          0xf8,               0, 1,  5, ""                               }, /* 448 */
+ {            0x42,           461, 1,  6, "netscape"                       }, /* 449 */
+ {              0x01,         456, 1,  7, ""                               }, /* 450 */
+ {                0x01,       452, 0,  8, "nsCertType"                     }, /* 451 */
+ {                0x03,       453, 0,  8, "nsRevocationUrl"                }, /* 452 */
+ {                0x04,       454, 0,  8, "nsCaRevocationUrl"              }, /* 453 */
+ {                0x08,       455, 0,  8, "nsCaPolicyUrl"                  }, /* 454 */
+ {                0x0d,         0, 0,  8, "nsComment"                      }, /* 455 */
+ {              0x03,         459, 1,  7, "directory"                      }, /* 456 */
+ {                0x01,         0, 1,  8, ""                               }, /* 457 */
+ {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 458 */
+ {              0x04,           0, 1,  7, "policy"                         }, /* 459 */
+ {                0x01,         0, 0,  8, "nsSGC"                          }, /* 460 */
+ {            0x45,             0, 1,  6, "verisign"                       }, /* 461 */
+ {              0x01,           0, 1,  7, "pki"                            }, /* 462 */
+ {                0x09,         0, 1,  8, "attributes"                     }, /* 463 */
+ {                  0x02,     465, 0,  9, "messageType"                    }, /* 464 */
+ {                  0x03,     466, 0,  9, "pkiStatus"                      }, /* 465 */
+ {                  0x04,     467, 0,  9, "failInfo"                       }, /* 466 */
+ {                  0x05,     468, 0,  9, "senderNonce"                    }, /* 467 */
+ {                  0x06,     469, 0,  9, "recipientNonce"                 }, /* 468 */
+ {                  0x07,     470, 0,  9, "transID"                        }, /* 469 */
+ {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 470 */
+ {0x67,                         0, 1,  0, ""                               }, /* 471 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 472 */
+ {    0x05,                     0, 1,  2, ""                               }, /* 473 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 474 */
+ {        0x01,               476, 0,  4, "tcg-at-tpmManufacturer"         }, /* 475 */
+ {        0x02,               477, 0,  4, "tcg-at-tpmModel"                }, /* 476 */
+ {        0x03,               478, 0,  4, "tcg-at-tpmVersion"              }, /* 477 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 478 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index b9ed08d2e..1120156e5 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -40,220 +40,221 @@ extern const oid_t oid_names[];
 #define OID_INITIALS						33
 #define OID_UNIQUE_IDENTIFIER				34
 #define OID_DN_QUALIFIER					35
-#define OID_ROLE							36
-#define OID_SUBJECT_KEY_ID					39
-#define OID_KEY_USAGE						40
-#define OID_SUBJECT_ALT_NAME				42
-#define OID_BASIC_CONSTRAINTS				44
-#define OID_CRL_NUMBER						45
-#define OID_CRL_REASON_CODE					46
-#define OID_DELTA_CRL_INDICATOR				49
-#define OID_ISSUING_DIST_POINT				50
-#define OID_NAME_CONSTRAINTS				52
-#define OID_CRL_DISTRIBUTION_POINTS			53
-#define OID_CERTIFICATE_POLICIES			54
-#define OID_ANY_POLICY						55
-#define OID_POLICY_MAPPINGS					56
-#define OID_AUTHORITY_KEY_ID				57
-#define OID_POLICY_CONSTRAINTS				58
-#define OID_EXTENDED_KEY_USAGE				59
-#define OID_FRESHEST_CRL					61
-#define OID_INHIBIT_ANY_POLICY				62
-#define OID_TARGET_INFORMATION				63
-#define OID_NO_REV_AVAIL					64
-#define OID_CAMELLIA128_CBC					75
-#define OID_CAMELLIA192_CBC					76
-#define OID_CAMELLIA256_CBC					77
-#define OID_RSA_ENCRYPTION					90
-#define OID_MD2_WITH_RSA					91
-#define OID_MD5_WITH_RSA					92
-#define OID_SHA1_WITH_RSA					93
-#define OID_RSAES_OAEP						94
-#define OID_SHA256_WITH_RSA					97
-#define OID_SHA384_WITH_RSA					98
-#define OID_SHA512_WITH_RSA					99
-#define OID_SHA224_WITH_RSA					100
-#define OID_PBE_MD5_DES_CBC					102
-#define OID_PBE_SHA1_DES_CBC				103
-#define OID_PBKDF2							104
-#define OID_PBES2							105
-#define OID_PKCS7_DATA						107
-#define OID_PKCS7_SIGNED_DATA				108
-#define OID_PKCS7_ENVELOPED_DATA			109
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA		110
-#define OID_PKCS7_DIGESTED_DATA				111
-#define OID_PKCS7_ENCRYPTED_DATA			112
-#define OID_EMAIL_ADDRESS					114
-#define OID_UNSTRUCTURED_NAME				115
-#define OID_PKCS9_CONTENT_TYPE				116
-#define OID_PKCS9_MESSAGE_DIGEST			117
-#define OID_PKCS9_SIGNING_TIME				118
-#define OID_CHALLENGE_PASSWORD				120
-#define OID_UNSTRUCTURED_ADDRESS			121
-#define OID_EXTENSION_REQUEST				122
-#define OID_X509_CERTIFICATE				125
-#define OID_PBE_SHA1_RC4_128				129
-#define OID_PBE_SHA1_RC4_40					130
-#define OID_PBE_SHA1_3DES_CBC				131
-#define OID_PBE_SHA1_3DES_2KEY_CBC			132
-#define OID_PBE_SHA1_RC2_CBC_128			133
-#define OID_PBE_SHA1_RC2_CBC_40				134
-#define OID_P12_KEY_BAG						137
-#define OID_P12_PKCS8_KEY_BAG				138
-#define OID_P12_CERT_BAG					139
-#define OID_P12_CRL_BAG						140
-#define OID_MD2								144
-#define OID_MD5								145
-#define OID_3DES_EDE_CBC					147
-#define OID_EC_PUBLICKEY					151
-#define OID_C2PNB163V1						154
-#define OID_C2PNB163V2						155
-#define OID_C2PNB163V3						156
-#define OID_C2PNB176W1						157
-#define OID_C2PNB191V1						158
-#define OID_C2PNB191V2						159
-#define OID_C2PNB191V3						160
-#define OID_C2PNB191V4						161
-#define OID_C2PNB191V5						162
-#define OID_C2PNB208W1						163
-#define OID_C2PNB239V1						164
-#define OID_C2PNB239V2						165
-#define OID_C2PNB239V3						166
-#define OID_C2PNB239V4						167
-#define OID_C2PNB239V5						168
-#define OID_C2PNB272W1						169
-#define OID_C2PNB304W1						170
-#define OID_C2PNB359V1						171
-#define OID_C2PNB368W1						172
-#define OID_C2PNB431R1						173
-#define OID_PRIME192V1						175
-#define OID_PRIME192V2						176
-#define OID_PRIME192V3						177
-#define OID_PRIME239V1						178
-#define OID_PRIME239V2						179
-#define OID_PRIME239V3						180
-#define OID_PRIME256V1						181
-#define OID_ECDSA_WITH_SHA1					183
-#define OID_ECDSA_WITH_SHA224				185
-#define OID_ECDSA_WITH_SHA256				186
-#define OID_ECDSA_WITH_SHA384				187
-#define OID_ECDSA_WITH_SHA512				188
-#define OID_MS_SMARTCARD_LOGON				202
-#define OID_USER_PRINCIPAL_NAME				203
-#define OID_STRONGSWAN						209
-#define OID_BLISS_PUBLICKEY					214
-#define OID_BLISS_I							216
-#define OID_BLISS_II						217
-#define OID_BLISS_III						218
-#define OID_BLISS_IV						219
-#define OID_BLISS_B_I						220
-#define OID_BLISS_B_II						221
-#define OID_BLISS_B_III						222
-#define OID_BLISS_B_IV						223
-#define OID_BLISS_WITH_SHA2_512				225
-#define OID_BLISS_WITH_SHA2_384				226
-#define OID_BLISS_WITH_SHA2_256				227
-#define OID_BLISS_WITH_SHA3_512				228
-#define OID_BLISS_WITH_SHA3_384				229
-#define OID_BLISS_WITH_SHA3_256				230
-#define OID_TCGID							237
-#define OID_BLOWFISH_CBC					241
-#define OID_AUTHORITY_INFO_ACCESS			285
-#define OID_IP_ADDR_BLOCKS					287
-#define OID_POLICY_QUALIFIER_CPS			289
-#define OID_POLICY_QUALIFIER_UNOTICE		290
-#define OID_SERVER_AUTH						292
-#define OID_CLIENT_AUTH						293
-#define OID_OCSP_SIGNING					300
-#define OID_XMPP_ADDR						306
-#define OID_AUTHENTICATION_INFO				310
-#define OID_ACCESS_IDENTITY					311
-#define OID_CHARGING_IDENTITY				312
-#define OID_GROUP							313
-#define OID_OCSP							316
-#define OID_BASIC							317
-#define OID_NONCE							318
-#define OID_CRL								319
-#define OID_RESPONSE						320
-#define OID_NO_CHECK						321
-#define OID_ARCHIVE_CUTOFF					322
-#define OID_SERVICE_LOCATOR					323
-#define OID_CA_ISSUERS						324
-#define OID_IKE_INTERMEDIATE				329
-#define OID_DES_CBC							333
-#define OID_SHA1							334
-#define OID_SHA1_WITH_RSA_OIW				335
-#define OID_ECGDSA_PUBKEY					354
-#define OID_ECGDSA_SIG_WITH_RIPEMD160		357
-#define OID_ECGDSA_SIG_WITH_SHA1			358
-#define OID_ECGDSA_SIG_WITH_SHA224			359
-#define OID_ECGDSA_SIG_WITH_SHA256			360
-#define OID_ECGDSA_SIG_WITH_SHA384			361
-#define OID_ECGDSA_SIG_WITH_SHA512			362
-#define OID_SECT163K1						385
-#define OID_SECT163R1						386
-#define OID_SECT239K1						387
-#define OID_SECT113R1						388
-#define OID_SECT113R2						389
-#define OID_SECT112R1						390
-#define OID_SECT112R2						391
-#define OID_SECT160R1						392
-#define OID_SECT160K1						393
-#define OID_SECT256K1						394
-#define OID_SECT163R2						395
-#define OID_SECT283K1						396
-#define OID_SECT283R1						397
-#define OID_SECT131R1						398
-#define OID_SECT131R2						399
-#define OID_SECT193R1						400
-#define OID_SECT193R2						401
-#define OID_SECT233K1						402
-#define OID_SECT233R1						403
-#define OID_SECT128R1						404
-#define OID_SECT128R2						405
-#define OID_SECT160R2						406
-#define OID_SECT192K1						407
-#define OID_SECT224K1						408
-#define OID_SECT224R1						409
-#define OID_SECT384R1						410
-#define OID_SECT521R1						411
-#define OID_SECT409K1						412
-#define OID_SECT409R1						413
-#define OID_SECT571K1						414
-#define OID_SECT571R1						415
-#define OID_AES128_CBC						424
-#define OID_AES128_GCM						425
-#define OID_AES128_CCM						426
-#define OID_AES192_CBC						427
-#define OID_AES192_GCM						428
-#define OID_AES192_CCM						429
-#define OID_AES256_CBC						430
-#define OID_AES256_GCM						431
-#define OID_AES256_CCM						432
-#define OID_SHA256							434
-#define OID_SHA384							435
-#define OID_SHA512							436
-#define OID_SHA224							437
-#define OID_SHA3_224						440
-#define OID_SHA3_256						441
-#define OID_SHA3_384						442
-#define OID_SHA3_512						443
-#define OID_NS_REVOCATION_URL				451
-#define OID_NS_CA_REVOCATION_URL			452
-#define OID_NS_CA_POLICY_URL				453
-#define OID_NS_COMMENT						454
-#define OID_EMPLOYEE_NUMBER					457
-#define OID_PKI_MESSAGE_TYPE				463
-#define OID_PKI_STATUS						464
-#define OID_PKI_FAIL_INFO					465
-#define OID_PKI_SENDER_NONCE				466
-#define OID_PKI_RECIPIENT_NONCE				467
-#define OID_PKI_TRANS_ID					468
-#define OID_TPM_MANUFACTURER				474
-#define OID_TPM_MODEL						475
-#define OID_TPM_VERSION						476
-#define OID_TPM_ID_LABEL					477
+#define OID_PSEUDONYM						36
+#define OID_ROLE							37
+#define OID_SUBJECT_KEY_ID					40
+#define OID_KEY_USAGE						41
+#define OID_SUBJECT_ALT_NAME				43
+#define OID_BASIC_CONSTRAINTS				45
+#define OID_CRL_NUMBER						46
+#define OID_CRL_REASON_CODE					47
+#define OID_DELTA_CRL_INDICATOR				50
+#define OID_ISSUING_DIST_POINT				51
+#define OID_NAME_CONSTRAINTS				53
+#define OID_CRL_DISTRIBUTION_POINTS			54
+#define OID_CERTIFICATE_POLICIES			55
+#define OID_ANY_POLICY						56
+#define OID_POLICY_MAPPINGS					57
+#define OID_AUTHORITY_KEY_ID				58
+#define OID_POLICY_CONSTRAINTS				59
+#define OID_EXTENDED_KEY_USAGE				60
+#define OID_FRESHEST_CRL					62
+#define OID_INHIBIT_ANY_POLICY				63
+#define OID_TARGET_INFORMATION				64
+#define OID_NO_REV_AVAIL					65
+#define OID_CAMELLIA128_CBC					76
+#define OID_CAMELLIA192_CBC					77
+#define OID_CAMELLIA256_CBC					78
+#define OID_RSA_ENCRYPTION					91
+#define OID_MD2_WITH_RSA					92
+#define OID_MD5_WITH_RSA					93
+#define OID_SHA1_WITH_RSA					94
+#define OID_RSAES_OAEP						95
+#define OID_SHA256_WITH_RSA					98
+#define OID_SHA384_WITH_RSA					99
+#define OID_SHA512_WITH_RSA					100
+#define OID_SHA224_WITH_RSA					101
+#define OID_PBE_MD5_DES_CBC					103
+#define OID_PBE_SHA1_DES_CBC				104
+#define OID_PBKDF2							105
+#define OID_PBES2							106
+#define OID_PKCS7_DATA						108
+#define OID_PKCS7_SIGNED_DATA				109
+#define OID_PKCS7_ENVELOPED_DATA			110
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA		111
+#define OID_PKCS7_DIGESTED_DATA				112
+#define OID_PKCS7_ENCRYPTED_DATA			113
+#define OID_EMAIL_ADDRESS					115
+#define OID_UNSTRUCTURED_NAME				116
+#define OID_PKCS9_CONTENT_TYPE				117
+#define OID_PKCS9_MESSAGE_DIGEST			118
+#define OID_PKCS9_SIGNING_TIME				119
+#define OID_CHALLENGE_PASSWORD				121
+#define OID_UNSTRUCTURED_ADDRESS			122
+#define OID_EXTENSION_REQUEST				123
+#define OID_X509_CERTIFICATE				126
+#define OID_PBE_SHA1_RC4_128				130
+#define OID_PBE_SHA1_RC4_40					131
+#define OID_PBE_SHA1_3DES_CBC				132
+#define OID_PBE_SHA1_3DES_2KEY_CBC			133
+#define OID_PBE_SHA1_RC2_CBC_128			134
+#define OID_PBE_SHA1_RC2_CBC_40				135
+#define OID_P12_KEY_BAG						138
+#define OID_P12_PKCS8_KEY_BAG				139
+#define OID_P12_CERT_BAG					140
+#define OID_P12_CRL_BAG						141
+#define OID_MD2								145
+#define OID_MD5								146
+#define OID_3DES_EDE_CBC					148
+#define OID_EC_PUBLICKEY					152
+#define OID_C2PNB163V1						155
+#define OID_C2PNB163V2						156
+#define OID_C2PNB163V3						157
+#define OID_C2PNB176W1						158
+#define OID_C2PNB191V1						159
+#define OID_C2PNB191V2						160
+#define OID_C2PNB191V3						161
+#define OID_C2PNB191V4						162
+#define OID_C2PNB191V5						163
+#define OID_C2PNB208W1						164
+#define OID_C2PNB239V1						165
+#define OID_C2PNB239V2						166
+#define OID_C2PNB239V3						167
+#define OID_C2PNB239V4						168
+#define OID_C2PNB239V5						169
+#define OID_C2PNB272W1						170
+#define OID_C2PNB304W1						171
+#define OID_C2PNB359V1						172
+#define OID_C2PNB368W1						173
+#define OID_C2PNB431R1						174
+#define OID_PRIME192V1						176
+#define OID_PRIME192V2						177
+#define OID_PRIME192V3						178
+#define OID_PRIME239V1						179
+#define OID_PRIME239V2						180
+#define OID_PRIME239V3						181
+#define OID_PRIME256V1						182
+#define OID_ECDSA_WITH_SHA1					184
+#define OID_ECDSA_WITH_SHA224				186
+#define OID_ECDSA_WITH_SHA256				187
+#define OID_ECDSA_WITH_SHA384				188
+#define OID_ECDSA_WITH_SHA512				189
+#define OID_MS_SMARTCARD_LOGON				203
+#define OID_USER_PRINCIPAL_NAME				204
+#define OID_STRONGSWAN						210
+#define OID_BLISS_PUBLICKEY					215
+#define OID_BLISS_I							217
+#define OID_BLISS_II						218
+#define OID_BLISS_III						219
+#define OID_BLISS_IV						220
+#define OID_BLISS_B_I						221
+#define OID_BLISS_B_II						222
+#define OID_BLISS_B_III						223
+#define OID_BLISS_B_IV						224
+#define OID_BLISS_WITH_SHA2_512				226
+#define OID_BLISS_WITH_SHA2_384				227
+#define OID_BLISS_WITH_SHA2_256				228
+#define OID_BLISS_WITH_SHA3_512				229
+#define OID_BLISS_WITH_SHA3_384				230
+#define OID_BLISS_WITH_SHA3_256				231
+#define OID_TCGID							238
+#define OID_BLOWFISH_CBC					242
+#define OID_AUTHORITY_INFO_ACCESS			286
+#define OID_IP_ADDR_BLOCKS					288
+#define OID_POLICY_QUALIFIER_CPS			290
+#define OID_POLICY_QUALIFIER_UNOTICE		291
+#define OID_SERVER_AUTH						293
+#define OID_CLIENT_AUTH						294
+#define OID_OCSP_SIGNING					301
+#define OID_XMPP_ADDR						307
+#define OID_AUTHENTICATION_INFO				311
+#define OID_ACCESS_IDENTITY					312
+#define OID_CHARGING_IDENTITY				313
+#define OID_GROUP							314
+#define OID_OCSP							317
+#define OID_BASIC							318
+#define OID_NONCE							319
+#define OID_CRL								320
+#define OID_RESPONSE						321
+#define OID_NO_CHECK						322
+#define OID_ARCHIVE_CUTOFF					323
+#define OID_SERVICE_LOCATOR					324
+#define OID_CA_ISSUERS						325
+#define OID_IKE_INTERMEDIATE				330
+#define OID_DES_CBC							334
+#define OID_SHA1							335
+#define OID_SHA1_WITH_RSA_OIW				336
+#define OID_ECGDSA_PUBKEY					355
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		358
+#define OID_ECGDSA_SIG_WITH_SHA1			359
+#define OID_ECGDSA_SIG_WITH_SHA224			360
+#define OID_ECGDSA_SIG_WITH_SHA256			361
+#define OID_ECGDSA_SIG_WITH_SHA384			362
+#define OID_ECGDSA_SIG_WITH_SHA512			363
+#define OID_SECT163K1						386
+#define OID_SECT163R1						387
+#define OID_SECT239K1						388
+#define OID_SECT113R1						389
+#define OID_SECT113R2						390
+#define OID_SECT112R1						391
+#define OID_SECT112R2						392
+#define OID_SECT160R1						393
+#define OID_SECT160K1						394
+#define OID_SECT256K1						395
+#define OID_SECT163R2						396
+#define OID_SECT283K1						397
+#define OID_SECT283R1						398
+#define OID_SECT131R1						399
+#define OID_SECT131R2						400
+#define OID_SECT193R1						401
+#define OID_SECT193R2						402
+#define OID_SECT233K1						403
+#define OID_SECT233R1						404
+#define OID_SECT128R1						405
+#define OID_SECT128R2						406
+#define OID_SECT160R2						407
+#define OID_SECT192K1						408
+#define OID_SECT224K1						409
+#define OID_SECT224R1						410
+#define OID_SECT384R1						411
+#define OID_SECT521R1						412
+#define OID_SECT409K1						413
+#define OID_SECT409R1						414
+#define OID_SECT571K1						415
+#define OID_SECT571R1						416
+#define OID_AES128_CBC						425
+#define OID_AES128_GCM						426
+#define OID_AES128_CCM						427
+#define OID_AES192_CBC						428
+#define OID_AES192_GCM						429
+#define OID_AES192_CCM						430
+#define OID_AES256_CBC						431
+#define OID_AES256_GCM						432
+#define OID_AES256_CCM						433
+#define OID_SHA256							435
+#define OID_SHA384							436
+#define OID_SHA512							437
+#define OID_SHA224							438
+#define OID_SHA3_224						441
+#define OID_SHA3_256						442
+#define OID_SHA3_384						443
+#define OID_SHA3_512						444
+#define OID_NS_REVOCATION_URL				452
+#define OID_NS_CA_REVOCATION_URL			453
+#define OID_NS_CA_POLICY_URL				454
+#define OID_NS_COMMENT						455
+#define OID_EMPLOYEE_NUMBER					458
+#define OID_PKI_MESSAGE_TYPE				464
+#define OID_PKI_STATUS						465
+#define OID_PKI_FAIL_INFO					466
+#define OID_PKI_SENDER_NONCE				467
+#define OID_PKI_RECIPIENT_NONCE				468
+#define OID_PKI_TRANS_ID					469
+#define OID_TPM_MANUFACTURER				475
+#define OID_TPM_MODEL						476
+#define OID_TPM_VERSION						477
+#define OID_TPM_ID_LABEL					478
 
-#define OID_MAX								478
+#define OID_MAX								479
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 64dedcb33..b5ec15f3c 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -34,6 +34,7 @@
     0x2B                     "I"						OID_INITIALS
     0x2D                     "ID"						OID_UNIQUE_IDENTIFIER
     0x2E                     "dnQualifier"				OID_DN_QUALIFIER
+    0x41                     "pseudonym"				OID_PSEUDONYM
     0x48                     "role"						OID_ROLE
   0x1D                       "id-ce"
     0x09                     "subjectDirectoryAttrs"
diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c
index 61c696bc1..a45a68aaf 100644
--- a/src/libstrongswan/collections/array.c
+++ b/src/libstrongswan/collections/array.c
@@ -277,6 +277,16 @@ void array_insert_create(array_t **array, int idx, void *ptr)
 	array_insert(*array, idx, ptr);
 }
 
+void array_insert_create_value(array_t **array, u_int esize,
+							   int idx, void *val)
+{
+	if (*array == NULL)
+	{
+		*array = array_create(esize, 0);
+	}
+	array_insert(*array, idx, val);
+}
+
 void array_insert_enumerator(array_t *array, int idx, enumerator_t *enumerator)
 {
 	void *ptr;
diff --git a/src/libstrongswan/collections/array.h b/src/libstrongswan/collections/array.h
index 0659c70bd..c3be1a15d 100644
--- a/src/libstrongswan/collections/array.h
+++ b/src/libstrongswan/collections/array.h
@@ -139,6 +139,21 @@ void array_insert(array_t *array, int idx, void *data);
 void array_insert_create(array_t **array, int idx, void *ptr);
 
 /**
+ * Create a value based array if it does not exist, insert value.
+ *
+ * This is a convenience function to insert a value and implicitly
+ * create a value based array if array is NULL. Array is set the the newly
+ * created array, if any.
+ *
+ * @param array			pointer to array reference, potentially NULL
+ * @param esize			element size of this array
+ * @param idx			index to insert item at
+ * @param val			pointer to value to insert
+ */
+void array_insert_create_value(array_t **array, u_int esize,
+							   int idx, void *val);
+
+/**
  * Insert all items from an enumerator to an array.
  *
  * @param array			array to add items to
diff --git a/src/libstrongswan/collections/linked_list.c b/src/libstrongswan/collections/linked_list.c
index a176e5a54..b8fe81578 100644
--- a/src/libstrongswan/collections/linked_list.c
+++ b/src/libstrongswan/collections/linked_list.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2011 Tobias Brunner
+ * Copyright (C) 2007-2015 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -433,6 +433,56 @@ METHOD(linked_list_t, clone_offset, linked_list_t*,
 	return clone;
 }
 
+METHOD(linked_list_t, equals_offset, bool,
+	private_linked_list_t *this, linked_list_t *other_pub, size_t offset)
+{
+	private_linked_list_t *other = (private_linked_list_t*)other_pub;
+	element_t *cur_t, *cur_o;
+
+	if (this->count != other->count)
+	{
+		return FALSE;
+	}
+	cur_t = this->first;
+	cur_o = other->first;
+	while (cur_t && cur_o)
+	{
+		bool (**method)(void*,void*) = cur_t->value + offset;
+		if (!(*method)(cur_t->value, cur_o->value))
+		{
+			return FALSE;
+		}
+		cur_t = cur_t->next;
+		cur_o = cur_o->next;
+	}
+	return TRUE;
+}
+
+METHOD(linked_list_t, equals_function, bool,
+	private_linked_list_t *this, linked_list_t *other_pub,
+	bool (*fn)(void*,void*))
+{
+	private_linked_list_t *other = (private_linked_list_t*)other_pub;
+	element_t *cur_t, *cur_o;
+
+	if (this->count != other->count)
+	{
+		return FALSE;
+	}
+	cur_t = this->first;
+	cur_o = other->first;
+	while (cur_t && cur_o)
+	{
+		if (!fn(cur_t->value, cur_o->value))
+		{
+			return FALSE;
+		}
+		cur_t = cur_t->next;
+		cur_o = cur_o->next;
+	}
+	return TRUE;
+}
+
 METHOD(linked_list_t, destroy, void,
 	private_linked_list_t *this)
 {
@@ -503,6 +553,8 @@ linked_list_t *linked_list_create()
 			.invoke_offset = (void*)_invoke_offset,
 			.invoke_function = (void*)_invoke_function,
 			.clone_offset = _clone_offset,
+			.equals_offset = _equals_offset,
+			.equals_function = _equals_function,
 			.destroy = _destroy,
 			.destroy_offset = _destroy_offset,
 			.destroy_function = _destroy_function,
diff --git a/src/libstrongswan/collections/linked_list.h b/src/libstrongswan/collections/linked_list.h
index abc33c12a..5edaa07aa 100644
--- a/src/libstrongswan/collections/linked_list.h
+++ b/src/libstrongswan/collections/linked_list.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2011 Tobias Brunner
+ * Copyright (C) 2007-2015 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -218,6 +218,27 @@ struct linked_list_t {
 	linked_list_t *(*clone_offset) (linked_list_t *this, size_t offset);
 
 	/**
+	 * Compare two lists and their objects for equality using the given equals
+	 * method.
+	 *
+	 * @param other		list to compare
+	 * @param offset	offset of the objects equals method
+	 * @return			TRUE if lists and objects are equal, FALSE otherwise
+	 */
+	bool (*equals_offset) (linked_list_t *this, linked_list_t *other,
+						   size_t offset);
+
+	/**
+	 * Compare two lists and their objects for equality using the given function.
+	 *
+	 * @param other		list to compare
+	 * @param function	function to compare the objects
+	 * @return			TRUE if lists and objects are equal, FALSE otherwise
+	 */
+	bool (*equals_function) (linked_list_t *this, linked_list_t *other,
+							 bool (*)(void*,void*));
+
+	/**
 	 * Destroys a linked_list object.
 	 */
 	void (*destroy) (linked_list_t *this);
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 9988d8021..956ce08c9 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -46,11 +46,13 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT,
 	"RULE_SUBJECT_CERT",
 	"RULE_CRL_VALIDATION",
 	"RULE_OCSP_VALIDATION",
+	"RULE_CERT_VALIDATION_SUSPENDED",
 	"RULE_GROUP",
 	"RULE_RSA_STRENGTH",
 	"RULE_ECDSA_STRENGTH",
 	"RULE_BLISS_STRENGTH",
 	"RULE_SIGNATURE_SCHEME",
+	"RULE_IKE_SIGNATURE_SCHEME",
 	"RULE_CERT_POLICY",
 	"HELPER_IM_CERT",
 	"HELPER_SUBJECT_CERT",
@@ -79,6 +81,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 		case AUTH_RULE_AAA_IDENTITY:
 		case AUTH_RULE_XAUTH_IDENTITY:
 		case AUTH_RULE_XAUTH_BACKEND:
+		case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
 		case AUTH_RULE_MAX:
@@ -91,6 +94,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 		case AUTH_RULE_IM_CERT:
 		case AUTH_RULE_CERT_POLICY:
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_REVOCATION_CERT:
@@ -211,6 +215,8 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+		case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 			/* integer type */
 			this->value = (void*)(uintptr_t)va_arg(args, u_int);
 			break;
@@ -260,6 +266,8 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+		case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 		{
 			return e1->value == e2->value;
 		}
@@ -351,6 +359,8 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+		case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 		case AUTH_RULE_MAX:
 			break;
 	}
@@ -383,6 +393,8 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
 			case AUTH_RULE_ECDSA_STRENGTH:
 			case AUTH_RULE_BLISS_STRENGTH:
 			case AUTH_RULE_SIGNATURE_SCHEME:
+			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+			case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 				/* integer type */
 				entry->value = (void*)(uintptr_t)va_arg(args, u_int);
 				break;
@@ -459,11 +471,13 @@ METHOD(auth_cfg_t, get, void*,
 		case AUTH_RULE_BLISS_STRENGTH:
 			return (void*)0;
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 			return (void*)HASH_UNKNOWN;
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_OCSP_VALIDATION:
 			return (void*)VALIDATION_FAILED;
 		case AUTH_RULE_IDENTITY_LOOSE:
+		case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 			return (void*)FALSE;
 		case AUTH_RULE_IDENTITY:
 		case AUTH_RULE_EAP_IDENTITY:
@@ -510,6 +524,183 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
 	}
 }
 
+METHOD(auth_cfg_t, add_pubkey_constraints, void,
+	private_auth_cfg_t *this, char* constraints, bool ike)
+{
+	enumerator_t *enumerator;
+	bool is_ike = FALSE, ike_added = FALSE;
+	key_type_t expected_type = -1;
+	auth_rule_t expected_strength = AUTH_RULE_MAX;
+	int strength;
+	char *token;
+	auth_rule_t type;
+	void *value;
+
+	enumerator = enumerator_create_token(constraints, "-", "");
+	while (enumerator->enumerate(enumerator, &token))
+	{
+		bool found = FALSE;
+		int i;
+		struct {
+			char *name;
+			signature_scheme_t scheme;
+			key_type_t key;
+		} schemes[] = {
+			{ "md5",		SIGN_RSA_EMSA_PKCS1_MD5,		KEY_RSA,	},
+			{ "sha1",		SIGN_RSA_EMSA_PKCS1_SHA1,		KEY_RSA,	},
+			{ "sha224",		SIGN_RSA_EMSA_PKCS1_SHA224,		KEY_RSA,	},
+			{ "sha256",		SIGN_RSA_EMSA_PKCS1_SHA256,		KEY_RSA,	},
+			{ "sha384",		SIGN_RSA_EMSA_PKCS1_SHA384,		KEY_RSA,	},
+			{ "sha512",		SIGN_RSA_EMSA_PKCS1_SHA512,		KEY_RSA,	},
+			{ "sha1",		SIGN_ECDSA_WITH_SHA1_DER,		KEY_ECDSA,	},
+			{ "sha256",		SIGN_ECDSA_WITH_SHA256_DER,		KEY_ECDSA,	},
+			{ "sha384",		SIGN_ECDSA_WITH_SHA384_DER,		KEY_ECDSA,	},
+			{ "sha512",		SIGN_ECDSA_WITH_SHA512_DER,		KEY_ECDSA,	},
+			{ "sha256",		SIGN_ECDSA_256,					KEY_ECDSA,	},
+			{ "sha384",		SIGN_ECDSA_384,					KEY_ECDSA,	},
+			{ "sha512",		SIGN_ECDSA_521,					KEY_ECDSA,	},
+			{ "sha256",		SIGN_BLISS_WITH_SHA2_256,		KEY_BLISS,	},
+			{ "sha384",		SIGN_BLISS_WITH_SHA2_384,		KEY_BLISS,	},
+			{ "sha512",		SIGN_BLISS_WITH_SHA2_512,		KEY_BLISS,	},
+		};
+
+		if (expected_strength != AUTH_RULE_MAX)
+		{	/* expecting a key strength token */
+			strength = atoi(token);
+			if (strength)
+			{
+				add(this, expected_strength, (uintptr_t)strength);
+			}
+			expected_strength = AUTH_RULE_MAX;
+			if (strength)
+			{
+				continue;
+			}
+		}
+		if (streq(token, "rsa") || streq(token, "ike:rsa"))
+		{
+			expected_type = KEY_RSA;
+			expected_strength = AUTH_RULE_RSA_STRENGTH;
+			is_ike = strpfx(token, "ike:");
+			continue;
+		}
+		if (streq(token, "ecdsa") || streq(token, "ike:ecdsa"))
+		{
+			expected_type = KEY_ECDSA;
+			expected_strength = AUTH_RULE_ECDSA_STRENGTH;
+			is_ike = strpfx(token, "ike:");
+			continue;
+		}
+		if (streq(token, "bliss") || streq(token, "ike:bliss"))
+		{
+			expected_type = KEY_BLISS;
+			expected_strength = AUTH_RULE_BLISS_STRENGTH;
+			is_ike = strpfx(token, "ike:");
+			continue;
+		}
+		if (streq(token, "pubkey") || streq(token, "ike:pubkey"))
+		{
+			expected_type = KEY_ANY;
+			is_ike = strpfx(token, "ike:");
+			continue;
+		}
+		if (is_ike && !ike)
+		{
+			continue;
+		}
+
+		for (i = 0; i < countof(schemes); i++)
+		{
+			if (streq(schemes[i].name, token))
+			{
+				if (expected_type == KEY_ANY || expected_type == schemes[i].key)
+				{
+					if (is_ike)
+					{
+						add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME,
+							(uintptr_t)schemes[i].scheme);
+						ike_added = TRUE;
+					}
+					else
+					{
+						add(this, AUTH_RULE_SIGNATURE_SCHEME,
+						   (uintptr_t)schemes[i].scheme);
+					}
+				}
+				found = TRUE;
+			}
+		}
+		if (!found)
+		{
+			DBG1(DBG_CFG, "ignoring invalid auth token: '%s'", token);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* if no explicit IKE signature contraints were added we add them for all
+	 * configured signature contraints */
+	if (ike && !ike_added &&
+		lib->settings->get_bool(lib->settings,
+							"%s.signature_authentication_constraints", TRUE,
+							lib->ns))
+	{
+		enumerator = create_enumerator(this);
+		while (enumerator->enumerate(enumerator, &type, &value))
+		{
+			if (type == AUTH_RULE_SIGNATURE_SCHEME)
+			{
+				add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME,
+					(uintptr_t)value);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
+ * Check if signature schemes of a specific type are compliant
+ */
+static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints,
+							auth_rule_t type, bool log_error)
+{
+	enumerator_t *e1, *e2;
+	auth_rule_t t1, t2;
+	signature_scheme_t scheme;
+	void *value;
+	bool success = TRUE;
+
+	e2 = create_enumerator(this);
+	while (e2->enumerate(e2, &t2, &scheme))
+	{
+		if (t2 == type)
+		{
+			success = FALSE;
+			e1 = constraints->create_enumerator(constraints);
+			while (e1->enumerate(e1, &t1, &value))
+			{
+				if (t1 == type && (uintptr_t)value == scheme)
+				{
+					success = TRUE;
+					break;
+				}
+			}
+			e1->destroy(e1);
+			if (!success)
+			{
+				if (log_error)
+				{
+					DBG1(DBG_CFG, "%s signature scheme %N not acceptable",
+						 AUTH_RULE_SIGNATURE_SCHEME == type ? "X.509" : "IKE",
+						 signature_scheme_names, (int)scheme);
+				}
+				break;
+			}
+		}
+	}
+	e2->destroy(e2);
+	return success;
+}
+
 METHOD(auth_cfg_t, complies, bool,
 	private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error)
 {
@@ -518,7 +709,7 @@ METHOD(auth_cfg_t, complies, bool,
 	bool ca_match = FALSE, cert_match = FALSE;
 	identification_t *require_group = NULL;
 	certificate_t *require_ca = NULL, *require_cert = NULL;
-	signature_scheme_t scheme = SIGN_UNKNOWN;
+	signature_scheme_t ike_scheme = SIGN_UNKNOWN, scheme = SIGN_UNKNOWN;
 	u_int strength = 0;
 	auth_rule_t t1, t2;
 	char *key_type;
@@ -573,6 +764,11 @@ METHOD(auth_cfg_t, complies, bool,
 			{
 				uintptr_t validated;
 
+				if (get(this, AUTH_RULE_CERT_VALIDATION_SUSPENDED))
+				{	/* skip validation, may happen later */
+					break;
+				}
+
 				e2 = create_enumerator(this);
 				while (e2->enumerate(e2, &t2, &validated))
 				{
@@ -714,6 +910,11 @@ METHOD(auth_cfg_t, complies, bool,
 				strength = (uintptr_t)value;
 				break;
 			}
+			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+			{
+				ike_scheme = (uintptr_t)value;
+				break;
+			}
 			case AUTH_RULE_SIGNATURE_SCHEME:
 			{
 				scheme = (uintptr_t)value;
@@ -745,6 +946,8 @@ METHOD(auth_cfg_t, complies, bool,
 				/* just an indication when verifying AUTH_RULE_IDENTITY */
 			case AUTH_RULE_XAUTH_BACKEND:
 				/* not enforced, just a hint for local authentication */
+			case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
+				/* not a constraint */
 			case AUTH_HELPER_IM_CERT:
 			case AUTH_HELPER_SUBJECT_CERT:
 			case AUTH_HELPER_IM_HASH_URL:
@@ -766,35 +969,13 @@ METHOD(auth_cfg_t, complies, bool,
 	 * signature schemes. */
 	if (success && scheme != SIGN_UNKNOWN)
 	{
-		e2 = create_enumerator(this);
-		while (e2->enumerate(e2, &t2, &scheme))
-		{
-			if (t2 == AUTH_RULE_SIGNATURE_SCHEME)
-			{
-				success = FALSE;
-				e1 = constraints->create_enumerator(constraints);
-				while (e1->enumerate(e1, &t1, &value))
-				{
-					if (t1 == AUTH_RULE_SIGNATURE_SCHEME &&
-						(uintptr_t)value == scheme)
-					{
-						success = TRUE;
-						break;
-					}
-				}
-				e1->destroy(e1);
-				if (!success)
-				{
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "signature scheme %N not acceptable",
-							 signature_scheme_names, (int)scheme);
-					}
-					break;
-				}
-			}
-		}
-		e2->destroy(e2);
+		success = complies_scheme(this, constraints,
+								  AUTH_RULE_SIGNATURE_SCHEME, log_error);
+	}
+	if (success && ike_scheme != SIGN_UNKNOWN)
+	{
+		success = complies_scheme(this, constraints,
+								  AUTH_RULE_IKE_SIGNATURE_SCHEME, log_error);
 	}
 
 	/* Check if we have a matching constraint (or none at all) for used
@@ -918,6 +1099,8 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_RULE_ECDSA_STRENGTH:
 				case AUTH_RULE_BLISS_STRENGTH:
 				case AUTH_RULE_SIGNATURE_SCHEME:
+				case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+				case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 				{
 					add(this, type, (uintptr_t)value);
 					break;
@@ -1088,6 +1271,8 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_RULE_ECDSA_STRENGTH:
 			case AUTH_RULE_BLISS_STRENGTH:
 			case AUTH_RULE_SIGNATURE_SCHEME:
+			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+			case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 				clone->add(clone, type, (uintptr_t)value);
 				break;
 			case AUTH_RULE_MAX:
@@ -1116,6 +1301,7 @@ auth_cfg_t *auth_cfg_create()
 	INIT(this,
 		.public = {
 			.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add,
+			.add_pubkey_constraints = _add_pubkey_constraints,
 			.get = _get,
 			.create_enumerator = _create_enumerator,
 			.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace,
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 53f1b3805..6940069de 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -94,6 +94,8 @@ enum auth_rule_t {
 	AUTH_RULE_CRL_VALIDATION,
 	/** result of a OCSP validation, cert_validation_t */
 	AUTH_RULE_OCSP_VALIDATION,
+	/** CRL/OCSP validation is disabled, bool */
+	AUTH_RULE_CERT_VALIDATION_SUSPENDED,
 	/** subject is member of a group, identification_t*
 	 * The group membership constraint is fulfilled if the subject is member of
 	 * one group defined in the constraints. */
@@ -106,6 +108,8 @@ enum auth_rule_t {
 	AUTH_RULE_BLISS_STRENGTH,
 	/** required signature scheme, signature_scheme_t */
 	AUTH_RULE_SIGNATURE_SCHEME,
+	/** required signature scheme for IKE authentication, signature_scheme_t */
+	AUTH_RULE_IKE_SIGNATURE_SCHEME,
 	/** certificatePolicy constraint, numerical OID as char* */
 	AUTH_RULE_CERT_POLICY,
 
@@ -182,6 +186,15 @@ struct auth_cfg_t {
 	void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
 
 	/**
+	 * Add public key and signature scheme constraints to the set.
+	 *
+	 * @param constraints	constraints string (e.g. "rsa-sha384")
+	 * @param ike			whether to add/parse constraints for IKE signatures
+	 */
+	void (*add_pubkey_constraints)(auth_cfg_t *this, char *constraints,
+								   bool ike);
+
+	/**
 	 * Get a rule value.
 	 *
 	 * For rules we expect only once the latest value is returned.
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index b281c1669..761082986 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -22,10 +23,10 @@ ENUM(certificate_type_names, CERT_ANY, CERT_GPG,
 	"ANY",
 	"X509",
 	"X509_CRL",
-	"X509_OCSP_REQUEST",
-	"X509_OCSP_RESPONSE",
+	"OCSP_REQUEST",
+	"OCSP_RESPONSE",
 	"X509_AC",
-	"TRUSTED_PUBKEY",
+	"PUBKEY",
 	"PKCS10_REQUEST",
 	"PGP",
 );
diff --git a/src/libstrongswan/credentials/certificates/certificate_printer.c b/src/libstrongswan/credentials/certificates/certificate_printer.c
new file mode 100644
index 000000000..c618e80bf
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/certificate_printer.c
@@ -0,0 +1,753 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "certificate_printer.h"
+#include "credentials/certificates/x509.h"
+#include "credentials/certificates/crl.h"
+#include "credentials/certificates/ac.h"
+#include "credentials/certificates/ocsp_response.h"
+#include "credentials/certificates/pgp_certificate.h"
+
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+#include <selectors/traffic_selector.h>
+
+#include <time.h>
+
+typedef struct private_certificate_printer_t private_certificate_printer_t;
+
+/**
+ * Private data of an certificate_printer_t object.
+ */
+struct private_certificate_printer_t {
+
+	/**
+	 * Public certificate_printer_t interface.
+	 */
+	certificate_printer_t public;
+
+	/**
+	 * File to print to
+	 */
+	FILE *f;
+
+	/**
+	 * Print detailed certificate information
+	 */
+	bool detailed;
+
+	/**
+	 * Print time information in UTC
+	 */
+	bool utc;
+
+	/**
+	 * Previous certificate type
+	 */
+	certificate_type_t type;
+
+	/**
+	 * Previous X.509 certificate flag
+	 */
+	x509_flag_t flag;
+
+};
+
+/**
+ * Print X509 specific certificate information
+ */
+static void print_x509(private_certificate_printer_t *this, x509_t *x509)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	traffic_selector_t *block;
+	chunk_t chunk;
+	bool first;
+	char *uri;
+	int len, explicit, inhibit;
+	x509_flag_t flags;
+	x509_cdp_t *cdp;
+	x509_cert_policy_t *policy;
+	x509_policy_mapping_t *mapping;
+	FILE *f = this->f;
+
+	chunk = chunk_skip_zero(x509->get_serial(x509));
+	fprintf(f, "  serial:    %#B\n", &chunk);
+
+	first = TRUE;
+	enumerator = x509->create_subjectAltName_enumerator(x509);
+	while (enumerator->enumerate(enumerator, &id))
+	{
+		if (first)
+		{
+			fprintf(f, "  altNames:  ");
+			first = FALSE;
+		}
+		else
+		{
+			fprintf(f, ", ");
+		}
+		fprintf(f, "%Y", id);
+	}
+	if (!first)
+	{
+		fprintf(f, "\n");
+	}
+	enumerator->destroy(enumerator);
+
+	if (this->detailed)
+	{
+		flags = x509->get_flags(x509);
+		if (flags != X509_NONE)
+		{
+			fprintf(f, "  flags:     ");
+			if (flags & X509_CA)
+			{
+				fprintf(f, "CA ");
+			}
+			if (flags & X509_CRL_SIGN)
+			{
+				fprintf(f, "CRLSign ");
+			}
+			if (flags & X509_OCSP_SIGNER)
+			{
+				fprintf(f, "ocspSigning ");
+			}
+			if (flags & X509_SERVER_AUTH)
+			{
+				fprintf(f, "serverAuth ");
+			}
+			if (flags & X509_CLIENT_AUTH)
+			{
+				fprintf(f, "clientAuth ");
+			}
+			if (flags & X509_IKE_INTERMEDIATE)
+			{
+				fprintf(f, "ikeIntermediate ");
+			}
+			if (flags & X509_MS_SMARTCARD_LOGON)
+			{
+				fprintf(f, "msSmartcardLogon");
+			}
+			if (flags & X509_SELF_SIGNED)
+			{
+				fprintf(f, "self-signed ");
+			}
+			fprintf(f, "\n");
+		}
+
+		first = TRUE;
+		enumerator = x509->create_crl_uri_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &cdp))
+		{
+			if (first)
+			{
+				fprintf(f, "  CRL URIs:  %s", cdp->uri);
+				first = FALSE;
+			}
+			else
+			{
+				fprintf(f, "           %s", cdp->uri);
+			}
+			if (cdp->issuer)
+			{
+				fprintf(f, " (CRL issuer: %Y)", cdp->issuer);
+			}
+			fprintf(f, "\n");
+		}
+		enumerator->destroy(enumerator);
+
+		first = TRUE;
+		enumerator = x509->create_ocsp_uri_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &uri))
+		{
+			if (first)
+			{
+				fprintf(f, "  OCSP URIs: %s\n", uri);
+				first = FALSE;
+			}
+			else
+			{
+				fprintf(f, "           %s\n", uri);
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		len = x509->get_constraint(x509, X509_PATH_LEN);
+		if (len != X509_NO_CONSTRAINT)
+		{
+			fprintf(f, "  pathlen:   %d\n", len);
+		}
+
+		first = TRUE;
+		enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
+		while (enumerator->enumerate(enumerator, &id))
+		{
+			if (first)
+			{
+				fprintf(f, "  permitted nameConstraints:\n");
+				first = FALSE;
+			}
+			fprintf(f, "           %Y\n", id);
+		}
+		enumerator->destroy(enumerator);
+
+		first = TRUE;
+		enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
+		while (enumerator->enumerate(enumerator, &id))
+		{
+			if (first)
+			{
+				fprintf(f, "  excluded nameConstraints:\n");
+				first = FALSE;
+			}
+			fprintf(f, "           %Y\n", id);
+		}
+		enumerator->destroy(enumerator);
+
+		first = TRUE;
+		enumerator = x509->create_cert_policy_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &policy))
+		{
+			char *oid;
+
+			if (first)
+			{
+				fprintf(f, "  certificatePolicies:\n");
+				first = FALSE;
+			}
+			oid = asn1_oid_to_string(policy->oid);
+			if (oid)
+			{
+				fprintf(f, "             %s\n", oid);
+				free(oid);
+			}
+			else
+			{
+				fprintf(f, "             %#B\n", &policy->oid);
+			}
+			if (policy->cps_uri)
+			{
+				fprintf(f, "             CPS: %s\n", policy->cps_uri);
+			}
+			if (policy->unotice_text)
+			{
+				fprintf(f, "             Notice: %s\n", policy->unotice_text);
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		first = TRUE;
+		enumerator = x509->create_policy_mapping_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &mapping))
+		{
+			char *issuer_oid, *subject_oid;
+
+			if (first)
+			{
+				fprintf(f, "  policyMappings:\n");
+				first = FALSE;
+			}
+			issuer_oid = asn1_oid_to_string(mapping->issuer);
+			subject_oid = asn1_oid_to_string(mapping->subject);
+			fprintf(f, "           %s => %s\n", issuer_oid, subject_oid);
+			free(issuer_oid);
+			free(subject_oid);
+		}
+		enumerator->destroy(enumerator);
+
+		explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
+		inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
+		len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
+
+		if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
+			len != X509_NO_CONSTRAINT)
+		{
+			fprintf(f, "  policyConstraints:\n");
+			if (explicit != X509_NO_CONSTRAINT)
+			{
+				fprintf(f, "           requireExplicitPolicy: %d\n", explicit);
+			}
+			if (inhibit != X509_NO_CONSTRAINT)
+			{
+				fprintf(f, "           inhibitPolicyMapping: %d\n", inhibit);
+			}
+			if (len != X509_NO_CONSTRAINT)
+			{
+				fprintf(f, "           inhibitAnyPolicy: %d\n", len);
+			}
+		}
+
+		if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+		{
+			first = TRUE;
+			fprintf(f, "  addresses: ");
+			enumerator = x509->create_ipAddrBlock_enumerator(x509);
+			while (enumerator->enumerate(enumerator, &block))
+			{
+				if (first)
+				{
+					first = FALSE;
+				}
+				else
+				{
+					fprintf(f, ", ");
+				}
+				fprintf(f, "%R", block);
+			}
+			enumerator->destroy(enumerator);
+			fprintf(f, "\n");
+		}
+	}
+
+	chunk = x509->get_authKeyIdentifier(x509);
+	if (chunk.ptr)
+	{
+		fprintf(f, "  authkeyId: %#B\n", &chunk);
+	}
+
+	chunk = x509->get_subjectKeyIdentifier(x509);
+	if (chunk.ptr)
+	{
+		fprintf(f, "  subjkeyId: %#B\n", &chunk);
+	}
+}
+
+/**
+ * Print CRL specific information
+ */
+static void print_crl(private_certificate_printer_t *this, crl_t *crl)
+{
+	enumerator_t *enumerator;
+	time_t ts;
+	crl_reason_t reason;
+	chunk_t chunk;
+	int count = 0;
+	bool first;
+	x509_cdp_t *cdp;
+	FILE *f = this->f;
+
+	chunk = chunk_skip_zero(crl->get_serial(crl));
+	fprintf(f, "  serial:    %#B\n", &chunk);
+
+	if (crl->is_delta_crl(crl, &chunk))
+	{
+		chunk = chunk_skip_zero(chunk);
+		fprintf(f, "  delta CRL: for serial %#B\n", &chunk);
+	}
+	chunk = crl->get_authKeyIdentifier(crl);
+	fprintf(f, "  authKeyId: %#B\n", &chunk);
+
+	first = TRUE;
+	enumerator = crl->create_delta_crl_uri_enumerator(crl);
+	while (enumerator->enumerate(enumerator, &cdp))
+	{
+		if (first)
+		{
+			fprintf(f, "  freshest:  %s", cdp->uri);
+			first = FALSE;
+		}
+		else
+		{
+			fprintf(f, "             %s", cdp->uri);
+		}
+		if (cdp->issuer)
+		{
+			fprintf(f, " (CRL issuer: %Y)", cdp->issuer);
+		}
+		fprintf(f, "\n");
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = crl->create_enumerator(crl);
+	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
+	{
+		count++;
+	}
+	enumerator->destroy(enumerator);
+
+	fprintf(f, "  %d revoked certificate%s%s\n", count, (count == 1) ? "" : "s",
+				(count && this->detailed) ? ":" : "");
+
+	if (this->detailed)
+	{
+		enumerator = crl->create_enumerator(crl);
+		while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
+		{
+			chunk = chunk_skip_zero(chunk);
+			fprintf(f, "    %#B: %T, %N\n", &chunk, &ts, this->utc,
+											crl_reason_names, reason);
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
+ * Print AC specific information
+ */
+static void print_ac(private_certificate_printer_t *this, ac_t *ac)
+{
+	ac_group_type_t type;
+	identification_t *id;
+	enumerator_t *groups;
+	chunk_t chunk;
+	bool first = TRUE;
+	FILE *f = this->f;
+
+	chunk = chunk_skip_zero(ac->get_serial(ac));
+	fprintf(f, "  serial:    %#B\n", &chunk);
+
+	id = ac->get_holderIssuer(ac);
+	if (id)
+	{
+		fprintf(f, "  hissuer:  \"%Y\"\n", id);
+	}
+	chunk = chunk_skip_zero(ac->get_holderSerial(ac));
+	if (chunk.ptr)
+	{
+		fprintf(f, "  hserial:   %#B\n", &chunk);
+	}
+	groups = ac->create_group_enumerator(ac);
+	while (groups->enumerate(groups, &type, &chunk))
+	{
+		int oid;
+		char *str;
+
+		if (first)
+		{
+			fprintf(f, "  groups:    ");
+			first = FALSE;
+		}
+		else
+		{
+			fprintf(f, "             ");
+		}
+		switch (type)
+		{
+			case AC_GROUP_TYPE_STRING:
+				fprintf(f, "%.*s", (int)chunk.len, chunk.ptr);
+				break;
+			case AC_GROUP_TYPE_OID:
+				oid = asn1_known_oid(chunk);
+				if (oid == OID_UNKNOWN)
+				{
+					str = asn1_oid_to_string(chunk);
+					if (str)
+					{
+						fprintf(f, "%s", str);
+						free(str);
+					}
+					else
+					{
+						fprintf(f, "OID:%#B", &chunk);
+					}
+				}
+				else
+				{
+					fprintf(f, "%s", oid_names[oid].name);
+				}
+				break;
+			case AC_GROUP_TYPE_OCTETS:
+				fprintf(f, "%#B", &chunk);
+				break;
+		}
+		fprintf(f, "\n");
+	}
+	groups->destroy(groups);
+
+	chunk = ac->get_authKeyIdentifier(ac);
+	if (chunk.ptr)
+	{
+		fprintf(f, "  authkey:  %#B\n", &chunk);
+	}
+}
+
+/**
+ * Print OCSP response specific information
+ */
+static void print_ocsp_response(private_certificate_printer_t *this,
+								ocsp_response_t *ocsp_response)
+{
+	enumerator_t *enumerator;
+	chunk_t serialNumber;
+	cert_validation_t status;
+	char *status_text;
+	time_t revocationTime;
+	crl_reason_t *revocationReason;
+	bool first = TRUE;
+	FILE *f = this->f;
+
+	if (this->detailed)
+	{
+		fprintf(f, "  responses: ");
+
+		enumerator = ocsp_response->create_response_enumerator(ocsp_response);
+		while (enumerator->enumerate(enumerator, &serialNumber, &status,
+									 &revocationTime, &revocationReason))
+		{
+			if (first)
+			{
+				first = FALSE;
+			}
+			else
+			{
+				fprintf(f, "             ");
+			}
+			serialNumber = chunk_skip_zero(serialNumber);
+
+			switch (status)
+			{
+				case VALIDATION_GOOD:
+					status_text = "good";
+					break;
+				case VALIDATION_REVOKED:
+					status_text = "revoked";
+					break;
+				default:
+					status_text = "unknown";
+			}
+			fprintf(f, "%#B: %s", &serialNumber, status_text);
+
+			if (status == VALIDATION_REVOKED)
+			{
+				fprintf(f, " on %T, %N", &revocationTime, this->utc,
+							 crl_reason_names, revocationReason);
+			}
+			fprintf(f, "\n");
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
+ * Print public key information
+ */
+static void print_pubkey(private_certificate_printer_t *this, public_key_t *key,
+						 bool has_privkey)
+{
+	chunk_t chunk;
+	FILE *f = this->f;
+
+	fprintf(f, "  pubkey:    %N %d bits", key_type_names, key->get_type(key),
+				key->get_keysize(key));
+	if (has_privkey)
+	{
+		fprintf(f, ", has private key");
+	}
+	fprintf(f, "\n");
+	if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
+	{
+		fprintf(f, "  keyid:     %#B\n", &chunk);
+	}
+	if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
+	{
+		fprintf(f, "  subjkey:   %#B\n", &chunk);
+	}
+}
+
+METHOD(certificate_printer_t, print, void,
+	private_certificate_printer_t *this, certificate_t *cert, bool has_privkey)
+{
+	time_t now, notAfter, notBefore;
+	certificate_type_t type;
+	identification_t *subject;
+	char *t0, *t1, *t2;
+	public_key_t *key;
+	FILE *f = this->f;
+
+	now = time(NULL);
+	type = cert->get_type(cert);
+	subject = cert->get_subject(cert);
+
+	if ((type != CERT_X509_CRL && type != CERT_X509_OCSP_RESPONSE &&
+		 type != CERT_TRUSTED_PUBKEY) ||
+	    (type == CERT_TRUSTED_PUBKEY && subject->get_type(subject) != ID_KEY_ID))
+	{
+		fprintf(f, "  subject:  \"%Y\"\n", subject);
+	}
+	if (type != CERT_TRUSTED_PUBKEY && type != CERT_GPG)
+	{
+		fprintf(f, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
+	}
+
+	/* list validity if set */
+	cert->get_validity(cert, &now, &notBefore, &notAfter);
+	if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
+	{
+		if (type == CERT_GPG)
+		{
+			fprintf(f, "  created:   %T\n", &notBefore, this->utc);
+			fprintf(f, "  until:     %T%s\n", &notAfter, this->utc,
+				(notAfter == TIME_32_BIT_SIGNED_MAX) ?" expires never" : "");
+		}
+		else
+		{
+			 if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE)
+			{
+				t0 = "update:  ";
+				t1 = "this on";
+				t2 = "next on";
+			}
+			else
+			{
+				t0 = "validity:";
+				t1 = "not before";
+				t2 = "not after ";
+			}
+			fprintf(f, "  %s  %s %T, ", t0, t1, &notBefore, this->utc);
+			if (now < notBefore)
+			{
+				fprintf(f, "not valid yet (valid in %V)\n", &now, &notBefore);
+			}
+			else
+			{
+				fprintf(f, "ok\n");
+			}
+			fprintf(f, "             %s %T, ", t2, &notAfter, this->utc);
+			if (now > notAfter)
+			{
+				fprintf(f, "expired (%V ago)\n", &now, &notAfter);
+			}
+			else
+			{
+				fprintf(f, "ok (expires in %V)\n", &now, &notAfter);
+			}
+		}
+	}
+
+	switch (cert->get_type(cert))
+	{
+		case CERT_X509:
+			print_x509(this, (x509_t*)cert);
+			break;
+		case CERT_X509_CRL:
+			print_crl(this, (crl_t*)cert);
+			break;
+		case CERT_X509_AC:
+			print_ac(this, (ac_t*)cert);
+			break;
+		case CERT_X509_OCSP_RESPONSE:
+			print_ocsp_response(this, (ocsp_response_t*)cert);
+			break;
+		case CERT_TRUSTED_PUBKEY:
+		default:
+			break;
+	}
+	if (type == CERT_GPG)
+	{
+		pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
+		chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
+
+		fprintf(f, "  pgpDigest: %#B\n", &fingerprint);
+	}
+	key = cert->get_public_key(cert);
+	if (key)
+	{
+		print_pubkey(this, key, has_privkey);
+		key->destroy(key);
+	}
+}
+
+METHOD(certificate_printer_t, print_caption, void,
+	private_certificate_printer_t *this, certificate_type_t type,
+	x509_flag_t flag)
+{
+	char *caption;
+
+	if (type != this->type || (type == CERT_X509 && flag != this->flag))
+	{
+		switch (type)
+		{
+			case CERT_X509:
+				switch (flag)
+				{
+					case X509_NONE:
+						caption = "X.509 End Entity Certificate";
+						break;
+					case X509_CA:
+						caption = "X.509 CA Certificate";
+						break;
+					case X509_AA:
+						caption = "X.509 AA Certificate";
+						break;
+					case X509_OCSP_SIGNER:
+						caption = "X.509 OCSP Signer Certificate";
+						break;
+					default:
+						return;
+				}
+				break;
+			case CERT_X509_AC:
+				caption = "X.509 Attribute Certificate";
+				break;
+			case CERT_X509_CRL:
+				caption = "X.509 CRL";
+				break;
+			case CERT_X509_OCSP_RESPONSE:
+				caption = "OCSP Response";
+				break;
+			case CERT_TRUSTED_PUBKEY:
+				caption = "Raw Public Key";
+				break;
+			case CERT_GPG:
+				caption = "PGP End Entity Certificate";
+				break;
+			default:
+				return;
+		}
+		fprintf(this->f, "\nList of %ss\n", caption);
+
+		/* Update to current type and flag value */
+		this->type = type;
+		if (type == CERT_X509)
+		{
+			this->flag = flag;
+		}
+	}
+	fprintf(this->f, "\n");
+}
+
+METHOD(certificate_printer_t, destroy, void,
+	private_certificate_printer_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+certificate_printer_t *certificate_printer_create(FILE *f, bool detailed,
+												  bool utc)
+{
+	private_certificate_printer_t *this;
+
+	INIT(this,
+		.public = {
+			.print = _print,
+			.print_caption = _print_caption,
+			.destroy = _destroy,
+		},
+		.f = f,
+		.detailed = detailed,
+		.utc = utc,
+		.type = CERT_ANY,
+		.flag = X509_ANY,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/credentials/certificates/certificate_printer.h b/src/libstrongswan/credentials/certificates/certificate_printer.h
new file mode 100644
index 000000000..7953eb060
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/certificate_printer.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup certificate_printer certificate_printer
+ * @{ @ingroup certificates
+ */
+
+#ifndef CERTIFICATE_PRINTER_H_
+#define CERTIFICATE_PRINTER_H_
+
+typedef struct certificate_printer_t certificate_printer_t;
+
+#include "credentials/certificates/certificate.h"
+#include "credentials/certificates/x509.h"
+
+#include <stdio.h>
+
+/**
+ * An object for printing certificate information.
+ */
+struct certificate_printer_t {
+
+	/**
+	 * Print a certificate.
+	 *
+	 * @param cert			certificate to be printed
+	 * @param has_privkey	indicates that certificate has a matching private key
+	 */
+	void (*print)(certificate_printer_t *this, certificate_t *cert,
+				  bool has_privkey);
+
+	/**
+	 * Print a caption if the certificate type changed.
+	 *
+	 * @param type		certificate type
+	 * @param flag		X.509 certificate flag
+	 */
+	void (*print_caption)(certificate_printer_t *this, certificate_type_t type,
+						  x509_flag_t flag);
+
+	/**
+	 * Destroy the certificate_printer object.
+	 */
+	void (*destroy)(certificate_printer_t *this);
+};
+
+/**
+ * Create a certificate_printer object
+ *
+ * @param f				file where print output is directed to (usually stdout)
+ * @param detailed		print more detailed certificate information
+ * @param utc			print time inforamtion in UTC
+ */
+certificate_printer_t* certificate_printer_create(FILE *f, bool detailed,
+												  bool utc);
+
+#endif /** CERTIFICATE_PRINTER_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.h b/src/libstrongswan/credentials/certificates/ocsp_response.h
index 9c5637b9f..c6a4c1277 100644
--- a/src/libstrongswan/credentials/certificates/ocsp_response.h
+++ b/src/libstrongswan/credentials/certificates/ocsp_response.h
@@ -77,6 +77,13 @@ struct ocsp_response_t {
 	 * @return					enumerator over certificate_t*
 	 */
 	enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this);
+
+	/**
+	 * Create an enumerator over the contained responses.
+	 *
+	 * @return					enumerator over major response fields
+	 */
+	enumerator_t* (*create_response_enumerator)(ocsp_response_t *this);
 };
 
 #endif /** OCSP_RESPONSE_H_ @}*/
diff --git a/src/libhydra/tests/hydra_tests.h b/src/libstrongswan/credentials/certificates/x509.c
index 6b213d026..5eefa0bb4 100644
--- a/src/libhydra/tests/hydra_tests.h
+++ b/src/libstrongswan/credentials/certificates/x509.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2014 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -12,3 +12,16 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
+#include "x509.h"
+
+ENUM_BEGIN(x509_flag_names, X509_NONE, X509_AA,
+	"NONE",
+	"CA",
+	"AA");
+ENUM_NEXT(x509_flag_names, X509_OCSP_SIGNER, X509_OCSP_SIGNER, X509_AA,
+	"OCSP");
+ENUM_NEXT(x509_flag_names, X509_ANY, X509_ANY, X509_OCSP_SIGNER,
+	"ANY");
+ENUM_END(x509_flag_names, X509_ANY);
+
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 6cbfcdeed..601c034ef 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -46,6 +46,8 @@ enum x509_flag_t {
 	X509_AA =                 (1<<1),
 	/** cert has OCSP signer constraint */
 	X509_OCSP_SIGNER =        (1<<2),
+    /** cert has either CA, AA or OCSP constraint */
+	X509_ANY = X509_CA | X509_AA | X509_OCSP_SIGNER,
 	/** cert has serverAuth key usage */
 	X509_SERVER_AUTH =        (1<<3),
 	/** cert has clientAuth key usage */
@@ -62,6 +64,8 @@ enum x509_flag_t {
 	X509_MS_SMARTCARD_LOGON = (1<<9),
 };
 
+extern enum_name_t *x509_flag_names;
+
 /**
  * Different numerical X.509 constraints.
  */
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index 371e6404d..95c5cd777 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -917,6 +918,8 @@ METHOD(enumerator_t, trusted_destroy, void,
 	DESTROY_IF(this->auth);
 	DESTROY_IF(this->candidates);
 	this->failed->destroy_offset(this->failed, offsetof(certificate_t, destroy));
+	/* check for delayed certificate cache queue */
+	cache_queue(this->this);
 	free(this);
 }
 
@@ -985,7 +988,6 @@ METHOD(enumerator_t, public_destroy, void,
 		this->wrapper->destroy(this->wrapper);
 	}
 	this->this->lock->unlock(this->this->lock);
-
 	/* check for delayed certificate cache queue */
 	cache_queue(this->this);
 	free(this);
@@ -993,7 +995,7 @@ METHOD(enumerator_t, public_destroy, void,
 
 METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
 	private_credential_manager_t *this, key_type_t type, identification_t *id,
-	auth_cfg_t *auth)
+	auth_cfg_t *auth, bool online)
 {
 	public_enumerator_t *enumerator;
 
@@ -1002,7 +1004,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
 			.enumerate = (void*)_public_enumerate,
 			.destroy = _public_destroy,
 		},
-		.inner = create_trusted_enumerator(this, type, id, TRUE),
+		.inner = create_trusted_enumerator(this, type, id, online),
 		.this = this,
 	);
 	if (auth)
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
index 445ea3f9c..022ca566c 100644
--- a/src/libstrongswan/credentials/credential_manager.h
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -202,14 +203,18 @@ struct credential_manager_t {
 	 * where the auth config helper contains rules for constraint checks.
 	 * This function is very similar to create_trusted_enumerator(), but
 	 * gets public keys directly.
+	 * If online is set, revocations are checked online for the whole
+	 * trustchain.
 	 *
 	 * @param type		type of the key to get
 	 * @param id		owner of the key, signer of the signature
 	 * @param auth		authentication infos
+	 * @param online	whether revocations should be checked online
 	 * @return			enumerator
 	 */
 	enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
-					key_type_t type, identification_t *id, auth_cfg_t *auth);
+					key_type_t type, identification_t *id, auth_cfg_t *auth,
+					bool online);
 
 	/**
 	 * Cache a certificate by invoking cache_cert() on all registered sets.
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index dc73ccc68..e130b93ee 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2009-2016 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -61,6 +61,31 @@ struct private_library_t {
 	refcount_t ref;
 };
 
+#define MAX_NAMESPACES 5
+
+/**
+ * Additional namespaces registered using __atrribute__((constructor))
+ */
+static char *namespaces[MAX_NAMESPACES];
+static int ns_count;
+
+/**
+ * Described in header
+ */
+void library_add_namespace(char *ns)
+{
+	if (ns_count < MAX_NAMESPACES - 1)
+	{
+		namespaces[ns_count] = ns;
+		ns_count++;
+	}
+	else
+	{
+		fprintf(stderr, "failed to register additional namespace alias, please "
+				"increase MAX_NAMESPACES");
+	}
+}
+
 /**
  * library instance
  */
@@ -248,6 +273,7 @@ bool library_init(char *settings, const char *namespace)
 {
 	private_library_t *this;
 	printf_hook_t *pfh;
+	int i;
 
 	if (lib)
 	{	/* already initialized, increase refcount */
@@ -311,6 +337,11 @@ bool library_init(char *settings, const char *namespace)
 									 (hashtable_equals_t)equals, 4);
 
 	this->public.settings = settings_create(this->public.conf);
+	/* add registered aliases */
+	for (i = 0; i < ns_count; ++i)
+	{
+		lib->settings->add_fallback(lib->settings, lib->ns, namespaces[i]);
+	}
 	/* all namespace settings may fall back to libstrongswan */
 	lib->settings->add_fallback(lib->settings, lib->ns, "libstrongswan");
 
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 3a6dd1ba4..08316fd13 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2014 Tobias Brunner
+ * Copyright (C) 2010-2016 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -276,4 +276,14 @@ void library_deinit();
  */
 extern library_t *lib;
 
+/**
+ * Add additional names used as alias for the namespace registered with
+ * library_init().
+ *
+ * To be called from __attribute__((constructor)) functions.
+ *
+ * @param ns			additional namespace
+ */
+void library_add_namespace(char *ns);
+
 #endif /** LIBRARY_H_ @}*/
diff --git a/src/libstrongswan/plugins/acert/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in
index 65542ea5d..034ab48e0 100644
--- a/src/libstrongswan/plugins/acert/Makefile.in
+++ b/src/libstrongswan/plugins/acert/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 9d79c81ee..6ad68a55a 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/aesni/Makefile.in b/src/libstrongswan/plugins/aesni/Makefile.in
index 34adaa390..7f91e439c 100644
--- a/src/libstrongswan/plugins/aesni/Makefile.in
+++ b/src/libstrongswan/plugins/aesni/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index 4a86f9640..7aaea450c 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 292c2fd90..cbdc8e84e 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/bliss/Makefile.in b/src/libstrongswan/plugins/bliss/Makefile.in
index 1361dd340..8f91cdcbe 100644
--- a/src/libstrongswan/plugins/bliss/Makefile.in
+++ b/src/libstrongswan/plugins/bliss/Makefile.in
@@ -433,6 +433,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.in b/src/libstrongswan/plugins/bliss/tests/Makefile.in
index 5a1ce3d50..43e508ba0 100644
--- a/src/libstrongswan/plugins/bliss/tests/Makefile.in
+++ b/src/libstrongswan/plugins/bliss/tests/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index f19616552..a6c3287f4 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index ca7cadbe4..3d56b9802 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/chapoly/Makefile.in b/src/libstrongswan/plugins/chapoly/Makefile.in
index 98e1f4d9e..b3506587d 100644
--- a/src/libstrongswan/plugins/chapoly/Makefile.in
+++ b/src/libstrongswan/plugins/chapoly/Makefile.in
@@ -428,6 +428,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c b/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c
index 54e934e6a..dfed4d53d 100644
--- a/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c
+++ b/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c
@@ -58,27 +58,6 @@ struct private_chapoly_drv_portable_t {
 };
 
 /**
- * Convert unaligned little endian to host byte order
- */
-static inline u_int32_t uletoh32(void *p)
-{
-	u_int32_t ret;
-
-	memcpy(&ret, p, sizeof(ret));
-	ret = le32toh(ret);
-	return ret;
-}
-
-/**
- * Convert host byte order to unaligned little endian
- */
-static inline void htoule32(void *p, u_int32_t v)
-{
-	v = htole32(v);
-	memcpy(p, &v, sizeof(v));
-}
-
-/**
  * XOR a 32-bit integer into an unaligned destination
  */
 static inline void xor32u(void *p, u_int32_t x)
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index 9e249399b..2ffaa0662 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 2e623ad3b..f263f7764 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 7b7231b85..9558f878e 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index d525eac02..8fc366cca 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 96b2f6055..6a09d63c9 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 910289906..55ebb3419 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/files/Makefile.in b/src/libstrongswan/plugins/files/Makefile.in
index 31dc4a3ac..6c2e792f5 100644
--- a/src/libstrongswan/plugins/files/Makefile.in
+++ b/src/libstrongswan/plugins/files/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index b7ca1ce97..252035ca8 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index e125ab884..f9c4a6950 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 4ce7438fc..774c447f6 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 04f1f43ef..7ecba8fa9 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -98,14 +98,14 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(HASHER, HASH_SHA512),
 		/* MODP DH groups */
 		PLUGIN_REGISTER(DH, gcrypt_dh_create),
-			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
-			PLUGIN_PROVIDE(DH, MODP_2048_224),
-			PLUGIN_PROVIDE(DH, MODP_2048_256),
-			PLUGIN_PROVIDE(DH, MODP_1536_BIT),
 			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
 			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
 			PLUGIN_PROVIDE(DH, MODP_6144_BIT),
 			PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+			PLUGIN_PROVIDE(DH, MODP_2048_224),
+			PLUGIN_PROVIDE(DH, MODP_2048_256),
+			PLUGIN_PROVIDE(DH, MODP_1536_BIT),
 			PLUGIN_PROVIDE(DH, MODP_1024_BIT),
 			PLUGIN_PROVIDE(DH, MODP_1024_160),
 			PLUGIN_PROVIDE(DH, MODP_768_BIT),
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index 788cb931e..9a2d30192 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index d93aa14a1..ea75896a1 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -45,14 +45,6 @@ METHOD(plugin_t, get_features, int,
 	static plugin_feature_t f[] = {
 		/* DH groups */
 		PLUGIN_REGISTER(DH, gmp_diffie_hellman_create),
-			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
-				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-			PLUGIN_PROVIDE(DH, MODP_2048_224),
-				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-			PLUGIN_PROVIDE(DH, MODP_2048_256),
-				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-			PLUGIN_PROVIDE(DH, MODP_1536_BIT),
-				PLUGIN_DEPENDS(RNG, RNG_STRONG),
 			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
 				PLUGIN_DEPENDS(RNG, RNG_STRONG),
 			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
@@ -61,6 +53,14 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_DEPENDS(RNG, RNG_STRONG),
 			PLUGIN_PROVIDE(DH, MODP_8192_BIT),
 				PLUGIN_DEPENDS(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+				PLUGIN_DEPENDS(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(DH, MODP_2048_224),
+				PLUGIN_DEPENDS(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(DH, MODP_2048_256),
+				PLUGIN_DEPENDS(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(DH, MODP_1536_BIT),
+				PLUGIN_DEPENDS(RNG, RNG_STRONG),
 			PLUGIN_PROVIDE(DH, MODP_1024_BIT),
 				PLUGIN_DEPENDS(RNG, RNG_STRONG),
 			PLUGIN_PROVIDE(DH, MODP_1024_160),
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index a8c39cbab..46fac4a8c 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in
index 8f6a6f54d..eb0bdf387 100644
--- a/src/libstrongswan/plugins/keychain/Makefile.in
+++ b/src/libstrongswan/plugins/keychain/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 5316323a4..0a03fd819 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index d5f9c6c81..4dbdbe020 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 1dd3892cd..6fc25b023 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index e2fb7e720..17409dbc3 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index 0b51ba5d8..68be3f44a 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in
index 5636692ab..97a70679d 100644
--- a/src/libstrongswan/plugins/ntru/Makefile.in
+++ b/src/libstrongswan/plugins/ntru/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index a667ca47e..302016937 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -423,6 +423,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index e48efe3e9..aeb9be409 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -365,28 +365,41 @@ METHOD(plugin_t, get_features, int,
 #ifndef OPENSSL_NO_AES
 		/* AES GCM */
 		PLUGIN_REGISTER(AEAD, openssl_gcm_create),
-			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16),
-			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24),
-			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32),
-			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
-			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
-			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8,  16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8,  24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8,  32),
 #endif /* OPENSSL_NO_AES */
 #endif /* OPENSSL_VERSION_NUMBER */
+#ifndef OPENSSL_NO_ECDH
+		/* EC DH groups */
+		PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
+			PLUGIN_PROVIDE(DH, ECP_256_BIT),
+			PLUGIN_PROVIDE(DH, ECP_384_BIT),
+			PLUGIN_PROVIDE(DH, ECP_521_BIT),
+			PLUGIN_PROVIDE(DH, ECP_224_BIT),
+			PLUGIN_PROVIDE(DH, ECP_192_BIT),
+			PLUGIN_PROVIDE(DH, ECP_256_BP),
+			PLUGIN_PROVIDE(DH, ECP_384_BP),
+			PLUGIN_PROVIDE(DH, ECP_512_BP),
+			PLUGIN_PROVIDE(DH, ECP_224_BP),
+#endif
 #ifndef OPENSSL_NO_DH
 		/* MODP DH groups */
 		PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
-			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
-			PLUGIN_PROVIDE(DH, MODP_2048_224),
-			PLUGIN_PROVIDE(DH, MODP_2048_256),
-			PLUGIN_PROVIDE(DH, MODP_1536_BIT),
 			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
 			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
 			PLUGIN_PROVIDE(DH, MODP_6144_BIT),
 			PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+			PLUGIN_PROVIDE(DH, MODP_2048_224),
+			PLUGIN_PROVIDE(DH, MODP_2048_256),
+			PLUGIN_PROVIDE(DH, MODP_1536_BIT),
 			PLUGIN_PROVIDE(DH, MODP_1024_BIT),
 			PLUGIN_PROVIDE(DH, MODP_1024_160),
 			PLUGIN_PROVIDE(DH, MODP_768_BIT),
@@ -446,19 +459,6 @@ METHOD(plugin_t, get_features, int,
 #endif /* OPENSSL_VERSION_NUMBER */
 		PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs12_load, TRUE),
 			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12),
-#ifndef OPENSSL_NO_ECDH
-		/* EC DH groups */
-		PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
-			PLUGIN_PROVIDE(DH, ECP_256_BIT),
-			PLUGIN_PROVIDE(DH, ECP_384_BIT),
-			PLUGIN_PROVIDE(DH, ECP_521_BIT),
-			PLUGIN_PROVIDE(DH, ECP_224_BIT),
-			PLUGIN_PROVIDE(DH, ECP_192_BIT),
-			PLUGIN_PROVIDE(DH, ECP_224_BP),
-			PLUGIN_PROVIDE(DH, ECP_256_BP),
-			PLUGIN_PROVIDE(DH, ECP_384_BP),
-			PLUGIN_PROVIDE(DH, ECP_512_BP),
-#endif
 #ifndef OPENSSL_NO_ECDSA
 		/* EC private/public key loading */
 		PLUGIN_REGISTER(PRIVKEY, openssl_ec_private_key_load, TRUE),
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 44603afb1..2d6006bca 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 4c982fdf5..16dfbed3a 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 4d4215bfe..a55877952 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 2a708364a..a265818b0 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index de033a3fb..f4bded41a 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in
index 3fa0a3890..7fd31583b 100644
--- a/src/libstrongswan/plugins/pkcs12/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
index 3266e5d5f..5fc439b99 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 2130c9c93..162868af5 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index a9f3dd14c..007bdbd00 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
index b7ba5ad43..0631a6857 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@@ -196,6 +196,13 @@ METHOD(certificate_t, destroy, void,
 	}
 }
 
+METHOD(pubkey_cert_t, set_subject, void,
+	private_pubkey_cert_t *this, identification_t *subject)
+{
+	DESTROY_IF(this->subject);
+	this->subject = subject->clone(subject);
+}
+
 /*
  * see header file
  */
@@ -222,6 +229,7 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
+			.set_subject = _set_subject,
 		},
 		.ref = 1,
 		.key = key,
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.h b/src/libstrongswan/plugins/pubkey/pubkey_cert.h
index a2d735342..06e4e0fa3 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.h
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.h
@@ -35,6 +35,13 @@ struct pubkey_cert_t {
 	 * Implements certificate_t.
 	 */
 	certificate_t interface;
+
+	/**
+	 * Set the subject of the trusted public key.
+	 *
+	 * @param subject	subject to be set
+	 */
+	void (*set_subject)(pubkey_cert_t *this, identification_t *subject);
 };
 
 /**
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 11a13463b..f6dc73e09 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in
index b81acef55..b9fc8bdf6 100644
--- a/src/libstrongswan/plugins/rc2/Makefile.in
+++ b/src/libstrongswan/plugins/rc2/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
index 028464bf3..f6bdf9c59 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.in
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 342c544d9..4c7f2723b 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 18771e4f9..1de07d754 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 6aaa06b20..d4af8fbcf 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/sha3/Makefile.in b/src/libstrongswan/plugins/sha3/Makefile.in
index 3034ea537..9aa58e236 100644
--- a/src/libstrongswan/plugins/sha3/Makefile.in
+++ b/src/libstrongswan/plugins/sha3/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index 02290b4a2..acb05d570 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 3e234f1ca..ca59bb7df 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in
index a8d5a1020..feb9313ff 100644
--- a/src/libstrongswan/plugins/sshkey/Makefile.in
+++ b/src/libstrongswan/plugins/sshkey/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 100f3b15a..431b60724 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -432,6 +432,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
index c84717bdc..59590d1a9 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.in
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/winhttp/Makefile.in b/src/libstrongswan/plugins/winhttp/Makefile.in
index f8db1ffac..acfc57bb6 100644
--- a/src/libstrongswan/plugins/winhttp/Makefile.in
+++ b/src/libstrongswan/plugins/winhttp/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index b31bfbed1..c58dfe210 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 96280a033..2b83f3328 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -2143,8 +2143,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 		msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON);
 	}
 
-	if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
-		ocspSigning.ptr)
+	if (serverAuth.ptr  || clientAuth.ptr || ikeIntermediate.ptr ||
+		ocspSigning.ptr || msSmartcardLogon.ptr)
 	{
 		extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
 								asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 60133fc7f..b46af30fe 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -1,7 +1,8 @@
 /**
  * Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2007-2014 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2007-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -228,6 +229,42 @@ METHOD(ocsp_response_t, create_cert_enumerator, enumerator_t*,
 }
 
 /**
+ * enumerator filter callback for create_response_enumerator
+ */
+static bool filter(void *data, single_response_t **response,
+				   chunk_t *serialNumber,
+				   void *p2, cert_validation_t *status,
+				   void *p3, time_t *revocationTime,
+				   void *p4, crl_reason_t *revocationReason)
+{
+	if (serialNumber)
+	{
+		*serialNumber = (*response)->serialNumber;
+	}
+	if (status)
+	{
+		*status = (*response)->status;
+	}
+	if (revocationTime)
+	{
+		*revocationTime = (*response)->revocationTime;
+	}
+	if (revocationReason)
+	{
+		*revocationReason = (*response)->revocationReason;
+	}
+	return TRUE;
+}
+
+METHOD(ocsp_response_t, create_response_enumerator, enumerator_t*,
+	private_x509_ocsp_response_t *this)
+{
+	return enumerator_create_filter(
+				this->responses->create_enumerator(this->responses),
+				(void*)filter, NULL, NULL);
+}
+
+/**
  * ASN.1 definition of singleResponse
  */
 static const asn1Object_t singleResponseObjects[] = {
@@ -828,6 +865,7 @@ static x509_ocsp_response_t *load(chunk_t blob)
 				},
 				.get_status = _get_status,
 				.create_cert_enumerator = _create_cert_enumerator,
+				.create_response_enumerator = _create_response_enumerator,
 			},
 		},
 		.ref = 1,
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 6c9901e6c..6f69fb100 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
index 5b94208bf..b7628501a 100644
--- a/src/libstrongswan/processing/watcher.c
+++ b/src/libstrongswan/processing/watcher.c
@@ -345,6 +345,13 @@ static job_requeue_t watch(private_watcher_t *this)
 		old = thread_cancelability(TRUE);
 
 		res = poll(pfd, count, -1);
+		if (res == -1 && errno == EINTR)
+		{
+			/* LinuxThreads interrupts poll(), but does not make it a
+			 * cancellation point. Manually test if we got cancelled. */
+			thread_cancellation_point();
+		}
+
 		thread_cancelability(old);
 		thread_cleanup_pop(FALSE);
 
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index d86584ad1..b2d456035 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -44,6 +44,7 @@ tests_SOURCES = tests.h tests.c \
   suites/test_certpolicy.c \
   suites/test_certnames.c \
   suites/test_host.c \
+  suites/test_auth_cfg.c \
   suites/test_hasher.c \
   suites/test_crypter.c \
   suites/test_crypto_factory.c \
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index 13fd4cc25..0a0f5893d 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -140,6 +140,7 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \
 	suites/tests-test_certpolicy.$(OBJEXT) \
 	suites/tests-test_certnames.$(OBJEXT) \
 	suites/tests-test_host.$(OBJEXT) \
+	suites/tests-test_auth_cfg.$(OBJEXT) \
 	suites/tests-test_hasher.$(OBJEXT) \
 	suites/tests-test_crypter.$(OBJEXT) \
 	suites/tests-test_crypto_factory.$(OBJEXT) \
@@ -452,6 +453,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -505,6 +508,7 @@ tests_SOURCES = tests.h tests.c \
   suites/test_certpolicy.c \
   suites/test_certnames.c \
   suites/test_host.c \
+  suites/test_auth_cfg.c \
   suites/test_hasher.c \
   suites/test_crypter.c \
   suites/test_crypto_factory.c \
@@ -648,6 +652,8 @@ suites/tests-test_certnames.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_host.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_auth_cfg.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_hasher.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_crypter.$(OBJEXT): suites/$(am__dirstamp) \
@@ -690,6 +696,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_array.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1_parser.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_auth_cfg.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_reader.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_writer.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_certnames.Po@am__quote@
@@ -1119,6 +1126,20 @@ suites/tests-test_host.obj: suites/test_host.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi`
 
+suites/tests-test_auth_cfg.o: suites/test_auth_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_auth_cfg.o -MD -MP -MF suites/$(DEPDIR)/tests-test_auth_cfg.Tpo -c -o suites/tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_auth_cfg.Tpo suites/$(DEPDIR)/tests-test_auth_cfg.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/tests-test_auth_cfg.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c
+
+suites/tests-test_auth_cfg.obj: suites/test_auth_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_auth_cfg.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_auth_cfg.Tpo -c -o suites/tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_auth_cfg.Tpo suites/$(DEPDIR)/tests-test_auth_cfg.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/tests-test_auth_cfg.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi`
+
 suites/tests-test_hasher.o: suites/test_hasher.c
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hasher.o -MD -MP -MF suites/$(DEPDIR)/tests-test_hasher.Tpo -c -o suites/tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hasher.Tpo suites/$(DEPDIR)/tests-test_hasher.Po
diff --git a/src/libstrongswan/tests/suites/test_array.c b/src/libstrongswan/tests/suites/test_array.c
index ba2aff460..eda72e10a 100644
--- a/src/libstrongswan/tests/suites/test_array.c
+++ b/src/libstrongswan/tests/suites/test_array.c
@@ -491,6 +491,44 @@ START_TEST(test_invoke_offset)
 }
 END_TEST
 
+START_TEST(test_insert_create)
+{
+	array_t *array = NULL;
+	uintptr_t x;
+
+	array_insert_create(&array, ARRAY_TAIL, (void*)(uintptr_t)1);
+	array_insert_create(&array, ARRAY_TAIL, (void*)(uintptr_t)2);
+	ck_assert(array != NULL);
+
+	ck_assert(array_get(array, ARRAY_HEAD, &x));
+	ck_assert_int_eq(x, 1);
+	ck_assert(array_get(array, ARRAY_TAIL, &x));
+	ck_assert_int_eq(x, 2);
+
+	array_destroy(array);
+}
+END_TEST
+
+START_TEST(test_insert_create_value)
+{
+	array_t *array = NULL;
+	u_int16_t v;
+
+	v = 1;
+	array_insert_create_value(&array, sizeof(v), ARRAY_TAIL, &v);
+	v = 2;
+	array_insert_create_value(&array, sizeof(v), ARRAY_TAIL, &v);
+	ck_assert(array != NULL);
+
+	ck_assert(array_get(array, ARRAY_HEAD, &v));
+	ck_assert_int_eq(v, 1);
+	ck_assert(array_get(array, ARRAY_TAIL, &v));
+	ck_assert_int_eq(v, 2);
+
+	array_destroy(array);
+}
+END_TEST
+
 Suite *array_suite_create()
 {
 	Suite *s;
@@ -528,5 +566,10 @@ Suite *array_suite_create()
 	tcase_add_test(tc, test_invoke_offset);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("insert create");
+	tcase_add_test(tc, test_insert_create);
+	tcase_add_test(tc, test_insert_create_value);
+	suite_add_tcase(s, tc);
+
 	return s;
 }
diff --git a/src/libstrongswan/tests/suites/test_auth_cfg.c b/src/libstrongswan/tests/suites/test_auth_cfg.c
new file mode 100644
index 000000000..e046725b8
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_auth_cfg.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <credentials/auth_cfg.h>
+
+struct {
+	char *constraints;
+	signature_scheme_t sig[5];
+	signature_scheme_t ike[5];
+} sig_constraints_tests[] = {
+	{ "rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, {0}},
+	{ "rsa-sha256-sha512", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA512, 0 }, {0}},
+	{ "ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+	{ "rsa-sha256-ecdsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+	{ "pubkey-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }, {0}},
+	{ "ike:rsa-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }},
+	{ "ike:rsa-sha256-rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }},
+	{ "rsa-sha256-ike:rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }},
+	{ "ike:pubkey-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }},
+	{ "rsa-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+	{ "rsa-4096-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+	{ "rsa-4096-ecdsa-256-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+	{ "rsa-ecdsa256-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, {0}},
+	{ "rsa4096-sha256", {0}, {0}},
+	{ "sha256", {0}, {0}},
+	{ "ike:sha256", {0}, {0}},
+};
+
+static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type,
+								  signature_scheme_t expected[])
+{
+	enumerator_t *enumerator;
+	auth_rule_t t;
+	void *value;
+	int i = 0;
+
+	enumerator = cfg->create_enumerator(cfg);
+	while (enumerator->enumerate(enumerator, &t, &value))
+	{
+		if (t == type)
+		{
+			ck_assert(expected[i]);
+			ck_assert_int_eq(expected[i], (signature_scheme_t)value);
+			i++;
+		}
+	}
+	enumerator->destroy(enumerator);
+	ck_assert(!expected[i]);
+}
+
+START_TEST(test_sig_contraints)
+{
+	auth_cfg_t *cfg;
+	signature_scheme_t none[] = {0};
+
+	cfg = auth_cfg_create();
+	cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, FALSE);
+	check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
+	check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, none);
+	cfg->destroy(cfg);
+
+	lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints",
+							FALSE, lib->ns);
+
+	cfg = auth_cfg_create();
+	cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE);
+	check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
+	check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike);
+	cfg->destroy(cfg);
+}
+END_TEST
+
+START_TEST(test_ike_contraints_fallback)
+{
+	auth_cfg_t *cfg;
+
+	lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints",
+							TRUE, lib->ns);
+
+	cfg = auth_cfg_create();
+	cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE);
+	check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
+	if (sig_constraints_tests[_i].ike[0])
+	{
+		check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike);
+	}
+	else
+	{
+		check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
+	}
+	cfg->destroy(cfg);
+}
+END_TEST
+
+Suite *auth_cfg_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("auth_cfg");
+
+	tc = tcase_create("add_pubkey_constraints");
+	tcase_add_loop_test(tc, test_sig_contraints, 0, countof(sig_constraints_tests));
+	tcase_add_loop_test(tc, test_ike_contraints_fallback, 0, countof(sig_constraints_tests));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c
index 9554d2919..c0a21fe34 100644
--- a/src/libstrongswan/tests/suites/test_identification.c
+++ b/src/libstrongswan/tests/suites/test_identification.c
@@ -1,7 +1,8 @@
 /*
  * Copyright (C) 2013-2015 Tobias Brunner
+ * Copyright (C) 2016 Andreas Steffen
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -122,67 +123,122 @@ static struct {
 		} data;
 	} result;
 } string_data[] = {
-	{NULL,						ID_ANY,			{ .type = ENC_CHUNK }},
-	{"",						ID_ANY,			{ .type = ENC_CHUNK }},
-	{"%any",					ID_ANY,			{ .type = ENC_CHUNK }},
-	{"%any6",					ID_ANY,			{ .type = ENC_CHUNK }},
-	{"0.0.0.0",					ID_ANY,			{ .type = ENC_CHUNK }},
-	{"0::0",					ID_ANY,			{ .type = ENC_CHUNK }},
-	{"::",						ID_ANY,			{ .type = ENC_CHUNK }},
-	{"*",						ID_ANY,			{ .type = ENC_CHUNK }},
-	{"any",						ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{"any6",					ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{"0",						ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{"**",						ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{"192.168.1.1",				ID_IPV4_ADDR,	{ .type = ENC_CHUNK,
+	{NULL,						ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"",						ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"%any",					ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"%any6",					ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"0.0.0.0",					ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"0::0",					ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"::",						ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"*",						ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"any",						ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"any6",					ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"0",						ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"**",						ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"192.168.1.1",				ID_IPV4_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
-	{"192.168.",				ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{".",						ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{"fec0::1",					ID_IPV6_ADDR,	{ .type = ENC_CHUNK,
+	{"192.168.",				ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{".",						ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"192.168.1.1/33",			ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"192.168.1.1/32",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01,0xff,0xff,0xff,0xff)  }},
+	{"192.168.1.1/31",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0xfe)  }},
+	{"192.168.1.8/30",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x08,0xff,0xff,0xff,0xfc)  }},
+	{"192.168.1.128/25",		ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x80,0xff,0xff,0xff,0x80)  }},
+	{"192.168.1.0/24",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0x00)  }},
+	{"192.168.1.0/23",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x00,0x00,0xff,0xff,0xfe,0x00)  }},
+	{"192.168.4.0/22",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x04,0x00,0xff,0xff,0xfc,0x00)  }},
+	{"0.0.0.0/0",				ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)  }},
+	{"192.168.1.0-192.168.1.40",ID_IPV4_ADDR_RANGE,		{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xc0,0xa8,0x01,0x28)  }},
+	{"0.0.0.0-255.255.255.255",	ID_IPV4_ADDR_RANGE,		{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff)  }},
+	{"192.168.1.40-192.168.1.0",ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"fec0::1",					ID_IPV6_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
-								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }},
-	{"fec0::",					ID_IPV6_ADDR,	{ .type = ENC_CHUNK,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01)  }},
+	{"fec0::",					ID_IPV6_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
-								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }},
-	{"fec0:",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
-	{":",						ID_KEY_ID,		{ .type = ENC_SIMPLE }},
-	{"alice@strongswan.org",	ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
-	{"alice@strongswan",		ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
-	{"alice@",					ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
-	{"alice",					ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{"@",						ID_FQDN,		{ .type = ENC_CHUNK }},
-	{" @",						ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
-	{"@strongswan.org",			ID_FQDN,		{ .type = ENC_STRING,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)  }},
+	{"fec0:",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{":",						ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"fec0::1/129",				ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"fec0::1/128",				ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff ) }},
+	{"fec0::1/127",				ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe ) }},
+	{"fec0::4/126",				ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfc ) }},
+	{"fec0::100/120",			ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00 ) }},
+	{"::/0",					ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ) }},
+	{"fec0::1-fec0::4fff",		ID_IPV6_ADDR_RANGE,		{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
+								   0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff ) }},
+	{"fec0::4fff-fec0::1",		ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"fec0::1-",				ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"alice@strongswan.org",	ID_RFC822_ADDR,			{ .type = ENC_SIMPLE }},
+	{"alice@strongswan",		ID_RFC822_ADDR,			{ .type = ENC_SIMPLE }},
+	{"alice@",					ID_RFC822_ADDR,			{ .type = ENC_SIMPLE }},
+	{"alice",					ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"@",						ID_FQDN,				{ .type = ENC_CHUNK }},
+	{" @",						ID_RFC822_ADDR,			{ .type = ENC_SIMPLE }},
+	{"@strongswan.org",			ID_FQDN,				{ .type = ENC_STRING,
 		.data.s = "strongswan.org" }},
-	{"@#deadbeef",				ID_KEY_ID,		{ .type = ENC_CHUNK,
+	{"@#deadbeef",				ID_KEY_ID,				{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xde,0xad,0xbe,0xef) }},
-	{"@#deadbee",				ID_KEY_ID,		{ .type = ENC_CHUNK,
+	{"@#deadbee",				ID_KEY_ID,				{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x0d,0xea,0xdb,0xee) }},
-	{"foo=bar",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
-	{"foo=",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
-	{"=bar",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
-	{"C=",						ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+	{"foo=bar",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"foo=",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"=bar",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"C=",						ID_DER_ASN1_DN,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x30,0x0b,0x31,0x09,0x30,0x07,0x06,
 								   0x03,0x55,0x04,0x06,0x13,0x00) }},
-	{"C=CH",					ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+	{"C=CH",					ID_DER_ASN1_DN,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
 								   0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
-	{"C=CH,",					ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+	{"C=CH,",					ID_DER_ASN1_DN,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
 								   0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
-	{"C=CH, ",					ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+	{"C=CH, ",					ID_DER_ASN1_DN,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
 								   0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
-	{"C=CH, O",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
-	{"IPv4:#c0a80101",			ID_IPV4_ADDR,	{ .type = ENC_CHUNK,
+	{"C=CH, O",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"IPv4:#c0a80101",			ID_IPV4_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
-	{ "email:tester",			ID_RFC822_ADDR,	{ .type = ENC_STRING,
+	{ "email:tester",			ID_RFC822_ADDR,			{ .type = ENC_STRING,
 		.data.s = "tester" }},
-	{ "{1}:#c0a80101",			ID_IPV4_ADDR,	{ .type = ENC_CHUNK,
+	{ "{1}:#c0a80101",			ID_IPV4_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
-	{ "{0x02}:tester",			ID_FQDN,		{ .type = ENC_STRING,
+	{ "{0x02}:tester",			ID_FQDN,				{ .type = ENC_STRING,
 		.data.s = "tester" }},
-	{ "{99}:somedata",			99,				{ .type = ENC_STRING,
+	{ "{99}:somedata",			99,						{ .type = ENC_STRING,
 		.data.s = "somedata" }},
 };
 
@@ -264,14 +320,33 @@ START_TEST(test_printf_hook)
 
 	string_equals("192.168.1.1", "192.168.1.1");
 	string_equals_id("(invalid ID_IPV4_ADDR)",
-				identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty));
+			identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty));
+	string_equals("192.168.1.1/32", "192.168.1.1/32");
+	string_equals("192.168.1.2/31", "192.168.1.2/31");
+	string_equals("192.168.1.0/24", "192.168.1.0/24");
+	string_equals("192.168.2.0/23", "192.168.2.0/23");
+	string_equals("0.0.0.0/0", "0.0.0.0/0");
+	string_equals_id("(invalid ID_IPV4_ADDR_SUBNET)",
+			identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty));
+	string_equals("192.168.1.1-192.168.1.254", "192.168.1.1-192.168.1.254");
+	string_equals("0.0.0.0-255.255.255.255", "0.0.0.0-255.255.255.255");
+	string_equals_id("(invalid ID_IPV4_ADDR_RANGE)",
+			identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty));
 	string_equals("fec0::1", "fec0::1");
 	string_equals("fec0::1", "fec0:0:0::1");
 	string_equals_id("(invalid ID_IPV6_ADDR)",
-				identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty));
-
+			identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty));
+	string_equals("fec0::1/128", "fec0::1/128");
+	string_equals("fec0::2/127", "fec0::2/127");
+	string_equals("fec0::100/120", "fec0::100/120");
+	string_equals("::/0", "::/0");
+	string_equals_id("(invalid ID_IPV6_ADDR_SUBNET)",
+			identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty));
+	string_equals("fec0::1-fec0::4fff", "fec0::1-fec0::4fff");
+	string_equals_id("(invalid ID_IPV6_ADDR_RANGE)",
+			identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty));
 	string_equals_id("(unknown ID type: 255)",
-				identification_create_from_encoding(255, chunk_empty));
+			identification_create_from_encoding(255, chunk_empty));
 
 	string_equals("moon@strongswan.org", "moon@strongswan.org");
 	string_equals("MOON@STRONGSWAN.ORG", "MOON@STRONGSWAN.ORG");
@@ -324,11 +399,11 @@ START_TEST(test_printf_hook)
 	string_equals("C=CH, E=moon@strongswan.org, CN=moon",
 				  "C=CH, emailAddress=moon@strongswan.org, CN=moon");
 
-	/* C=CH, pseudonym=ANO (pseudonym is currently not recognized) */
-	string_equals_id("C=CH, 55:04:41=ANO", identification_create_from_encoding(ID_DER_ASN1_DN,
+	/* C=CH, telexNumber=123 (telexNumber is currently not recognized) */
+	string_equals_id("C=CH, 55:04:15=123", identification_create_from_encoding(ID_DER_ASN1_DN,
 		chunk_from_chars(0x30, 0x19, 0x31, 0x17, 0x30, 0x09, 0x06, 0x03, 0x55,
 						 0x04, 0x06, 0x13, 0x02, 0x43, 0x48, 0x30, 0x0a, 0x06,
-						 0x03, 0x55, 0x04, 0x41, 0x13, 0x03, 0x41, 0x4e, 0x4f)));
+						 0x03, 0x55, 0x04, 0x15, 0x13, 0x03, 0x31, 0x32, 0x33)));
 	/* C=CH, O=strongSwan (but instead of a 2nd OID -0x06- we got NULL -0x05) */
 	string_equals_id("C=CH, (invalid ID_DER_ASN1_DN)", identification_create_from_encoding(ID_DER_ASN1_DN,
 		chunk_from_chars(0x30, 0x20, 0x31, 0x1e, 0x30, 0x09, 0x06, 0x03, 0x55,
@@ -595,6 +670,89 @@ START_TEST(test_matches_binary)
 }
 END_TEST
 
+START_TEST(test_matches_range)
+{
+	identification_t *a, *b;
+
+	/* IPv4 addresses */
+	a = identification_create_from_string("192.168.1.1");
+	ck_assert(a->get_type(a) == ID_IPV4_ADDR);
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_MAX_WILDCARDS));
+	ck_assert(id_matches(a, "192.168.1.1", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "192.168.1.2", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "192.168.1.1/32", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "192.168.1.0/32", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "192.168.1.0/24", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "192.168.0.0/24", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "192.168.1.1-192.168.1.1", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "192.168.1.0-192.168.1.64", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "192.168.1.2-192.168.1.64", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "192.168.0.240-192.168.1.0", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE));
+
+	/* Malformed IPv4 subnet and range encoding */
+	b = identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty);
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+	b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty);
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+	b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE,
+			chunk_from_chars(0xc0,0xa8,0x01,0x28,0xc0,0xa8,0x01,0x00));
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+
+	a->destroy(a);
+
+	/* IPv6 addresses */
+	a = identification_create_from_string("fec0::1");
+	ck_assert(a->get_type(a) == ID_IPV6_ADDR);
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "::/0", ID_MATCH_MAX_WILDCARDS));
+	ck_assert(id_matches(a, "fec0::1", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "fec0::2", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "fec0::1/128", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "fec0::/128", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "fec0::/120", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "fec0::100/120", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "fec0::1-fec0::1", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "fec0::0-fec0::5", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "fec0::4001-fec0::4ffe", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "feb0::1-fec0::0", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE));
+
+	/* Malformed IPv6 subnet and range encoding */
+	b = identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty);
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+	b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty);
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+	b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE,
+			chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+							 0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff,
+							 0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+							 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01 ));
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+
+	a->destroy(a);
+
+	/* Malformed IPv4 address encoding */
+	a = identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty);
+	ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "0.0.0.0-255.255.255.255", ID_MATCH_NONE));
+	a->destroy(a);
+
+	/* Malformed IPv6 address encoding */
+	a = identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty);
+	ck_assert(id_matches(a, "::/0", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", ID_MATCH_NONE));
+	a->destroy(a);
+}
+END_TEST
+
 START_TEST(test_matches_string)
 {
 	identification_t *a;
@@ -929,6 +1087,7 @@ Suite *identification_suite_create()
 	tcase_add_test(tc, test_matches);
 	tcase_add_test(tc, test_matches_any);
 	tcase_add_test(tc, test_matches_binary);
+	tcase_add_test(tc, test_matches_range);
 	tcase_add_test(tc, test_matches_string);
 	tcase_add_loop_test(tc, test_matches_empty, ID_ANY, ID_KEY_ID + 1);
 	tcase_add_loop_test(tc, test_matches_empty_reverse, ID_ANY, ID_KEY_ID + 1);
diff --git a/src/libstrongswan/tests/suites/test_linked_list.c b/src/libstrongswan/tests/suites/test_linked_list.c
index 922f954e3..7a161817c 100644
--- a/src/libstrongswan/tests/suites/test_linked_list.c
+++ b/src/libstrongswan/tests/suites/test_linked_list.c
@@ -348,6 +348,91 @@ START_TEST(test_clone_offset)
 }
 END_TEST
 
+
+/*******************************************************************************
+ * equals
+ */
+
+typedef struct equals_t equals_t;
+
+struct equals_t {
+	int val;
+	bool (*equals)(equals_t *a, equals_t *b);
+};
+
+static bool equalsfn(equals_t *a, equals_t *b)
+{
+	return a->val == b->val;
+}
+
+START_TEST(test_equals_offset)
+{
+	linked_list_t *other;
+	equals_t *x, items[] = {
+		{ .val = 1, .equals = equalsfn, },
+		{ .val = 2, .equals = equalsfn, },
+		{ .val = 3, .equals = equalsfn, },
+		{ .val = 4, .equals = equalsfn, },
+		{ .val = 5, .equals = equalsfn, },
+	};
+	int i;
+
+	for (i = 0; i < countof(items); i++)
+	{
+		list->insert_last(list, &items[i]);
+	}
+	ck_assert(list->equals_offset(list, list, offsetof(equals_t, equals)));
+	other = linked_list_create_from_enumerator(list->create_enumerator(list));
+	ck_assert(list->equals_offset(list, other, offsetof(equals_t, equals)));
+	other->remove_last(other, (void**)&x);
+	ck_assert(!list->equals_offset(list, other, offsetof(equals_t, equals)));
+	list->remove_last(list, (void**)&x);
+	ck_assert(list->equals_offset(list, other, offsetof(equals_t, equals)));
+	other->remove_first(other, (void**)&x);
+	ck_assert(!list->equals_offset(list, other, offsetof(equals_t, equals)));
+	list->remove_first(list, (void**)&x);
+	ck_assert(list->equals_offset(list, other, offsetof(equals_t, equals)));
+	while (list->remove_first(list, (void**)&x) == SUCCESS);
+	while (other->remove_first(other, (void**)&x) == SUCCESS);
+	ck_assert(list->equals_offset(list, other, offsetof(equals_t, equals)));
+	other->destroy(other);
+}
+END_TEST
+
+START_TEST(test_equals_function)
+{
+	linked_list_t *other;
+	equals_t *x, items[] = {
+		{ .val = 1, },
+		{ .val = 2, },
+		{ .val = 3, },
+		{ .val = 4, },
+		{ .val = 5, },
+	};
+	int i;
+
+	for (i = 0; i < countof(items); i++)
+	{
+		list->insert_last(list, &items[i]);
+	}
+	ck_assert(list->equals_function(list, list, (void*)equalsfn));
+	other = linked_list_create_from_enumerator(list->create_enumerator(list));
+	ck_assert(list->equals_function(list, other, (void*)equalsfn));
+	other->remove_last(other, (void**)&x);
+	ck_assert(!list->equals_function(list, other, (void*)equalsfn));
+	list->remove_last(list, (void**)&x);
+	ck_assert(list->equals_function(list, other, (void*)equalsfn));
+	other->remove_first(other, (void**)&x);
+	ck_assert(!list->equals_function(list, other, (void*)equalsfn));
+	list->remove_first(list, (void**)&x);
+	ck_assert(list->equals_function(list, other, (void*)equalsfn));
+	while (list->remove_first(list, (void**)&x) == SUCCESS);
+	while (other->remove_first(other, (void**)&x) == SUCCESS);
+	ck_assert(list->equals_function(list, other, (void*)equalsfn));
+	other->destroy(other);
+}
+END_TEST
+
 Suite *linked_list_suite_create()
 {
 	Suite *s;
@@ -386,5 +471,11 @@ Suite *linked_list_suite_create()
 	tcase_add_test(tc, test_clone_offset);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("equals");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_equals_offset);
+	tcase_add_test(tc, test_equals_function);
+	suite_add_tcase(s, tc);
+
 	return s;
 }
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index e1074b931..824c88022 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -37,6 +37,7 @@ TEST_SUITE_DEPEND(certpolicy_suite_create, CERT_ENCODE, CERT_X509)
 TEST_SUITE_DEPEND(certnames_suite_create, CERT_ENCODE, CERT_X509)
 TEST_SUITE(host_suite_create)
 TEST_SUITE(printf_suite_create)
+TEST_SUITE(auth_cfg_suite_create)
 TEST_SUITE(hasher_suite_create)
 TEST_SUITE(crypter_suite_create)
 TEST_SUITE(crypto_factory_suite_create)
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
index 7a243e826..3d87e7fca 100644
--- a/src/libstrongswan/threading/thread.c
+++ b/src/libstrongswan/threading/thread.c
@@ -48,7 +48,7 @@ struct private_thread_t {
 	thread_t public;
 
 	/**
-	 * Human-readable ID of this thread.
+	 * Identificator of this thread (human-readable/thread ID).
 	 */
 	u_int id;
 
@@ -157,6 +157,23 @@ static void thread_destroy(private_thread_t *this)
 	free(this);
 }
 
+/**
+ * Determine the ID of the current thread
+ */
+static u_int get_thread_id()
+{
+	u_int id;
+
+#if defined(USE_THREAD_IDS) && defined(HAVE_GETTID)
+	id = gettid();
+#else
+	id_mutex->lock(id_mutex);
+	id = next_id++;
+	id_mutex->unlock(id_mutex);
+#endif
+	return id;
+}
+
 METHOD(thread_t, cancel, void,
 	private_thread_t *this)
 {
@@ -284,6 +301,8 @@ static void *thread_main(private_thread_t *this)
 {
 	void *res;
 
+	this->id = get_thread_id();
+
 	current_thread->set(current_thread, this);
 	pthread_cleanup_push((thread_cleanup_t)thread_cleanup, this);
 
@@ -315,9 +334,6 @@ thread_t *thread_create(thread_main_t main, void *arg)
 
 	this->main = main;
 	this->arg = arg;
-	id_mutex->lock(id_mutex);
-	this->id = next_id++;
-	id_mutex->unlock(id_mutex);
 
 	if (pthread_create(&this->thread_id, NULL, (void*)thread_main, this) != 0)
 	{
@@ -341,11 +357,7 @@ thread_t *thread_current()
 	if (!this)
 	{
 		this = thread_create_internal();
-
-		id_mutex->lock(id_mutex);
-		this->id = next_id++;
-		id_mutex->unlock(id_mutex);
-
+		this->id = get_thread_id();
 		current_thread->set(current_thread, (void*)this);
 	}
 	return &this->public;
@@ -475,12 +487,12 @@ void threads_init()
 
 	dummy1 = thread_value_create(NULL);
 
-	next_id = 1;
-	main_thread->id = 0;
+	next_id = 0;
 	main_thread->thread_id = pthread_self();
 	current_thread = thread_value_create(NULL);
 	current_thread->set(current_thread, (void*)main_thread);
 	id_mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	main_thread->id = get_thread_id();
 
 #ifndef HAVE_PTHREAD_CANCEL
 	{	/* install a signal handler for our custom SIG_CANCEL */
diff --git a/src/libstrongswan/threading/thread.h b/src/libstrongswan/threading/thread.h
index c24772839..35da24459 100644
--- a/src/libstrongswan/threading/thread.h
+++ b/src/libstrongswan/threading/thread.h
@@ -97,11 +97,13 @@ thread_t *thread_create(thread_main_t main, void *arg);
 thread_t *thread_current();
 
 /**
- * Get the human-readable ID of the current thread.
+ * Get the ID of the current thread.
  *
- * The IDs are assigned incrementally starting from 1.
+ * Depending on the build configuration thread IDs are either assigned
+ * incrementally starting from 1, or equal the value returned by an appropriate
+ * syscall (like gettid() or GetCurrentThreadId()), if available.
  *
- * @return				human-readable ID
+ * @return				ID of the current thread
  */
 u_int thread_current_id();
 
diff --git a/src/libstrongswan/threading/windows/thread.c b/src/libstrongswan/threading/windows/thread.c
index 610524722..798d75be7 100644
--- a/src/libstrongswan/threading/windows/thread.c
+++ b/src/libstrongswan/threading/windows/thread.c
@@ -516,7 +516,11 @@ thread_t *thread_current()
  */
 u_int thread_current_id()
 {
+#ifdef USE_THREAD_IDS
+	return get_current_thread()->id;
+#else
 	return get_current_thread()->tid;
+#endif
 }
 
 /**
diff --git a/src/libstrongswan/utils/compat/windows.c b/src/libstrongswan/utils/compat/windows.c
index 1f22ffa02..12ee59916 100644
--- a/src/libstrongswan/utils/compat/windows.c
+++ b/src/libstrongswan/utils/compat/windows.c
@@ -82,7 +82,6 @@ static void* dlsym_default(const char *name)
 {
 	const char *dlls[] = {
 		"libstrongswan-0.dll",
-		"libhydra-0.dll",
 		"libcharon-0.dll",
 		"libtnccs-0.dll",
 		NULL /* .exe */
diff --git a/src/libstrongswan/utils/debug.c b/src/libstrongswan/utils/debug.c
index e8c9e6b98..8a80b81a2 100644
--- a/src/libstrongswan/utils/debug.c
+++ b/src/libstrongswan/utils/debug.c
@@ -17,7 +17,7 @@
 
 #include "debug.h"
 
-ENUM(debug_names, DBG_DMN, DBG_LIB,
+ENUM(debug_names, DBG_DMN, DBG_ANY,
 	"DMN",
 	"MGR",
 	"IKE",
@@ -36,9 +36,10 @@ ENUM(debug_names, DBG_DMN, DBG_LIB,
 	"APP",
 	"ESP",
 	"LIB",
+	"ANY",
 );
 
-ENUM(debug_lower_names, DBG_DMN, DBG_LIB,
+ENUM(debug_lower_names, DBG_DMN, DBG_ANY,
 	"dmn",
 	"mgr",
 	"ike",
@@ -57,6 +58,7 @@ ENUM(debug_lower_names, DBG_DMN, DBG_LIB,
 	"app",
 	"esp",
 	"lib",
+	"any",
 );
 
 /**
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index da23d143c..2b2e907f0 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -1,8 +1,9 @@
 /*
+ * Copyright (C) 2016 Andreas Steffen
  * Copyright (C) 2009-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -79,6 +80,7 @@ static const x501rdn_t x501rdns[] = {
 	{"G", 					OID_GIVEN_NAME,				ASN1_PRINTABLESTRING},
 	{"I", 					OID_INITIALS,				ASN1_PRINTABLESTRING},
 	{"dnQualifier", 		OID_DN_QUALIFIER,			ASN1_PRINTABLESTRING},
+	{"pseudonym", 			OID_PSEUDONYM,				ASN1_PRINTABLESTRING},
 	{"ID", 					OID_UNIQUE_IDENTIFIER,		ASN1_PRINTABLESTRING},
 	{"EN", 					OID_EMPLOYEE_NUMBER,		ASN1_PRINTABLESTRING},
 	{"employeeNumber",		OID_EMPLOYEE_NUMBER,		ASN1_PRINTABLESTRING},
@@ -218,6 +220,7 @@ METHOD(enumerator_t, rdn_part_enumerate, bool,
 		{OID_GIVEN_NAME,		ID_PART_RDN_G},
 		{OID_INITIALS,			ID_PART_RDN_I},
 		{OID_DN_QUALIFIER,		ID_PART_RDN_DNQ},
+		{OID_PSEUDONYM,			ID_PART_RDN_PN},
 		{OID_UNIQUE_IDENTIFIER,	ID_PART_RDN_ID},
 		{OID_EMAIL_ADDRESS,		ID_PART_RDN_E},
 		{OID_EMPLOYEE_NUMBER,	ID_PART_RDN_EN},
@@ -822,6 +825,154 @@ METHOD(identification_t, matches_dn, id_match_t,
 }
 
 /**
+ * Transform netmask to CIDR bits
+ */
+static int netmask_to_cidr(char *netmask, size_t address_size)
+{
+	uint8_t byte;
+	int i, netbits = 0;
+
+	for (i = 0; i < address_size; i++)
+	{
+		byte = netmask[i];
+
+		if (byte == 0x00)
+		{
+			break;
+		}
+		if (byte == 0xff)
+		{
+			netbits += 8;
+		}
+		else
+		{
+			while (byte & 0x80)
+			{
+				netbits++;
+				byte <<= 1;
+			}
+		}
+	}
+	return netbits;
+}
+
+METHOD(identification_t, matches_range, id_match_t,
+	private_identification_t *this, identification_t *other)
+{
+	chunk_t other_encoding;
+	uint8_t *address, *from, *to, *network, *netmask;
+	size_t address_size = 0;
+	int netbits, range_sign, i;
+
+	if (other->get_type(other) == ID_ANY)
+	{
+		return ID_MATCH_ANY;
+	}
+	if (this->type == other->get_type(other) &&
+		chunk_equals(this->encoded, other->get_encoding(other)))
+	{
+		return ID_MATCH_PERFECT;
+	}
+	if ((this->type == ID_IPV4_ADDR &&
+		 other->get_type(other) == ID_IPV4_ADDR_SUBNET))
+	{
+		address_size = sizeof(struct in_addr);
+	}
+	else if ((this->type == ID_IPV6_ADDR &&
+		 other->get_type(other) == ID_IPV6_ADDR_SUBNET))
+	{
+		address_size = sizeof(struct in6_addr);
+	}
+	if (address_size)
+	{
+		other_encoding = other->get_encoding(other);
+		if (this->encoded.len != address_size ||
+			other_encoding.len != 2 * address_size)
+		{
+			return ID_MATCH_NONE;
+		}
+		address = this->encoded.ptr;
+		network = other_encoding.ptr;
+		netmask = other_encoding.ptr + address_size;
+		netbits = netmask_to_cidr(netmask, address_size);
+
+		if (netbits == 0)
+		{
+			return ID_MATCH_MAX_WILDCARDS;
+		}
+		if (netbits == 8 * address_size)
+		{
+			return memeq(address, network, address_size) ?
+				   ID_MATCH_PERFECT : ID_MATCH_NONE;
+		}
+		for (i = 0; i < (netbits + 7)/8; i++)
+		{
+			if ((address[i] ^ network[i]) & netmask[i])
+			{
+				return ID_MATCH_NONE;
+			}
+		}
+		return ID_MATCH_ONE_WILDCARD;
+	}
+	if ((this->type == ID_IPV4_ADDR &&
+		 other->get_type(other) == ID_IPV4_ADDR_RANGE))
+	{
+		address_size = sizeof(struct in_addr);
+	}
+	else if ((this->type == ID_IPV6_ADDR &&
+		 other->get_type(other) == ID_IPV6_ADDR_RANGE))
+	{
+		address_size = sizeof(struct in6_addr);
+	}
+	if (address_size)
+	{
+		other_encoding = other->get_encoding(other);
+		if (this->encoded.len != address_size ||
+			other_encoding.len != 2 * address_size)
+		{
+			return ID_MATCH_NONE;
+		}
+		address = this->encoded.ptr;
+		from = other_encoding.ptr;
+		to = other_encoding.ptr + address_size;
+
+		range_sign = memcmp(to, from, address_size);
+		if (range_sign < 0)
+		{	/* to is smaller than from */
+			return ID_MATCH_NONE;
+		}
+
+		/* check lower bound */
+		for (i = 0; i < address_size; i++)
+		{
+			if (address[i] != from[i])
+			{
+				if (address[i] < from[i])
+				{
+					return ID_MATCH_NONE;
+				}
+				break;
+			}
+		}
+
+		/* check upper bound */
+		for (i = 0; i < address_size; i++)
+		{
+			if (address[i] != to[i])
+			{
+				if (address[i] > to[i])
+				{
+					return ID_MATCH_NONE;
+				}
+				break;
+			}
+		}
+		return range_sign ? ID_MATCH_ONE_WILDCARD : ID_MATCH_PERFECT;
+	}
+	return ID_MATCH_NONE;
+}
+
+/**
  * Described in header.
  */
 int identification_printf_hook(printf_hook_data_t *data,
@@ -829,7 +980,9 @@ int identification_printf_hook(printf_hook_data_t *data,
 {
 	private_identification_t *this = *((private_identification_t**)(args[0]));
 	chunk_t proper;
-	char buf[512];
+	char buf[BUF_LEN], *pos;
+	size_t len, address_size;
+	int written;
 
 	if (this == NULL)
 	{
@@ -839,49 +992,115 @@ int identification_printf_hook(printf_hook_data_t *data,
 	switch (this->type)
 	{
 		case ID_ANY:
-			snprintf(buf, sizeof(buf), "%%any");
+			snprintf(buf, BUF_LEN, "%%any");
 			break;
 		case ID_IPV4_ADDR:
 			if (this->encoded.len < sizeof(struct in_addr) ||
-				inet_ntop(AF_INET, this->encoded.ptr, buf, sizeof(buf)) == NULL)
+				inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
 			{
-				snprintf(buf, sizeof(buf), "(invalid ID_IPV4_ADDR)");
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR)");
+			}
+			break;
+		case ID_IPV4_ADDR_SUBNET:
+			address_size = sizeof(struct in_addr);
+			if (this->encoded.len < 2 * address_size ||
+				inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_SUBNET)");
+				break;
+			}
+			written = strlen(buf);
+			snprintf(buf + written, BUF_LEN - written, "/%d",
+					 netmask_to_cidr(this->encoded.ptr + address_size,
+														 address_size));
+			break;
+		case ID_IPV4_ADDR_RANGE:
+			address_size = sizeof(struct in_addr);
+			if (this->encoded.len < 2 * address_size ||
+				inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)");
+				break;
+			}
+			written = strlen(buf);
+			pos = buf + written;
+			len = BUF_LEN - written;
+			written = snprintf(pos, len, "-");
+			if (written < 0 || written >= len ||
+			    inet_ntop(AF_INET, this->encoded.ptr + address_size,
+						  pos + written, len - written) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)");
 			}
 			break;
 		case ID_IPV6_ADDR:
 			if (this->encoded.len < sizeof(struct in6_addr) ||
-				inet_ntop(AF_INET6, this->encoded.ptr, buf, INET6_ADDRSTRLEN) == NULL)
+				inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR)");
+			}
+			break;
+		case ID_IPV6_ADDR_SUBNET:
+			address_size = sizeof(struct in6_addr);
+			if (this->encoded.len < 2 * address_size ||
+				inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_SUBNET)");
+			}
+			else
 			{
-				snprintf(buf, sizeof(buf), "(invalid ID_IPV6_ADDR)");
+				written = strlen(buf);
+				snprintf(buf + written, BUF_LEN - written, "/%d",
+						 netmask_to_cidr(this->encoded.ptr + address_size,
+															 address_size));
+			}
+			break;
+		case ID_IPV6_ADDR_RANGE:
+			address_size = sizeof(struct in6_addr);
+			if (this->encoded.len < 2 * address_size ||
+				inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)");
+				break;
+			}
+			written = strlen(buf);
+			pos = buf + written;
+			len = BUF_LEN - written;
+			written = snprintf(pos, len, "-");
+			if (written < 0 || written >= len ||
+			    inet_ntop(AF_INET6, this->encoded.ptr + address_size,
+						  pos + written, len - written) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)");
 			}
 			break;
 		case ID_FQDN:
 		case ID_RFC822_ADDR:
 		case ID_DER_ASN1_GN_URI:
 			chunk_printable(this->encoded, &proper, '?');
-			snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr);
+			snprintf(buf, BUF_LEN, "%.*s", (int)proper.len, proper.ptr);
 			chunk_free(&proper);
 			break;
 		case ID_DER_ASN1_DN:
-			dntoa(this->encoded, buf, sizeof(buf));
+			dntoa(this->encoded, buf, BUF_LEN);
 			break;
 		case ID_DER_ASN1_GN:
-			snprintf(buf, sizeof(buf), "(ASN.1 general name)");
+			snprintf(buf, BUF_LEN, "(ASN.1 general name)");
 			break;
 		case ID_KEY_ID:
 			if (chunk_printable(this->encoded, NULL, '?') &&
 				this->encoded.len != HASH_SIZE_SHA1)
 			{	/* fully printable, use ascii version */
-				snprintf(buf, sizeof(buf), "%.*s", (int)this->encoded.len,
+				snprintf(buf, BUF_LEN, "%.*s", (int)this->encoded.len,
 						 this->encoded.ptr);
 			}
 			else
 			{	/* not printable, hex dump */
-				snprintf(buf, sizeof(buf), "%#B", &this->encoded);
+				snprintf(buf, BUF_LEN, "%#B", &this->encoded);
 			}
 			break;
 		default:
-			snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
+			snprintf(buf, BUF_LEN, "(unknown ID type: %d)", this->type);
 			break;
 	}
 	if (spec->minus)
@@ -950,6 +1169,13 @@ static private_identification_t *identification_create(id_type_t type)
 			this->public.matches = _matches_dn;
 			this->public.contains_wildcards = _contains_wildcards_dn;
 			break;
+		case ID_IPV4_ADDR:
+		case ID_IPV6_ADDR:
+			this->public.hash = _hash_binary;
+			this->public.equals = _equals_binary;
+			this->public.matches = _matches_range;
+			this->public.contains_wildcards = return_false;
+			break;
 		default:
 			this->public.hash = _hash_binary;
 			this->public.equals = _equals_binary;
@@ -971,6 +1197,10 @@ static private_identification_t* create_from_string_with_prefix_type(char *str)
 	} prefixes[] = {
 		{ "ipv4:",			ID_IPV4_ADDR			},
 		{ "ipv6:",			ID_IPV6_ADDR			},
+		{ "ipv4net:",		ID_IPV4_ADDR_SUBNET		},
+		{ "ipv6net:",		ID_IPV6_ADDR_SUBNET		},
+		{ "ipv4range:",		ID_IPV4_ADDR_RANGE		},
+		{ "ipv6range:",		ID_IPV6_ADDR_RANGE		},
 		{ "rfc822:",		ID_RFC822_ADDR			},
 		{ "email:",			ID_RFC822_ADDR			},
 		{ "userfqdn:",		ID_USER_FQDN			},
@@ -1036,6 +1266,115 @@ static private_identification_t* create_from_string_with_num_type(char *str)
 	return this;
 }
 
+/**
+ * Convert to an IPv4/IPv6 host address, subnet or address range
+ */
+static private_identification_t* create_ip_address_from_string(char *string,
+															   bool is_ipv4)
+{
+	private_identification_t *this;
+	uint8_t encoding[32];
+	uint8_t *str, *pos, *address, *to_address, *netmask;
+	size_t address_size;
+	int bits, bytes, i;
+	bool has_subnet = FALSE, has_range = FALSE;
+
+	address = encoding;
+	address_size = is_ipv4 ? sizeof(struct in_addr) : sizeof(struct in6_addr);
+
+	str = strdup(string);
+	pos = strchr(str, '/');
+	if (pos)
+	{	/* separate IP address from optional netmask */
+
+		*pos = '\0';
+		has_subnet = TRUE;
+	}
+	else
+	{
+		pos = strchr(str, '-');
+		if (pos)
+		{	/* separate lower address from upper address of IP range */
+			*pos = '\0';
+			has_range = TRUE;
+		}
+	}
+
+	if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, str, address) != 1)
+	{
+		free(str);
+		return NULL;
+	}
+
+	if (has_subnet)
+	{	/* is IP subnet */
+		bits = atoi(pos + 1);
+		if (bits > 8 * address_size)
+		{
+			free(str);
+			return NULL;
+		}
+		bytes = bits / 8;
+		bits -= 8 * bytes;
+		netmask = encoding + address_size;
+
+		for (i = 0; i < address_size; i++)
+		{
+			if (bytes)
+			{
+				*netmask = 0xff;
+				bytes--;
+			}
+			else if (bits)
+			{
+				*netmask = 0xff << (8 - bits);
+				bits = 0;
+			}
+			else
+			{
+				*netmask = 0x00;
+			}
+			*address++ &= *netmask++;
+		}
+		this = identification_create(is_ipv4 ? ID_IPV4_ADDR_SUBNET :
+											   ID_IPV6_ADDR_SUBNET);
+		this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size));
+	}
+	else if (has_range)
+	{	/* is IP range */
+		to_address = encoding + address_size;
+
+		if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, pos + 1, to_address) != 1)
+		{
+			free(str);
+			return NULL;
+		}
+		for (i = 0; i < address_size; i++)
+		{
+			if (address[i] != to_address[i])
+			{
+				if (address[i] > to_address[i])
+				{
+					free(str);
+					return NULL;
+				}
+				break;
+			}
+		}
+		this = identification_create(is_ipv4 ? ID_IPV4_ADDR_RANGE :
+											   ID_IPV6_ADDR_RANGE);
+		this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size));
+	}
+	else
+	{	/* is IP host address */
+		this = identification_create(is_ipv4 ? ID_IPV4_ADDR : ID_IPV6_ADDR);
+		this->encoded = chunk_clone(chunk_create(encoding, address_size));
+	}
+	free(str);
+
+	return this;
+}
+
 /*
  * Described in header.
  */
@@ -1093,15 +1432,9 @@ identification_t *identification_create_from_string(char *string)
 		{
 			if (strchr(string, ':') == NULL)
 			{
-				struct in_addr address;
-				chunk_t chunk = {(void*)&address, sizeof(address)};
-
-				if (inet_pton(AF_INET, string, &address) > 0)
-				{	/* is IPv4 */
-					this = identification_create(ID_IPV4_ADDR);
-					this->encoded = chunk_clone(chunk);
-				}
-				else
+				/* IPv4 address or subnet */
+				this = create_ip_address_from_string(string, TRUE);
+				if (!this)
 				{	/* not IPv4, mostly FQDN */
 					this = identification_create(ID_FQDN);
 					this->encoded = chunk_from_str(strdup(string));
@@ -1110,15 +1443,9 @@ identification_t *identification_create_from_string(char *string)
 			}
 			else
 			{
-				struct in6_addr address;
-				chunk_t chunk = {(void*)&address, sizeof(address)};
-
-				if (inet_pton(AF_INET6, string, &address) > 0)
-				{	/* is IPv6 */
-					this = identification_create(ID_IPV6_ADDR);
-					this->encoded = chunk_clone(chunk);
-				}
-				else
+				/* IPv6 address or subnet */
+				this = create_ip_address_from_string(string, FALSE);
+				if (!this)
 				{	/* not IPv4/6 fallback to KEY_ID */
 					this = identification_create(ID_KEY_ID);
 					this->encoded = chunk_from_str(strdup(string));
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index 5f27ba112..51d132491 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -168,6 +168,8 @@ enum id_part_t {
 	ID_PART_RDN_I,
 	/** DN Qualifier RDN of a DN */
 	ID_PART_RDN_DNQ,
+	/** Pseudonym RDN of a DN */
+	ID_PART_RDN_PN,
 	/** UniqueIdentifier RDN of a DN */
 	ID_PART_RDN_ID,
 	/** Locality RDN of a DN */
diff --git a/src/libstrongswan/utils/utils/byteorder.h b/src/libstrongswan/utils/utils/byteorder.h
index 48cf1d526..3ccbad5f1 100644
--- a/src/libstrongswan/utils/utils/byteorder.h
+++ b/src/libstrongswan/utils/utils/byteorder.h
@@ -44,6 +44,36 @@
 #define BITFIELD5(t, a, b, c, d, e,...)	struct { t e; t d; t c; t b; t a; __VA_ARGS__}
 #endif
 
+#ifndef le32toh
+# if BYTE_ORDER == BIG_ENDIAN
+#  define le32toh(x) __builtin_bswap32(x)
+#  define htole32(x) __builtin_bswap32(x)
+# else
+#  define le32toh(x) (x)
+#  define htole32(x) (x)
+# endif
+#endif
+
+#ifndef le64toh
+# if BYTE_ORDER == BIG_ENDIAN
+#  define le64toh(x) __builtin_bswap64(x)
+#  define htole64(x) __builtin_bswap64(x)
+# else
+#  define le64toh(x) (x)
+#  define htole64(x) (x)
+# endif
+#endif
+
+#ifndef be64toh
+# if BYTE_ORDER == BIG_ENDIAN
+#  define be64toh(x) (x)
+#  define htobe64(x) (x)
+# else
+#  define be64toh(x) __builtin_bswap64(x)
+#  define htobe64(x) __builtin_bswap64(x)
+# endif
+#endif
+
 /**
  * Write a 16-bit host order value in network order to an unaligned address.
  *
@@ -82,21 +112,8 @@ static inline void htoun64(void *network, u_int64_t host)
 {
 	char *unaligned = (char*)network;
 
-#ifdef be64toh
 	host = htobe64(host);
 	memcpy((char*)unaligned, &host, sizeof(host));
-#else
-	u_int32_t high_part, low_part;
-
-	high_part = host >> 32;
-	high_part = htonl(high_part);
-	low_part  = host & 0xFFFFFFFFLL;
-	low_part  = htonl(low_part);
-
-	memcpy(unaligned, &high_part, sizeof(high_part));
-	unaligned += sizeof(high_part);
-	memcpy(unaligned, &low_part, sizeof(low_part));
-#endif
 }
 
 /**
@@ -138,24 +155,37 @@ static inline u_int32_t untoh32(void *network)
 static inline u_int64_t untoh64(void *network)
 {
 	char *unaligned = (char*)network;
-
-#ifdef be64toh
 	u_int64_t tmp;
 
 	memcpy(&tmp, unaligned, sizeof(tmp));
 	return be64toh(tmp);
-#else
-	u_int32_t high_part, low_part;
+}
 
-	memcpy(&high_part, unaligned, sizeof(high_part));
-	unaligned += sizeof(high_part);
-	memcpy(&low_part, unaligned, sizeof(low_part));
+/**
+ * Read a 32-bit value in little-endian order from unaligned address.
+ *
+ * @param p			unaligned address to read little endian value from
+ * @return			host order value
+ */
+static inline u_int32_t uletoh32(void *p)
+{
+	u_int32_t ret;
 
-	high_part = ntohl(high_part);
-	low_part  = ntohl(low_part);
+	memcpy(&ret, p, sizeof(ret));
+	ret = le32toh(ret);
+	return ret;
+}
 
-	return (((u_int64_t)high_part) << 32) + low_part;
-#endif
+/**
+ * Write a 32-bit value in little-endian to an unaligned address.
+ *
+ * @param p			host order 32-bit value
+ * @param v			unaligned address to write little endian value to
+ */
+static inline void htoule32(void *p, u_int32_t v)
+{
+	v = htole32(v);
+	memcpy(p, &v, sizeof(v));
 }
 
 #endif /** BYTEORDER_H_ @} */
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index e6c23d970..8d16059f3 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -465,6 +465,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtls/tests/Makefile.in b/src/libtls/tests/Makefile.in
index 7d5b3771c..e57a95f4f 100644
--- a/src/libtls/tests/Makefile.in
+++ b/src/libtls/tests/Makefile.in
@@ -410,6 +410,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 000dda43b..8087e2e2d 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -320,7 +320,8 @@ static public_key_t *find_public_key(private_tls_peer_t *this)
 	if (cert)
 	{
 		enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-						KEY_ANY, cert->get_subject(cert), this->server_auth);
+											KEY_ANY, cert->get_subject(cert),
+											this->server_auth, TRUE);
 		while (enumerator->enumerate(enumerator, &current, &auth))
 		{
 			found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index f9295a160..cfbe02037 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -548,7 +548,7 @@ static status_t process_cert_verify(private_tls_server_t *this,
 	bio_reader_t *sig;
 
 	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-										KEY_ANY, this->peer, this->peer_auth);
+									KEY_ANY, this->peer, this->peer_auth, TRUE);
 	while (enumerator->enumerate(enumerator, &public, &auth))
 	{
 		sig = bio_reader_create(reader->peek(reader));
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index dc8c1b8cc..85d2581a2 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -470,6 +470,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in
index 3641bdf5b..963e1f0eb 100644
--- a/src/libtnccs/plugins/tnc_imc/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imc/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in
index c4b1bee23..f77db91c4 100644
--- a/src/libtnccs/plugins/tnc_imv/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imv/Makefile.in
@@ -419,6 +419,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
index 5b01e317a..577f53776 100644
--- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in
+++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in
index e0c039af9..ec5de0f11 100644
--- a/src/libtnccs/plugins/tnccs_11/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_11/Makefile.in
@@ -428,6 +428,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in
index 17d997f76..5037a9517 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.in
@@ -431,6 +431,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.c b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
index a1a95733f..35d297842 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
@@ -126,6 +126,24 @@ struct private_tnccs_20_t {
 
 };
 
+METHOD(tls_t, is_complete, bool,
+	private_tnccs_20_t *this)
+{
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
+	tnccs_20_server_t *tnc_server;
+
+	if (this->tnc_server)
+	{
+		tnc_server = (tnccs_20_server_t*)this->tnc_server;
+		if (tnc_server->have_recommendation(tnc_server, &rec, &eval))
+		{
+			return this->callback ? this->callback(rec, eval) : TRUE;
+		}
+	}
+	return FALSE;
+}
+
 METHOD(tnccs_t, send_msg, TNC_Result,
 	private_tnccs_20_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id,
 							  TNC_UInt32 msg_flags,
@@ -269,6 +287,7 @@ METHOD(tls_t, process, status_t,
 		/* Suppress a successful CLOSE batch coming from the TNC server */
 		if (status == SUCCESS)
 		{
+			is_complete(this);
 			status = NEED_MORE;
 		}
 	}
@@ -359,25 +378,6 @@ METHOD(tls_t, get_purpose, tls_purpose_t,
 	return TLS_PURPOSE_EAP_TNC;
 }
 
-METHOD(tls_t, is_complete, bool,
-	private_tnccs_20_t *this)
-{
-	TNC_IMV_Action_Recommendation rec;
-	TNC_IMV_Evaluation_Result eval;
-
-	if (this->tnc_server)
-	{
-		tnccs_20_server_t *tnc_server;
-
-		tnc_server = (tnccs_20_server_t*)this->tnc_server;
-		if (tnc_server->have_recommendation(tnc_server, &rec, &eval))
-		{
-			return this->callback ? this->callback(rec, eval) : TRUE;
-		}
-	}
-	return FALSE;
-}
-
 METHOD(tls_t, get_eap_msk, chunk_t,
 	private_tnccs_20_t *this)
 {
diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
index 3f21a22d4..949532a09 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index 010fadc42..4be7ae1a8 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -380,6 +380,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 500220a3a..9beaab0a3 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -432,6 +432,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 42830e186..c367841df 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -421,6 +421,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index a3da0ab04..261e41c16 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -17,7 +17,10 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/signcrl.c \
 	commands/verify.c
 
-pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+pki_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(PTHREADLIB) $(DLLIB)
+
 pki.o :	$(top_builddir)/config.status
 
 AM_CPPFLAGS = \
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index b4829f777..4b206c9c9 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -111,7 +111,9 @@ am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) \
 	commands/self.$(OBJEXT) commands/signcrl.$(OBJEXT) \
 	commands/verify.$(OBJEXT)
 pki_OBJECTS = $(am_pki_OBJECTS)
-pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
+am__DEPENDENCIES_1 =
+pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
@@ -431,6 +433,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -460,7 +464,10 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/signcrl.c \
 	commands/verify.c
 
-pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+pki_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(PTHREADLIB) $(DLLIB)
+
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-DPLUGINS=\""${pki_plugins}\""
@@ -919,6 +926,7 @@ uninstall-am: uninstall-binPROGRAMS
 	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
 	uninstall-am uninstall-binPROGRAMS
 
+
 pki.o :	$(top_builddir)/config.status
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/pki/command.c b/src/pki/command.c
index 13e81404c..ce704dbb8 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -172,6 +172,15 @@ void command_register(command_t command)
 				"options",	'+', 1, "read command line options from file"
 			};
 		}
+		for (i = 0; cmds[registered].line[i]; i++)
+		{
+			if (i == MAX_LINES - 1)
+			{
+				fprintf(stderr, "command '%s' specifies too many usage summary "
+						"lines, please increase MAX_LINES\n", command.cmd);
+				break;
+			}
+		}
 	}
 	registered++;
 }
@@ -208,7 +217,7 @@ int command_usage(char *error)
 	}
 	else
 	{
-		for (i = 0; cmds[active].line[i]; i++)
+		for (i = 0; i < MAX_LINES && cmds[active].line[i]; i++)
 		{
 			if (i == 0)
 			{
diff --git a/src/pki/command.h b/src/pki/command.h
index e55c579e4..449252eb8 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -34,7 +34,7 @@
 /**
  * Maximum number of usage summary lines (+1)
  */
-#define MAX_LINES 10
+#define MAX_LINES 11
 
 typedef struct command_t command_t;
 typedef struct command_option_t command_option_t;
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index fa69de133..c367a21a9 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -2,6 +2,9 @@
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -15,540 +18,37 @@
 
 #include "pki.h"
 
-#include <asn1/asn1.h>
-#include <asn1/oid.h>
 #include <credentials/certificates/certificate.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/ac.h>
-#include <selectors/traffic_selector.h>
+#include <credentials/certificates/certificate_printer.h>
 
-#include <time.h>
 #include <errno.h>
 
 /**
- * Print public key information
- */
-static void print_pubkey(public_key_t *key)
-{
-	chunk_t chunk;
-	key_type_t type;
-
-	type = key->get_type(key);
-	printf("pubkey:    %N %d bits%s\n", key_type_names, type,
-			key->get_keysize(key), (type == KEY_BLISS) ? " strength" : "");
-
-	if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
-	{
-		printf("keyid:     %#B\n", &chunk);
-	}
-	if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
-	{
-		printf("subjkey:   %#B\n", &chunk);
-	}
-}
-
-/**
  * Print private key information
  */
 static void print_key(private_key_t *key)
 {
 	public_key_t *public;
+	chunk_t chunk;
 
 	public = key->get_public_key(key);
 	if (public)
 	{
-		printf("private key with:\n");
-		print_pubkey(public);
-		public->destroy(public);
-	}
-	else
-	{
-		printf("extracting public from private key failed\n");
-	}
-}
-
-/**
- * Get a prefix for a named constraint identity type
- */
-static char* get_type_pfx(identification_t *id)
-{
-	switch (id->get_type(id))
-	{
-		case ID_RFC822_ADDR:
-			return "email:";
-		case ID_FQDN:
-			return "dns:";
-		default:
-			return "";
-	}
-}
-
-/**
- * Print X509 specific certificate information
- */
-static void print_x509(x509_t *x509)
-{
-	enumerator_t *enumerator;
-	identification_t *id;
-	traffic_selector_t *block;
-	chunk_t chunk;
-	bool first;
-	char *uri;
-	int len, explicit, inhibit;
-	x509_flag_t flags;
-	x509_cdp_t *cdp;
-	x509_cert_policy_t *policy;
-	x509_policy_mapping_t *mapping;
-
-	chunk = chunk_skip_zero(x509->get_serial(x509));
-	printf("serial:    %#B\n", &chunk);
-
-	first = TRUE;
-	enumerator = x509->create_subjectAltName_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &id))
-	{
-		if (first)
-		{
-			printf("altNames:  ");
-			first = FALSE;
-		}
-		else
-		{
-			printf(", ");
-		}
-		printf("%Y", id);
-	}
-	if (!first)
-	{
-		printf("\n");
-	}
-	enumerator->destroy(enumerator);
-
-	flags = x509->get_flags(x509);
-	printf("flags:     ");
-	if (flags & X509_CA)
-	{
-		printf("CA ");
-	}
-	if (flags & X509_CRL_SIGN)
-	{
-		printf("CRLSign ");
-	}
-	if (flags & X509_AA)
-	{
-		printf("AA ");
-	}
-	if (flags & X509_OCSP_SIGNER)
-	{
-		printf("OCSP ");
-	}
-	if (flags & X509_AA)
-	{
-		printf("AA ");
-	}
-	if (flags & X509_SERVER_AUTH)
-	{
-		printf("serverAuth ");
-	}
-	if (flags & X509_CLIENT_AUTH)
-	{
-		printf("clientAuth ");
-	}
-	if (flags & X509_IKE_INTERMEDIATE)
-	{
-		printf("iKEIntermediate ");
-	}
-	if (flags & X509_MS_SMARTCARD_LOGON)
-	{
-		printf("msSmartcardLogon ");
-	}
-	if (flags & X509_SELF_SIGNED)
-	{
-		printf("self-signed ");
-	}
-	printf("\n");
-
-	first = TRUE;
-	enumerator = x509->create_crl_uri_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &cdp))
-	{
-		if (first)
-		{
-			printf("CRL URIs:  %s", cdp->uri);
-			first = FALSE;
-		}
-		else
-		{
-			printf("           %s", cdp->uri);
-		}
-		if (cdp->issuer)
-		{
-			printf(" (CRL issuer: %Y)", cdp->issuer);
-		}
-		printf("\n");
-	}
-	enumerator->destroy(enumerator);
-
-	first = TRUE;
-	enumerator = x509->create_ocsp_uri_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &uri))
-	{
-		if (first)
-		{
-			printf("OCSP URIs: %s\n", uri);
-			first = FALSE;
-		}
-		else
-		{
-			printf("           %s\n", uri);
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	len = x509->get_constraint(x509, X509_PATH_LEN);
-	if (len != X509_NO_CONSTRAINT)
-	{
-		printf("pathlen:   %d\n", len);
-	}
-
-	first = TRUE;
-	enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
-	while (enumerator->enumerate(enumerator, &id))
-	{
-		if (first)
-		{
-			printf("Permitted NameConstraints:\n");
-			first = FALSE;
-		}
-		printf("           %s%Y\n", get_type_pfx(id), id);
-	}
-	enumerator->destroy(enumerator);
-	first = TRUE;
-	enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
-	while (enumerator->enumerate(enumerator, &id))
-	{
-		if (first)
-		{
-			printf("Excluded NameConstraints:\n");
-			first = FALSE;
-		}
-		printf("           %s%Y\n", get_type_pfx(id), id);
-	}
-	enumerator->destroy(enumerator);
-
-	first = TRUE;
-	enumerator = x509->create_cert_policy_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &policy))
-	{
-		char *oid;
-
-		if (first)
-		{
-			printf("CertificatePolicies:\n");
-			first = FALSE;
-		}
-		oid = asn1_oid_to_string(policy->oid);
-		if (oid)
-		{
-			printf("           %s\n", oid);
-			free(oid);
-		}
-		else
-		{
-			printf("           %#B\n", &policy->oid);
-		}
-		if (policy->cps_uri)
-		{
-			printf("             CPS: %s\n", policy->cps_uri);
-		}
-		if (policy->unotice_text)
-		{
-			printf("             Notice: %s\n", policy->unotice_text);
-
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	first = TRUE;
-	enumerator = x509->create_policy_mapping_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &mapping))
-	{
-		char *issuer_oid, *subject_oid;
-
-		if (first)
-		{
-			printf("PolicyMappings:\n");
-			first = FALSE;
-		}
-		issuer_oid = asn1_oid_to_string(mapping->issuer);
-		subject_oid = asn1_oid_to_string(mapping->subject);
-		printf("           %s => %s\n", issuer_oid, subject_oid);
-		free(issuer_oid);
-		free(subject_oid);
-	}
-	enumerator->destroy(enumerator);
-
-	explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
-	inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
-	len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
-
-	if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
-		len != X509_NO_CONSTRAINT)
-	{
-		printf("PolicyConstraints:\n");
-		if (explicit != X509_NO_CONSTRAINT)
-		{
-			printf("           requireExplicitPolicy: %d\n", explicit);
-		}
-		if (inhibit != X509_NO_CONSTRAINT)
-		{
-			printf("           inhibitPolicyMapping: %d\n", inhibit);
-		}
-		if (len != X509_NO_CONSTRAINT)
-		{
-			printf("           inhibitAnyPolicy: %d\n", len);
-		}
-	}
-
-	chunk = x509->get_authKeyIdentifier(x509);
-	if (chunk.ptr)
-	{
-		printf("authkeyId: %#B\n", &chunk);
-	}
-
-	chunk = x509->get_subjectKeyIdentifier(x509);
-	if (chunk.ptr)
-	{
-		printf("subjkeyId: %#B\n", &chunk);
-	}
-	if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
-	{
-		first = TRUE;
-		printf("addresses: ");
-		enumerator = x509->create_ipAddrBlock_enumerator(x509);
-		while (enumerator->enumerate(enumerator, &block))
-		{
-			if (first)
-			{
-				first = FALSE;
-			}
-			else
-			{
-				printf(", ");
-			}
-			printf("%R", block);
-		}
-		enumerator->destroy(enumerator);
-		printf("\n");
-	}
-}
-
-/**
- * Print CRL specific information
- */
-static void print_crl(crl_t *crl)
-{
-	enumerator_t *enumerator;
-	time_t ts;
-	crl_reason_t reason;
-	chunk_t chunk;
-	int count = 0;
-	bool first;
-	char buf[64];
-	struct tm tm;
-	x509_cdp_t *cdp;
-
-	chunk = chunk_skip_zero(crl->get_serial(crl));
-	printf("serial:    %#B\n", &chunk);
-
-	if (crl->is_delta_crl(crl, &chunk))
-	{
-		chunk = chunk_skip_zero(chunk);
-		printf("delta CRL: for serial %#B\n", &chunk);
-	}
-	chunk = crl->get_authKeyIdentifier(crl);
-	printf("authKeyId: %#B\n", &chunk);
-
-	first = TRUE;
-	enumerator = crl->create_delta_crl_uri_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &cdp))
-	{
-		if (first)
-		{
-			printf("freshest:  %s", cdp->uri);
-			first = FALSE;
-		}
-		else
-		{
-			printf("           %s", cdp->uri);
-		}
-		if (cdp->issuer)
-		{
-			printf(" (CRL issuer: %Y)", cdp->issuer);
-		}
-		printf("\n");
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = crl->create_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
-	{
-		count++;
-	}
-	enumerator->destroy(enumerator);
-
-	printf("%d revoked certificate%s%s\n", count,
-		   count == 1 ? "" : "s", count ? ":" : "");
-	enumerator = crl->create_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
-	{
-		chunk = chunk_skip_zero(chunk);
-		localtime_r(&ts, &tm);
-		strftime(buf, sizeof(buf), "%F %T", &tm);
-		printf("    %#B %N %s\n", &chunk, crl_reason_names, reason, buf);
-		count++;
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Print AC specific information
- */
-static void print_ac(ac_t *ac)
-{
-	ac_group_type_t type;
-	identification_t *id;
-	enumerator_t *groups;
-	chunk_t chunk;
-	bool first = TRUE;
-
-	chunk = chunk_skip_zero(ac->get_serial(ac));
-	printf("serial:    %#B\n", &chunk);
-
-	id = ac->get_holderIssuer(ac);
-	if (id)
-	{
-		printf("hissuer:  \"%Y\"\n", id);
-	}
-	chunk = chunk_skip_zero(ac->get_holderSerial(ac));
-	if (chunk.ptr)
-	{
-		printf("hserial:   %#B\n", &chunk);
-	}
-	groups = ac->create_group_enumerator(ac);
-	while (groups->enumerate(groups, &type, &chunk))
-	{
-		int oid;
-		char *str;
-
-		if (first)
+		printf("  privkey:   %N %d bits\n", key_type_names,
+			   public->get_type(public), public->get_keysize(public));
+		if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
 		{
-			printf("groups:    ");
-			first = FALSE;
+			printf("  keyid:     %#B\n", &chunk);
 		}
-		else
+		if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
 		{
-			printf("           ");
+			printf("  subjkey:   %#B\n", &chunk);
 		}
-		switch (type)
-		{
-			case AC_GROUP_TYPE_STRING:
-				printf("%.*s", (int)chunk.len, chunk.ptr);
-				break;
-			case AC_GROUP_TYPE_OID:
-				oid = asn1_known_oid(chunk);
-				if (oid == OID_UNKNOWN)
-				{
-					str = asn1_oid_to_string(chunk);
-					if (str)
-					{
-						printf("%s", str);
-						free(str);
-					}
-					else
-					{
-						printf("OID:%#B", &chunk);
-					}
-				}
-				else
-				{
-					printf("%s", oid_names[oid].name);
-				}
-				break;
-			case AC_GROUP_TYPE_OCTETS:
-				printf("%#B", &chunk);
-				break;
-		}
-		printf("\n");
-	}
-	groups->destroy(groups);
-
-	chunk = ac->get_authKeyIdentifier(ac);
-	if (chunk.ptr)
-	{
-		printf("authkey:  %#B\n", &chunk);
-	}
-}
-
-/**
- * Print certificate information
- */
-static void print_cert(certificate_t *cert)
-{
-	time_t now, notAfter, notBefore;
-	public_key_t *key;
-
-	now = time(NULL);
-
-	printf("cert:      %N\n", certificate_type_names, cert->get_type(cert));
-	if (cert->get_type(cert) != CERT_X509_CRL)
-	{
-		printf("subject:  \"%Y\"\n", cert->get_subject(cert));
-	}
-	printf("issuer:   \"%Y\"\n", cert->get_issuer(cert));
-
-	cert->get_validity(cert, &now, &notBefore, &notAfter);
-	printf("validity:  not before %T, ", &notBefore, FALSE);
-	if (now < notBefore)
-	{
-		printf("not valid yet (valid in %V)\n", &now, &notBefore);
-	}
-	else
-	{
-		printf("ok\n");
-	}
-	printf("           not after  %T, ", &notAfter, FALSE);
-	if (now > notAfter)
-	{
-		printf("expired (%V ago)\n", &now, &notAfter);
+		public->destroy(public);
 	}
 	else
 	{
-		printf("ok (expires in %V)\n", &now, &notAfter);
-	}
-
-	switch (cert->get_type(cert))
-	{
-		case CERT_X509:
-			print_x509((x509_t*)cert);
-			break;
-		case CERT_X509_CRL:
-			print_crl((crl_t*)cert);
-			break;
-		case CERT_X509_AC:
-			print_ac((ac_t*)cert);
-			break;
-		default:
-			printf("parsing certificate subtype %N not implemented\n",
-				   certificate_type_names, cert->get_type(cert));
-			break;
-	}
-	key = cert->get_public_key(cert);
-	if (key)
-	{
-		print_pubkey(key);
-		key->destroy(key);
+		printf("extracting public from private key failed\n");
 	}
 }
 
@@ -586,8 +86,8 @@ static int print()
 				}
 				else if (streq(arg, "pub"))
 				{
-					type = CRED_PUBLIC_KEY;
-					subtype = KEY_ANY;
+					type = CRED_CERTIFICATE;
+					subtype = CERT_TRUSTED_PUBKEY;
 				}
 				else if (streq(arg, "rsa-priv"))
 				{
@@ -647,17 +147,13 @@ static int print()
 	if (type == CRED_CERTIFICATE)
 	{
 		certificate_t *cert = (certificate_t*)cred;
+		certificate_printer_t *printer;
 
-		print_cert(cert);
+		printer = certificate_printer_create(stdout, TRUE, FALSE);
+		printer->print(printer, cert, FALSE);
+		printer->destroy(printer);
 		cert->destroy(cert);
 	}
-	if (type == CRED_PUBLIC_KEY)
-	{
-		public_key_t *key = (public_key_t*)cred;
-
-		print_pubkey(key);
-		key->destroy(key);
-	}
 	if (type == CRED_PRIVATE_KEY)
 	{
 		private_key_t *key = (private_key_t*)cred;
@@ -665,6 +161,7 @@ static int print()
 		print_key(key);
 		key->destroy(key);
 	}
+
 	return 0;
 }
 
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index 62942d108..e61230929 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -370,6 +370,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/pool/Makefile.am b/src/pool/Makefile.am
index 5ae624b88..1513bbff4 100644
--- a/src/pool/Makefile.am
+++ b/src/pool/Makefile.am
@@ -10,13 +10,11 @@ pool.o :	$(top_builddir)/config.status
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${pool_plugins}\""
 
 pool_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la
 
 endif USE_ATTR_SQL
diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in
index b9557547a..3d9adb14d 100644
--- a/src/pool/Makefile.in
+++ b/src/pool/Makefile.in
@@ -109,7 +109,6 @@ am__pool_SOURCES_DIST = pool.c pool_attributes.c pool_attributes.h \
 @USE_ATTR_SQL_TRUE@	pool_usage.$(OBJEXT)
 pool_OBJECTS = $(am_pool_OBJECTS)
 @USE_ATTR_SQL_TRUE@pool_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la \
-@USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libhydra/libhydra.la \
 @USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libcharon/libcharon.la
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -416,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -435,13 +436,11 @@ xml_LIBS = @xml_LIBS@
 
 @USE_ATTR_SQL_TRUE@AM_CPPFLAGS = \
 @USE_ATTR_SQL_TRUE@	-I$(top_srcdir)/src/libstrongswan \
-@USE_ATTR_SQL_TRUE@	-I$(top_srcdir)/src/libhydra \
 @USE_ATTR_SQL_TRUE@	-I$(top_srcdir)/src/libcharon \
 @USE_ATTR_SQL_TRUE@	-DPLUGINS=\""${pool_plugins}\""
 
 @USE_ATTR_SQL_TRUE@pool_LDADD = \
 @USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-@USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libhydra/libhydra.la \
 @USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libcharon/libcharon.la
 
 templatesdir = $(pkgdatadir)/templates/database/sql
diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in
index a02db98f2..2ab3cbf3d 100644
--- a/src/pt-tls-client/Makefile.in
+++ b/src/pt-tls-client/Makefile.in
@@ -385,6 +385,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index b3beb1b68..13116723b 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -6,7 +6,6 @@ scepclient.o :	$(top_builddir)/config.status
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
 	-DPLUGINS=\""${scepclient_plugins}\""
 
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index bcc70cb1b..141db6993 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -412,6 +412,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -430,7 +432,6 @@ scepclient.c scep.c scep.h
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
 	-DPLUGINS=\""${scepclient_plugins}\""
 
diff --git a/src/starter/Android.mk b/src/starter/Android.mk
index 8c5d1a92f..e882cc7e2 100644
--- a/src/starter/Android.mk
+++ b/src/starter/Android.mk
@@ -14,7 +14,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(starter_SOURCES))
 # build starter ----------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(strongswan_PATH)/src/libhydra \
 	$(strongswan_PATH)/src/libstrongswan \
 	$(strongswan_PATH)/src/starter \
 	$(strongswan_PATH)/src/stroke
@@ -33,7 +32,7 @@ LOCAL_PRELINK_MODULE := false
 
 LOCAL_REQUIRED_MODULES := stroke
 
-LOCAL_SHARED_LIBRARIES += libstrongswan libhydra
+LOCAL_SHARED_LIBRARIES += libstrongswan
 
 include $(BUILD_EXECUTABLE)
 
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 7f5d1ca5b..8341ca3ee 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -15,7 +15,7 @@ parser/parser.y parser/lexer.l parser/conf_parser.c parser/conf_parser.h
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/starter \
 	-I$(top_srcdir)/src/stroke \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
@@ -32,7 +32,7 @@ AM_YFLAGS = -v -d
 
 starter_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
 	libstarter.la \
 	$(SOCKLIB) $(PTHREADLIB)
 
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 3166cc5d5..31e0e9d42 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -123,7 +123,7 @@ starter_OBJECTS = $(am_starter_OBJECTS)
 am__DEPENDENCIES_1 =
 starter_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la libstarter.la \
+	$(top_builddir)/src/libcharon/libcharon.la libstarter.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -457,6 +457,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -484,7 +486,7 @@ libstarter_la_SOURCES = \
 parser/parser.y parser/lexer.l parser/conf_parser.c parser/conf_parser.h
 
 AM_CPPFLAGS = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/starter \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/starter \
 	-I$(top_srcdir)/src/stroke -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
 	-DIPSEC_EAPDIR=\"${eapdir}\" \
@@ -496,7 +498,7 @@ AM_CPPFLAGS = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
 AM_YFLAGS = -v -d
 starter_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
 	libstarter.la \
 	$(SOCKLIB) $(PTHREADLIB)
 
diff --git a/src/starter/confread.c b/src/starter/confread.c
index c3a0ac07f..897aa423e 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -40,8 +40,8 @@
 #define SA_REPLACEMENT_RETRIES_DEFAULT   3
 #define SA_REPLAY_WINDOW_DEFAULT        -1 /* use charon.replay_window */
 
-static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
-static const char esp_defaults[] = "aes128-sha1,3des-sha1";
+static const char ike_defaults[] = "aes128-sha256-modp3072";
+static const char esp_defaults[] = "aes128-sha256";
 
 static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";
 
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
index 3eb6973a1..b150d3e80 100644
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -17,7 +17,6 @@
 #include <stdlib.h>
 
 #include <library.h>
-#include <hydra.h>
 #include <utils/debug.h>
 
 #include "files.h"
diff --git a/src/starter/starter.c b/src/starter/starter.c
index ab1ebdd5d..45c28d3cc 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -33,7 +33,6 @@
 #include <pthread.h>
 
 #include <library.h>
-#include <hydra.h>
 #include <utils/backtrace.h>
 #include <threading/thread.h>
 #include <utils/debug.h>
@@ -427,9 +426,6 @@ int main (int argc, char **argv)
 	library_init(NULL, "starter");
 	atexit(library_deinit);
 
-	libhydra_init();
-	atexit(libhydra_deinit);
-
 	/* parse command line */
 	for (i = 1; i < argc; i++)
 	{
diff --git a/src/starter/tests/Makefile.in b/src/starter/tests/Makefile.in
index b26125501..58daacfb3 100644
--- a/src/starter/tests/Makefile.in
+++ b/src/starter/tests/Makefile.in
@@ -410,6 +410,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index c32ebf905..e7bfd9d57 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -384,6 +384,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 2dfb66d7c..6571815e5 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -279,7 +279,7 @@ static int list_flags[] = {
 	LIST_ALL
 };
 
-static int list(stroke_keyword_t kw, int utc)
+static int list(stroke_keyword_t kw, bool utc)
 {
 	stroke_msg_t *msg;
 
@@ -433,9 +433,9 @@ static int usage(char *error)
 	fprintf(out, "  Show extended status information without blocking:\n");
 	fprintf(out, "    stroke statusall-nb\n");
 	fprintf(out, "  Show list of authority and attribute certificates:\n");
-	fprintf(out, "    stroke listcacerts|listocspcerts|listaacerts|listacerts\n");
+	fprintf(out, "    stroke listcacerts|listocspcerts|listaacerts|listacerts [--utc]\n");
 	fprintf(out, "  Show list of end entity certificates, ca info records  and crls:\n");
-	fprintf(out, "    stroke listcerts|listcainfos|listcrls|listall\n");
+	fprintf(out, "    stroke listcerts|listcainfos|listcrls|listall [--utc]\n");
 	fprintf(out, "  Show list of supported algorithms:\n");
 	fprintf(out, "    stroke listalgs\n");
 	fprintf(out, "  Reload authority and attribute certificates:\n");
@@ -478,6 +478,7 @@ int main(int argc, char *argv[])
 {
 	const stroke_token_t *token;
 	char *cmd;
+	bool utc = FALSE;
 	int res = 0;
 
 	library_init(NULL, "stroke");
@@ -487,6 +488,7 @@ int main(int argc, char *argv[])
 	{
 		struct option long_opts[] = {
 			{"help",		no_argument,		NULL,	'h' },
+			{"utc",			no_argument,		NULL,	'u' },
 			{"daemon",		required_argument,	NULL,	'd' },
 			{0,0,0,0},
 		};
@@ -499,6 +501,9 @@ int main(int argc, char *argv[])
 			case 'd':
 				daemon_name = optarg;
 				continue;
+			case 'u':
+				utc = TRUE;
+				continue;
 			default:
 				return usage("invalid option");
 		}
@@ -611,7 +616,7 @@ int main(int argc, char *argv[])
 		case STROKE_LIST_ALGS:
 		case STROKE_LIST_PLUGINS:
 		case STROKE_LIST_ALL:
-			res = list(token->kw, argc && streq(argv[0], "--utc"));
+			res = list(token->kw, utc);
 			break;
 		case STROKE_REREAD_SECRETS:
 		case STROKE_REREAD_CACERTS:
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index 703e5746a..fb027149a 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@@ -4,6 +4,7 @@ swanctl_SOURCES = \
 	command.c command.h \
 	commands/initiate.c \
 	commands/terminate.c \
+	commands/redirect.c \
 	commands/install.c \
 	commands/list_sas.c \
 	commands/list_pols.c \
@@ -11,6 +12,7 @@ swanctl_SOURCES = \
 	commands/list_conns.c \
 	commands/list_certs.c \
 	commands/list_pools.c \
+	commands/list_algs.c \
 	commands/load_all.c \
 	commands/load_authorities.h  commands/load_authorities.c \
 	commands/load_conns.c commands/load_conns.h \
@@ -24,7 +26,8 @@ swanctl_SOURCES = \
 
 swanctl_LDADD = \
 	$(top_builddir)/src/libcharon/plugins/vici/libvici.la \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(PTHREADLIB) $(DLLIB)
 
 swanctl.o :		$(top_builddir)/config.status
 
@@ -62,10 +65,13 @@ install-data-local: swanctl.conf
 	test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true
+	test -e "$(DESTDIR)$(swanctldir)/x509ocsp" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ocsp" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
+	test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
 	test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
+	test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
 	test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true
 	test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true
 	test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true
diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in
index a4d853cb1..94921af6d 100644
--- a/src/swanctl/Makefile.in
+++ b/src/swanctl/Makefile.in
@@ -105,20 +105,24 @@ am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man5dir)" \
 PROGRAMS = $(sbin_PROGRAMS)
 am__dirstamp = $(am__leading_dot)dirstamp
 am_swanctl_OBJECTS = command.$(OBJEXT) commands/initiate.$(OBJEXT) \
-	commands/terminate.$(OBJEXT) commands/install.$(OBJEXT) \
-	commands/list_sas.$(OBJEXT) commands/list_pols.$(OBJEXT) \
+	commands/terminate.$(OBJEXT) commands/redirect.$(OBJEXT) \
+	commands/install.$(OBJEXT) commands/list_sas.$(OBJEXT) \
+	commands/list_pols.$(OBJEXT) \
 	commands/list_authorities.$(OBJEXT) \
 	commands/list_conns.$(OBJEXT) commands/list_certs.$(OBJEXT) \
-	commands/list_pools.$(OBJEXT) commands/load_all.$(OBJEXT) \
+	commands/list_pools.$(OBJEXT) commands/list_algs.$(OBJEXT) \
+	commands/load_all.$(OBJEXT) \
 	commands/load_authorities.$(OBJEXT) \
 	commands/load_conns.$(OBJEXT) commands/load_creds.$(OBJEXT) \
 	commands/load_pools.$(OBJEXT) commands/log.$(OBJEXT) \
 	commands/version.$(OBJEXT) commands/stats.$(OBJEXT) \
 	commands/reload_settings.$(OBJEXT) swanctl.$(OBJEXT)
 swanctl_OBJECTS = $(am_swanctl_OBJECTS)
+am__DEPENDENCIES_1 =
 swanctl_DEPENDENCIES =  \
 	$(top_builddir)/src/libcharon/plugins/vici/libvici.la \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
@@ -427,6 +431,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -444,6 +450,7 @@ swanctl_SOURCES = \
 	command.c command.h \
 	commands/initiate.c \
 	commands/terminate.c \
+	commands/redirect.c \
 	commands/install.c \
 	commands/list_sas.c \
 	commands/list_pols.c \
@@ -451,6 +458,7 @@ swanctl_SOURCES = \
 	commands/list_conns.c \
 	commands/list_certs.c \
 	commands/list_pools.c \
+	commands/list_algs.c \
 	commands/load_all.c \
 	commands/load_authorities.h  commands/load_authorities.c \
 	commands/load_conns.c commands/load_conns.h \
@@ -464,7 +472,8 @@ swanctl_SOURCES = \
 
 swanctl_LDADD = \
 	$(top_builddir)/src/libcharon/plugins/vici/libvici.la \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(PTHREADLIB) $(DLLIB)
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
@@ -579,6 +588,8 @@ commands/initiate.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/terminate.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
+commands/redirect.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
 commands/install.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/list_sas.$(OBJEXT): commands/$(am__dirstamp) \
@@ -593,6 +604,8 @@ commands/list_certs.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/list_pools.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
+commands/list_algs.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
 commands/load_all.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/load_authorities.$(OBJEXT): commands/$(am__dirstamp) \
@@ -627,6 +640,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/swanctl.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/initiate.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/install.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_algs.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_authorities.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_certs.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_conns.Po@am__quote@
@@ -639,6 +653,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_creds.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_pools.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/log.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/redirect.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/reload_settings.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/stats.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/terminate.Po@am__quote@
@@ -1001,10 +1016,13 @@ install-data-local: swanctl.conf
 	test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true
+	test -e "$(DESTDIR)$(swanctldir)/x509ocsp" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ocsp" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
+	test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
 	test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
+	test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
 	test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true
 	test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true
 	test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true
diff --git a/src/swanctl/command.c b/src/swanctl/command.c
index 26c41346c..fd9bc0083 100644
--- a/src/swanctl/command.c
+++ b/src/swanctl/command.c
@@ -176,6 +176,15 @@ void command_register(command_t command)
 				"uri",		'u', 1, "service URI to connect to"
 			};
 		}
+		for (i = 0; cmds[registered].line[i]; i++)
+		{
+			if (i == MAX_LINES - 1)
+			{
+				fprintf(stderr, "command '%s' specifies too many usage summary "
+						"lines, please increase MAX_LINES\n", command.cmd);
+				break;
+			}
+		}
 	}
 	registered++;
 }
@@ -217,7 +226,7 @@ int command_usage(char *error, ...)
 	}
 	else
 	{
-		for (i = 0; cmds[active].line[i]; i++)
+		for (i = 0; i < MAX_LINES && cmds[active].line[i]; i++)
 		{
 			if (i == 0)
 			{
diff --git a/src/swanctl/command.h b/src/swanctl/command.h
index 0760d1384..8d0a2e6b9 100644
--- a/src/swanctl/command.h
+++ b/src/swanctl/command.h
@@ -27,12 +27,12 @@
 /**
  * Maximum number of commands (+1).
  */
-#define MAX_COMMANDS 21
+#define MAX_COMMANDS 23
 
 /**
  * Maximum number of options in a command (+3)
  */
-#define MAX_OPTIONS 32
+#define MAX_OPTIONS 34
 
 /**
  * Maximum number of usage summary lines (+1)
diff --git a/src/swanctl/commands/list_algs.c b/src/swanctl/commands/list_algs.c
new file mode 100644
index 000000000..616e6ff75
--- /dev/null
+++ b/src/swanctl/commands/list_algs.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "command.h"
+
+#include <errno.h>
+
+CALLBACK(algs, int,
+	void *null, vici_res_t *res, char *name, void *value, int len)
+{
+	if (chunk_printable(chunk_create(value, len), NULL, ' '))
+	{
+		printf("  %s[%.*s]\n", name, len, value);
+	}
+	return 0;
+}
+
+CALLBACK(types, int,
+	void *null, vici_res_t *res, char *name)
+{
+	printf("%s:\n", name);
+	return vici_parse_cb(res, NULL, algs, NULL, NULL);
+}
+
+static int algorithms(vici_conn_t *conn)
+{
+	vici_req_t *req;
+	vici_res_t *res;
+	char *arg;
+	command_format_options_t format = COMMAND_FORMAT_NONE;
+	int ret;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 'P':
+				format |= COMMAND_FORMAT_PRETTY;
+				/* fall through to raw */
+			case 'r':
+				format |= COMMAND_FORMAT_RAW;
+				continue;
+			case EOF:
+				break;
+			default:
+				return command_usage("invalid --list-algs option");
+		}
+		break;
+	}
+
+	req = vici_begin("get-algorithms");
+	res = vici_submit(req, conn);
+	if (!res)
+	{
+		ret = errno;
+		fprintf(stderr, "get-algorithms request failed: %s\n", strerror(errno));
+		return ret;
+	}
+	if (format & COMMAND_FORMAT_RAW)
+	{
+		vici_dump(res, "get-algorithms reply", format & COMMAND_FORMAT_PRETTY,
+				  stdout);
+	}
+	else
+	{
+		if (vici_parse_cb(res, types, NULL, NULL, NULL) != 0)
+		{
+			fprintf(stderr, "parsing get-algorithms reply failed: %s\n",
+					strerror(errno));
+		}
+	}
+	vici_free_res(res);
+	return 0;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		algorithms, 'g', "list-algs", "show loaded algorithms",
+		{"[--raw|--pretty]"},
+		{
+			{"help",		'h', 0, "show usage information"},
+			{"raw",			'r', 0, "dump raw response message"},
+			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+		}
+	});
+}
diff --git a/src/swanctl/commands/list_certs.c b/src/swanctl/commands/list_certs.c
index 167f8d848..e9c964771 100644
--- a/src/swanctl/commands/list_certs.c
+++ b/src/swanctl/commands/list_certs.c
@@ -24,14 +24,17 @@
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
 #include <credentials/certificates/certificate.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/ac.h>
+#include <credentials/certificates/certificate_printer.h>
 #include <selectors/traffic_selector.h>
 
 #include "command.h"
 
 /**
+ * Static certificate printer object
+ */
+static certificate_printer_t *cert_printer = NULL;
+
+/**
  * Print PEM encoding of a certificate
  */
 static void print_pem(certificate_t *cert)
@@ -49,541 +52,99 @@ static void print_pem(certificate_t *cert)
 	}
 }
 
-/**
- * Print public key information
- */
-static void print_pubkey(public_key_t *key, bool has_privkey)
-{
-	chunk_t chunk;
-
-	printf("pubkey:    %N %d bits", key_type_names, key->get_type(key),
-		   key->get_keysize(key));
-	if (has_privkey)
-	{
-		printf(", has private key");
-	}
-	printf("\n");
-	if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
-	{
-		printf("keyid:     %#B\n", &chunk);
-	}
-	if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
-	{
-		printf("subjkey:   %#B\n", &chunk);
-	}
-}
-
-/**
- * Print X509 specific certificate information
- */
-static void print_x509(x509_t *x509)
+CALLBACK(list_cb, void,
+	command_format_options_t *format, char *name, vici_res_t *res)
 {
-	enumerator_t *enumerator;
-	identification_t *id;
-	traffic_selector_t *block;
-	chunk_t chunk;
-	bool first;
-	char *uri;
-	int len, explicit, inhibit;
-	x509_flag_t flags;
-	x509_cdp_t *cdp;
-	x509_cert_policy_t *policy;
-	x509_policy_mapping_t *mapping;
-
-	chunk = chunk_skip_zero(x509->get_serial(x509));
-	printf("serial:    %#B\n", &chunk);
-
-	first = TRUE;
-	enumerator = x509->create_subjectAltName_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &id))
-	{
-		if (first)
-		{
-			printf("altNames:  ");
-			first = FALSE;
-		}
-		else
-		{
-			printf(", ");
-		}
-		printf("%Y", id);
-	}
-	if (!first)
-	{
-		printf("\n");
-	}
-	enumerator->destroy(enumerator);
-
-	flags = x509->get_flags(x509);
-	printf("flags:     ");
-	if (flags & X509_CA)
-	{
-		printf("CA ");
-	}
-	if (flags & X509_CRL_SIGN)
-	{
-		printf("CRLSign ");
-	}
-	if (flags & X509_AA)
-	{
-		printf("AA ");
-	}
-	if (flags & X509_OCSP_SIGNER)
-	{
-		printf("OCSP ");
-	}
-	if (flags & X509_AA)
-	{
-		printf("AA ");
-	}
-	if (flags & X509_SERVER_AUTH)
-	{
-		printf("serverAuth ");
-	}
-	if (flags & X509_CLIENT_AUTH)
-	{
-		printf("clientAuth ");
-	}
-	if (flags & X509_IKE_INTERMEDIATE)
-	{
-		printf("iKEIntermediate ");
-	}
-	if (flags & X509_SELF_SIGNED)
-	{
-		printf("self-signed ");
-	}
-	printf("\n");
-
-	first = TRUE;
-	enumerator = x509->create_crl_uri_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &cdp))
-	{
-		if (first)
-		{
-			printf("CRL URIs:  %s", cdp->uri);
-			first = FALSE;
-		}
-		else
-		{
-			printf("           %s", cdp->uri);
-		}
-		if (cdp->issuer)
-		{
-			printf(" (CRL issuer: %Y)", cdp->issuer);
-		}
-		printf("\n");
-	}
-	enumerator->destroy(enumerator);
-
-	first = TRUE;
-	enumerator = x509->create_ocsp_uri_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &uri))
-	{
-		if (first)
-		{
-			printf("OCSP URIs: %s\n", uri);
-			first = FALSE;
-		}
-		else
-		{
-			printf("           %s\n", uri);
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	len = x509->get_constraint(x509, X509_PATH_LEN);
-	if (len != X509_NO_CONSTRAINT)
-	{
-		printf("pathlen:   %d\n", len);
-	}
-
-	first = TRUE;
-	enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
-	while (enumerator->enumerate(enumerator, &id))
-	{
-		if (first)
-		{
-			printf("Permitted NameConstraints:\n");
-			first = FALSE;
-		}
-		printf("           %Y\n", id);
-	}
-	enumerator->destroy(enumerator);
-	first = TRUE;
-	enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
-	while (enumerator->enumerate(enumerator, &id))
-	{
-		if (first)
-		{
-			printf("Excluded NameConstraints:\n");
-			first = FALSE;
-		}
-		printf("           %Y\n", id);
-	}
-	enumerator->destroy(enumerator);
-
-	first = TRUE;
-	enumerator = x509->create_cert_policy_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &policy))
-	{
-		char *oid;
-
-		if (first)
-		{
-			printf("CertificatePolicies:\n");
-			first = FALSE;
-		}
-		oid = asn1_oid_to_string(policy->oid);
-		if (oid)
-		{
-			printf("           %s\n", oid);
-			free(oid);
-		}
-		else
-		{
-			printf("           %#B\n", &policy->oid);
-		}
-		if (policy->cps_uri)
-		{
-			printf("             CPS: %s\n", policy->cps_uri);
-		}
-		if (policy->unotice_text)
-		{
-			printf("             Notice: %s\n", policy->unotice_text);
-
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	first = TRUE;
-	enumerator = x509->create_policy_mapping_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &mapping))
-	{
-		char *issuer_oid, *subject_oid;
-
-		if (first)
-		{
-			printf("PolicyMappings:\n");
-			first = FALSE;
-		}
-		issuer_oid = asn1_oid_to_string(mapping->issuer);
-		subject_oid = asn1_oid_to_string(mapping->subject);
-		printf("           %s => %s\n", issuer_oid, subject_oid);
-		free(issuer_oid);
-		free(subject_oid);
-	}
-	enumerator->destroy(enumerator);
-
-	explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
-	inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
-	len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
+	certificate_t *cert;
+	certificate_type_t type;
+	x509_flag_t flag = X509_NONE;
+	identification_t *subject = NULL;
+	time_t not_before = UNDEFINED_TIME;
+	time_t not_after  = UNDEFINED_TIME;
+	chunk_t t_ch;
+	bool has_privkey;
+	char *str;
+	void *buf;
+	int len;
 
-	if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
-		len != X509_NO_CONSTRAINT)
+	if (*format & COMMAND_FORMAT_RAW)
 	{
-		printf("PolicyConstraints:\n");
-		if (explicit != X509_NO_CONSTRAINT)
-		{
-			printf("           requireExplicitPolicy: %d\n", explicit);
-		}
-		if (inhibit != X509_NO_CONSTRAINT)
-		{
-			printf("           inhibitPolicyMapping: %d\n", inhibit);
-		}
-		if (len != X509_NO_CONSTRAINT)
-		{
-			printf("           inhibitAnyPolicy: %d\n", len);
-		}
+		vici_dump(res, "list-cert event", *format & COMMAND_FORMAT_PRETTY,
+				  stdout);
+		return;
 	}
 
-	chunk = x509->get_authKeyIdentifier(x509);
-	if (chunk.ptr)
+	buf = vici_find(res, &len, "data");
+	if (!buf)
 	{
-		printf("authkeyId: %#B\n", &chunk);
+		fprintf(stderr, "received incomplete certificate data\n");
+		return;
 	}
+	has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
 
-	chunk = x509->get_subjectKeyIdentifier(x509);
-	if (chunk.ptr)
+	str = vici_find_str(res, "ANY", "type");
+	if (!enum_from_name(certificate_type_names, str, &type) || type == CERT_ANY)
 	{
-		printf("subjkeyId: %#B\n", &chunk);
+		fprintf(stderr, "unsupported certificate type '%s'\n", str);
+		return;
 	}
-	if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+	if (type == CERT_X509)
 	{
-		first = TRUE;
-		printf("addresses: ");
-		enumerator = x509->create_ipAddrBlock_enumerator(x509);
-		while (enumerator->enumerate(enumerator, &block))
+		str = vici_find_str(res, "ANY", "flag");
+		if (!enum_from_name(x509_flag_names, str, &flag) || flag == X509_ANY)
 		{
-			if (first)
-			{
-				first = FALSE;
-			}
-			else
-			{
-				printf(", ");
-			}
-			printf("%R", block);
+			fprintf(stderr, "unsupported certificate flag '%s'\n", str);
+			return;
 		}
-		enumerator->destroy(enumerator);
-		printf("\n");
 	}
-}
-
-/**
- * Print CRL specific information
- */
-static void print_crl(crl_t *crl)
-{
-	enumerator_t *enumerator;
-	time_t ts;
-	crl_reason_t reason;
-	chunk_t chunk;
-	int count = 0;
-	bool first;
-	char buf[64];
-	struct tm tm;
-	x509_cdp_t *cdp;
-
-	chunk = chunk_skip_zero(crl->get_serial(crl));
-	printf("serial:    %#B\n", &chunk);
-
-	if (crl->is_delta_crl(crl, &chunk))
-	{
-		chunk = chunk_skip_zero(chunk);
-		printf("delta CRL: for serial %#B\n", &chunk);
-	}
-	chunk = crl->get_authKeyIdentifier(crl);
-	printf("authKeyId: %#B\n", &chunk);
-
-	first = TRUE;
-	enumerator = crl->create_delta_crl_uri_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &cdp))
+	if (type == CERT_TRUSTED_PUBKEY)
 	{
-		if (first)
+		str = vici_find_str(res, NULL, "subject");
+		if (str)
 		{
-			printf("freshest:  %s", cdp->uri);
-			first = FALSE;
+			subject = identification_create_from_string(str);
 		}
-		else
+		str = vici_find_str(res, NULL, "not-before");
+		if (str)
 		{
-			printf("           %s", cdp->uri);
+			t_ch = chunk_from_str(str);
+			not_before = asn1_to_time(&t_ch, ASN1_GENERALIZEDTIME);
 		}
-		if (cdp->issuer)
+		str = vici_find_str(res, NULL, "not-after");
+		if (str)
 		{
-			printf(" (CRL issuer: %Y)", cdp->issuer);
+			t_ch = chunk_from_str(str);
+			not_after = asn1_to_time(&t_ch, ASN1_GENERALIZEDTIME);
 		}
-		printf("\n");
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+								  BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
+								  BUILD_NOT_BEFORE_TIME, not_before,
+								  BUILD_NOT_AFTER_TIME, not_after,
+								  BUILD_SUBJECT, subject, BUILD_END);
+		DESTROY_IF(subject);
 	}
-	enumerator->destroy(enumerator);
-
-	enumerator = crl->create_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
-	{
-		count++;
-	}
-	enumerator->destroy(enumerator);
-
-	printf("%d revoked certificate%s%s\n", count,
-		   count == 1 ? "" : "s", count ? ":" : "");
-	enumerator = crl->create_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
-	{
-		chunk = chunk_skip_zero(chunk);
-		localtime_r(&ts, &tm);
-		strftime(buf, sizeof(buf), "%F %T", &tm);
-		printf("    %#B: %s, %N\n", &chunk, buf, crl_reason_names, reason);
-		count++;
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Print AC specific information
- */
-static void print_ac(ac_t *ac)
-{
-	ac_group_type_t type;
-	identification_t *id;
-	enumerator_t *groups;
-	chunk_t chunk;
-	bool first = TRUE;
-
-	chunk = chunk_skip_zero(ac->get_serial(ac));
-	printf("serial:    %#B\n", &chunk);
-
-	id = ac->get_holderIssuer(ac);
-	if (id)
-	{
-		printf("hissuer:  \"%Y\"\n", id);
-	}
-	chunk = chunk_skip_zero(ac->get_holderSerial(ac));
-	if (chunk.ptr)
+	else
 	{
-		printf("hserial:   %#B\n", &chunk);
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+								  BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
+								  BUILD_END);
 	}
-	groups = ac->create_group_enumerator(ac);
-	while (groups->enumerate(groups, &type, &chunk))
+	if (cert)
 	{
-		int oid;
-		char *str;
-
-		if (first)
+		if (*format & COMMAND_FORMAT_PEM)
 		{
-			printf("groups:    ");
-			first = FALSE;
+			print_pem(cert);
 		}
 		else
 		{
-			printf("           ");
-		}
-		switch (type)
-		{
-			case AC_GROUP_TYPE_STRING:
-				printf("%.*s", (int)chunk.len, chunk.ptr);
-				break;
-			case AC_GROUP_TYPE_OID:
-				oid = asn1_known_oid(chunk);
-				if (oid == OID_UNKNOWN)
-				{
-					str = asn1_oid_to_string(chunk);
-					if (str)
-					{
-						printf("%s", str);
-						free(str);
-					}
-					else
-					{
-						printf("OID:%#B", &chunk);
-					}
-				}
-				else
-				{
-					printf("%s", oid_names[oid].name);
-				}
-				break;
-			case AC_GROUP_TYPE_OCTETS:
-				printf("%#B", &chunk);
-				break;
+			cert_printer->print_caption(cert_printer, type, flag);
+			cert_printer->print(cert_printer, cert, has_privkey);
 		}
-		printf("\n");
-	}
-	groups->destroy(groups);
-
-	chunk = ac->get_authKeyIdentifier(ac);
-	if (chunk.ptr)
-	{
-		printf("authkey:  %#B\n", &chunk);
-	}
-}
-
-/**
- * Print certificate information
- */
-static void print_cert(certificate_t *cert, bool has_privkey)
-{
-	time_t now, notAfter, notBefore;
-	public_key_t *key;
-
-	now = time(NULL);
-
-	printf("cert:      %N\n", certificate_type_names, cert->get_type(cert));
-	if (cert->get_type(cert) != CERT_X509_CRL)
-	{
-		printf("subject:  \"%Y\"\n", cert->get_subject(cert));
-	}
-	printf("issuer:   \"%Y\"\n", cert->get_issuer(cert));
-
-	cert->get_validity(cert, &now, &notBefore, &notAfter);
-	printf("validity:  not before %T, ", &notBefore, FALSE);
-	if (now < notBefore)
-	{
-		printf("not valid yet (valid in %V)\n", &now, &notBefore);
+		cert->destroy(cert);
 	}
 	else
 	{
-		printf("ok\n");
-	}
-	printf("           not after  %T, ", &notAfter, FALSE);
-	if (now > notAfter)
-	{
-		printf("expired (%V ago)\n", &now, &notAfter);
-	}
-	else
-	{
-		printf("ok (expires in %V)\n", &now, &notAfter);
-	}
-
-	switch (cert->get_type(cert))
-	{
-		case CERT_X509:
-			print_x509((x509_t*)cert);
-			break;
-		case CERT_X509_CRL:
-			print_crl((crl_t*)cert);
-			break;
-		case CERT_X509_AC:
-			print_ac((ac_t*)cert);
-			break;
-		default:
-			fprintf(stderr, "parsing certificate subtype %N not implemented\n",
-					certificate_type_names, cert->get_type(cert));
-			break;
-	}
-	key = cert->get_public_key(cert);
-	if (key)
-	{
-		print_pubkey(key, has_privkey);
-		key->destroy(key);
-	}
-	printf("\n");
-}
-
-CALLBACK(list_cb, void,
-	command_format_options_t *format, char *name, vici_res_t *res)
-{
-	if (*format & COMMAND_FORMAT_RAW)
-	{
-		vici_dump(res, "list-cert event", *format & COMMAND_FORMAT_PRETTY,
-				  stdout);
-	}
-	else
-	{
-		certificate_type_t type;
-		certificate_t *cert;
-		void *buf;
-		int len;
-		bool has_privkey;
-
-		buf = vici_find(res, &len, "data");
-		has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
-		if (enum_from_name(certificate_type_names,
-						   vici_find_str(res, "ANY", "type"), &type) &&
-			type != CERT_ANY && buf)
-		{
-			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
-									BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
-									BUILD_END);
-			if (cert)
-			{
-				if (*format & COMMAND_FORMAT_PEM)
-				{
-					print_pem(cert);
-				}
-				else
-				{
-					print_cert(cert, has_privkey);
-				}
-				cert->destroy(cert);
-			}
-			else
-			{
-				fprintf(stderr, "parsing certificate failed\n");
-			}
-		}
-		else
-		{
-			fprintf(stderr, "received incomplete certificate data\n");
-		}
+		fprintf(stderr, "parsing certificate failed\n");
 	}
 }
 
@@ -592,7 +153,8 @@ static int list_certs(vici_conn_t *conn)
 	vici_req_t *req;
 	vici_res_t *res;
 	command_format_options_t format = COMMAND_FORMAT_NONE;
-	char *arg, *subject = NULL, *type = NULL;
+	char *arg, *subject = NULL, *type = NULL, *flag = NULL;
+	bool detailed = TRUE, utc = FALSE;
 	int ret;
 
 	while (TRUE)
@@ -607,6 +169,9 @@ static int list_certs(vici_conn_t *conn)
 			case 't':
 				type = arg;
 				continue;
+			case 'f':
+				flag = arg;
+				continue;
 			case 'p':
 				format |= COMMAND_FORMAT_PEM;
 				continue;
@@ -616,6 +181,12 @@ static int list_certs(vici_conn_t *conn)
 			case 'r':
 				format |= COMMAND_FORMAT_RAW;
 				continue;
+			case 'S':
+				detailed = FALSE;
+				continue;
+			case 'U':
+				utc = TRUE;
+				continue;
 			case EOF:
 				break;
 			default:
@@ -631,19 +202,28 @@ static int list_certs(vici_conn_t *conn)
 		return ret;
 	}
 	req = vici_begin("list-certs");
+
 	if (type)
 	{
 		vici_add_key_valuef(req, "type", "%s", type);
 	}
+	if (flag)
+	{
+		vici_add_key_valuef(req, "flag", "%s", flag);
+	}
 	if (subject)
 	{
 		vici_add_key_valuef(req, "subject", "%s", subject);
 	}
+	cert_printer = certificate_printer_create(stdout, detailed, utc);
+
 	res = vici_submit(req, conn);
 	if (!res)
 	{
 		ret = errno;
 		fprintf(stderr, "list-certs request failed: %s\n", strerror(errno));
+		cert_printer->destroy(cert_printer);
+		cert_printer = NULL;
 		return ret;
 	}
 	if (format & COMMAND_FORMAT_RAW)
@@ -652,6 +232,9 @@ static int list_certs(vici_conn_t *conn)
 				  stdout);
 	}
 	vici_free_res(res);
+
+	cert_printer->destroy(cert_printer);
+	cert_printer = NULL;
 	return 0;
 }
 
@@ -662,15 +245,19 @@ static void __attribute__ ((constructor))reg()
 {
 	command_register((command_t) {
 		list_certs, 'x', "list-certs", "list stored certificates",
-		{"[--subject <dn/san>] [--type X509|X509_AC|X509_CRL] [--pem] "
-		 "[--raw|--pretty]"},
+		{"[--subject <dn/san>] [--pem]",
+		 "[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]",
+		 "[--flag none|ca|aa|ocsp|any] [--raw|--pretty|--short|--utc]"},
 		{
 			{"help",		'h', 0, "show usage information"},
 			{"subject",		's', 1, "filter by certificate subject"},
 			{"type",		't', 1, "filter by certificate type"},
+			{"flag",		'f', 1, "filter by X.509 certificate flag"},
 			{"pem",			'p', 0, "print PEM encoding of certificate"},
 			{"raw",			'r', 0, "dump raw response message"},
 			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+			{"short",		'S', 0, "omit some certificate details"},
+			{"utc",			'U', 0, "use UTC for time fields"},
 		}
 	});
 }
diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c
index 93dd7ed85..fd080227d 100644
--- a/src/swanctl/commands/list_sas.c
+++ b/src/swanctl/commands/list_sas.c
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -198,16 +201,18 @@ CALLBACK(ike_sa, int,
 			ike->get(ike, "state"), ike->get(ike, "version"),
 			ike->get(ike, "initiator-spi"), ike->get(ike, "responder-spi"));
 
-		printf("  local  '%s' @ %s",
-			ike->get(ike, "local-id"), ike->get(ike, "local-host"));
+		printf("  local  '%s' @ %s[%s]",
+			ike->get(ike, "local-id"), ike->get(ike, "local-host"),
+			ike->get(ike, "local-port"));
 		if (ike->get(ike, "local-vips"))
 		{
 			printf(" [%s]", ike->get(ike, "local-vips"));
 		}
 		printf("\n");
 
-		printf("  remote '%s' @ %s",
-			ike->get(ike, "remote-id"), ike->get(ike, "remote-host"));
+		printf("  remote '%s' @ %s[%s]",
+			ike->get(ike, "remote-id"), ike->get(ike, "remote-host"),
+			ike->get(ike, "remote-port"));
 		if (ike->get(ike, "remote-eap-id"))
 		{
 			printf(" EAP: '%s'", ike->get(ike, "remote-eap-id"));
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index 6ee8b8785..bbc700d5c 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -59,6 +59,7 @@ static bool is_file_list_key(char *key)
 	char *keys[] = {
 		"certs",
 		"cacerts",
+		"pubkeys"
 	};
 	int i;
 
@@ -112,12 +113,18 @@ static bool add_file_list_key(vici_req_t *req, char *key, char *value)
 						 SWANCTL_X509DIR, DIRECTORY_SEPARATOR, token);
 				token = buf;
 			}
-			if (streq(key, "cacerts"))
+			else if (streq(key, "cacerts"))
 			{
 				snprintf(buf, sizeof(buf), "%s%s%s",
 						 SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, token);
 				token = buf;
 			}
+			else if (streq(key, "pubkeys"))
+			{
+				snprintf(buf, sizeof(buf), "%s%s%s",
+						 SWANCTL_PUBKEYDIR, DIRECTORY_SEPARATOR, token);
+				token = buf;
+			}
 		}
 
 		map = chunk_map(token, FALSE);
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index d2ebc22eb..4647934f7 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -27,11 +30,14 @@
 #include <credentials/sets/callback_cred.h>
 #include <credentials/containers/pkcs12.h>
 
+#include <vici_cert_info.h>
+
 /**
  * Load a single certificate over vici
  */
 static bool load_cert(vici_conn_t *conn, command_format_options_t format,
-					  char *dir, char *type, chunk_t data)
+					  char *dir, certificate_type_t type, x509_flag_t flag,
+					  chunk_t data)
 {
 	vici_req_t *req;
 	vici_res_t *res;
@@ -39,7 +45,11 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
 
 	req = vici_begin("load-cert");
 
-	vici_add_key_valuef(req, "type", "%s", type);
+	vici_add_key_valuef(req, "type", "%N", certificate_type_names, type);
+	if (type == CERT_X509)
+	{
+		vici_add_key_valuef(req, "flag", "%N", x509_flag_names, flag);
+	}
 	vici_add_key_value(req, "data", data.ptr, data.len);
 
 	res = vici_submit(req, conn);
@@ -61,7 +71,7 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
 	}
 	else
 	{
-		printf("loaded %s certificate from '%s'\n", type, dir);
+		printf("loaded certificate from '%s'\n", dir);
 	}
 	vici_free_res(res);
 	return ret;
@@ -71,13 +81,17 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
  * Load certficiates from a directory
  */
 static void load_certs(vici_conn_t *conn, command_format_options_t format,
-					   char *type, char *dir)
+					   char *type_str, char *dir)
 {
 	enumerator_t *enumerator;
+	certificate_type_t type;
+	x509_flag_t flag;
 	struct stat st;
 	chunk_t *map;
 	char *path;
 
+	vici_cert_info_from_str(type_str, &type, &flag);
+
 	enumerator = enumerator_create_directory(dir);
 	if (enumerator)
 	{
@@ -88,7 +102,7 @@ static void load_certs(vici_conn_t *conn, command_format_options_t format,
 				map = chunk_map(path, FALSE);
 				if (map)
 				{
-					load_cert(conn, format, path, type, *map);
+					load_cert(conn, format, path, type, flag, *map);
 					chunk_unmap(map);
 				}
 				else
@@ -171,6 +185,9 @@ static bool load_key_anytype(vici_conn_t *conn, command_format_options_t format,
 		case KEY_ECDSA:
 			loaded = load_key(conn, format, path, "ecdsa", encoding);
 			break;
+		case KEY_BLISS:
+			loaded = load_key(conn, format, path, "bliss", encoding);
+			break;
 		default:
 			fprintf(stderr, "unsupported key type in '%s'\n", path);
 			break;
@@ -237,6 +254,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype,
 		{ "pkcs8",			CRED_PRIVATE_KEY,		KEY_ANY,			},
 		{ "rsa",			CRED_PRIVATE_KEY,		KEY_RSA,			},
 		{ "ecdsa",			CRED_PRIVATE_KEY,		KEY_ECDSA,			},
+		{ "bliss",			CRED_PRIVATE_KEY,		KEY_BLISS,			},
 		{ "pkcs12",			CRED_CONTAINER,			CONTAINER_PKCS12,	},
 	};
 	int i;
@@ -439,7 +457,8 @@ static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format,
 		loaded = FALSE;
 		if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
 		{
-			loaded = load_cert(conn, format, path, "x509", encoding);
+			loaded = load_cert(conn, format, path, CERT_X509, X509_NONE,
+							   encoding);
 			if (loaded)
 			{
 				fprintf(stderr, "  %Y\n", cert->get_subject(cert));
@@ -548,6 +567,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
 		"ike",
 		"rsa",
 		"ecdsa",
+		"bliss",
 		"pkcs8",
 		"pkcs12",
 	};
@@ -672,14 +692,17 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
 		}
 	}
 
-	load_certs(conn, format, "x509", SWANCTL_X509DIR);
-	load_certs(conn, format, "x509ca", SWANCTL_X509CADIR);
-	load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
-	load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
-	load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
+	load_certs(conn, format, "x509",     SWANCTL_X509DIR);
+	load_certs(conn, format, "x509ca",   SWANCTL_X509CADIR);
+	load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR);
+	load_certs(conn, format, "x509aa",   SWANCTL_X509AADIR);
+	load_certs(conn, format, "x509ac",   SWANCTL_X509ACDIR);
+	load_certs(conn, format, "x509crl",  SWANCTL_X509CRLDIR);
+	load_certs(conn, format, "pubkey",   SWANCTL_PUBKEYDIR);
 
-	load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
+	load_keys(conn, format, noprompt, cfg, "rsa",   SWANCTL_RSADIR);
 	load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
+	load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
 	load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
 
 	load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);
diff --git a/src/swanctl/commands/redirect.c b/src/swanctl/commands/redirect.c
new file mode 100644
index 000000000..6edb936e6
--- /dev/null
+++ b/src/swanctl/commands/redirect.c
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "command.h"
+
+#include <errno.h>
+
+static int redirect(vici_conn_t *conn)
+{
+	vici_req_t *req;
+	vici_res_t *res;
+	command_format_options_t format = COMMAND_FORMAT_NONE;
+	char *arg, *peer_ip = NULL, *peer_id = NULL, *ike = NULL, *gateway = NULL;
+	int ret = 0, ike_id = 0;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 'P':
+				format |= COMMAND_FORMAT_PRETTY;
+				/* fall through to raw */
+			case 'r':
+				format |= COMMAND_FORMAT_RAW;
+				continue;
+			case 'i':
+				ike = arg;
+				continue;
+			case 'I':
+				ike_id = atoi(arg);
+				continue;
+			case 'p':
+				peer_ip = arg;
+				continue;
+			case 'd':
+				peer_id = arg;
+				continue;
+			case 'g':
+				gateway = arg;
+				continue;
+			case EOF:
+				break;
+			default:
+				return command_usage("invalid --redirect option");
+		}
+		break;
+	}
+	req = vici_begin("redirect");
+	if (ike)
+	{
+		vici_add_key_valuef(req, "ike", "%s", ike);
+	}
+	if (ike_id)
+	{
+		vici_add_key_valuef(req, "ike-id", "%d", ike_id);
+	}
+	if (peer_ip)
+	{
+		vici_add_key_valuef(req, "peer-ip", "%s", peer_ip);
+	}
+	if (peer_id)
+	{
+		vici_add_key_valuef(req, "peer-id", "%s", peer_id);
+	}
+	if (gateway)
+	{
+		vici_add_key_valuef(req, "gateway", "%s", gateway);
+	}
+	res = vici_submit(req, conn);
+	if (!res)
+	{
+		ret = errno;
+		fprintf(stderr, "redirect request failed: %s\n", strerror(errno));
+		return ret;
+	}
+	if (format & COMMAND_FORMAT_RAW)
+	{
+		vici_dump(res, "redirect reply", format & COMMAND_FORMAT_PRETTY,
+				  stdout);
+	}
+	else
+	{
+		if (streq(vici_find_str(res, "no", "success"), "yes"))
+		{
+			printf("redirect completed successfully\n");
+		}
+		else
+		{
+			fprintf(stderr, "redirect failed: %s\n",
+					vici_find_str(res, "", "errmsg"));
+			ret = 1;
+		}
+	}
+	vici_free_res(res);
+	return ret;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		redirect, 'd', "redirect", "redirect an IKE_SA",
+		{"--ike <name> | --ike-id <id> | --peer-ip <ip|subnet|range>",
+		 "--peer-id <id|wildcards> | --gateway <ip|fqdn> [--raw|--pretty]"},
+		{
+			{"help",		'h', 0, "show usage information"},
+			{"ike",			'i', 1, "redirect by IKE_SA name"},
+			{"ike-id",		'I', 1, "redirect by IKE_SA unique identifier"},
+			{"peer-ip",		'p', 1, "redirect by client IP"},
+			{"peer-id",		'd', 1, "redirect by IKE_SA name"},
+			{"gateway",		'g', 1, "target gateway (IP or FQDN)"},
+			{"raw",			'r', 0, "dump raw response message"},
+			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+		}
+	});
+}
diff --git a/src/swanctl/commands/stats.c b/src/swanctl/commands/stats.c
index a28ca83ba..e734c66ff 100644
--- a/src/swanctl/commands/stats.c
+++ b/src/swanctl/commands/stats.c
@@ -15,8 +15,17 @@
 
 #include "command.h"
 
+#include <collections/hashtable.h>
+
 #include <errno.h>
 
+CALLBACK(list, int,
+	hashtable_t *sa, vici_res_t *res, char *name, void *value, int len)
+{
+	printf(" %.*s", len, value);
+	return 0;
+}
+
 static int stats(vici_conn_t *conn)
 {
 	vici_req_t *req;
@@ -98,6 +107,9 @@ static int stats(vici_conn_t *conn)
 				vici_find_str(res, "", "mallinfo.used"),
 				vici_find_str(res, "", "mallinfo.free"));
 		}
+		printf("loaded plugins:");
+		vici_parse_cb(res, NULL, NULL, list, NULL);
+		printf("\n");
 	}
 	vici_free_res(res);
 	return 0;
diff --git a/src/swanctl/swanctl.8.in b/src/swanctl/swanctl.8.in
index cd033f91e..a3074601e 100644
--- a/src/swanctl/swanctl.8.in
+++ b/src/swanctl/swanctl.8.in
@@ -1,4 +1,4 @@
-.TH SWANCTL 8 "2014-04-28" "@PACKAGE_VERSION@" "strongSwan"
+.TH SWANCTL 8 "2015-11-20" "@PACKAGE_VERSION@" "strongSwan"
 .SH NAME
 swanctl \- strongSwan configuration, control and monitoring command line interface.
 .SH SYNOPSIS
@@ -41,6 +41,10 @@ initiate a connection
 \-\-terminate\fR
 terminate a connection
 .TP
+.B "\-d, \-\-redirect"
+\-\-redirect\fR
+redirect an IKE_SA
+.TP
 .B "\-p, \-\-install"
 install a trap or shunt policy
 .TP
@@ -68,6 +72,9 @@ list stored certificates
 .B "\-A, \-\-list\-pools"
 list loaded pool configurations
 .TP
+.B "\-g, \-\-list\-algs"
+list loaded algorithms and their implementation
+.TP
 .B "\-q, \-\-load\-all"
 (re\-)load credentials, pools, authorities and connections
 .TP
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index c480ce174..428be91e7 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -13,7 +13,7 @@
         # Remote address(es) to use for IKE communication, comma separated.
         # remote_addrs = %any
 
-        # Local UPD port for IKE communication.
+        # Local UDP port for IKE communication.
         # local_port = 500
 
         # Remote UDP port for IKE communication.
@@ -43,7 +43,7 @@
         # Timeout for DPD checks (IKEV1 only).
         # dpd_timeout = 0s
 
-        # Use IKEv1 UDP packet fragmentation (yes, no or force).
+        # Use IKE UDP datagram fragmentation.  (yes, no or force).
         # fragmentation = no
 
         # Send certificate requests payloads (yes or no).
@@ -76,10 +76,19 @@
         # Section for a local authentication round.
         # local<suffix> {
 
+            # Optional numeric identifier by which authentication rounds are
+            # sorted.  If not specified rounds are ordered by their position in
+            # the config file/VICI message.
+            # round = 0
+
             # Comma separated list of certificate candidates to use for
             # authentication.
             # certs =
 
+            # Comma separated list of raw public key candidates to use for
+            # authentication.
+            # pubkeys =
+
             # Authentication to perform locally (pubkey, psk, xauth[-backend] or
             # eap[-method]).
             # auth = pubkey
@@ -102,6 +111,11 @@
         # Section for a remote authentication round.
         # remote<suffix> {
 
+            # Optional numeric identifier by which authentication rounds are
+            # sorted.  If not specified rounds are ordered by their position in
+            # the config file/VICI message.
+            # round = 0
+
             # IKE identity to expect for authentication round.
             # id = %any
 
@@ -115,6 +129,10 @@
             # authentication.
             # cacerts =
 
+            # Comma separated list of raw public keys to accept for
+            # authentication.
+            # pubkeys =
+
             # Certificate revocation policy, (strict, ifuri or relaxed).
             # revocation = relaxed
 
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 6e3842d8a..a5b2a731f 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -49,7 +49,7 @@ specified.
 
 .TP
 .BR connections.<conn>.local_port " [500]"
-Local UPD port for IKE communication. By default the port of the socket backend
+Local UDP port for IKE communication. By default the port of the socket backend
 is used, which is usually
 .RI "" "500" "."
 If port
@@ -62,7 +62,7 @@ use (socket\-dynamic).
 
 .TP
 .BR connections.<conn>.remote_port " [500]"
-Remote UPD port for IKE communication. If the default of port
+Remote UDP port for IKE communication. If the default of port
 .RI "" "500" ""
 is used,
 automatic IKE port floating to port 4500 is used to work around NAT issues.
@@ -152,17 +152,21 @@ option has no effect on connections using IKE2.
 
 .TP
 .BR connections.<conn>.fragmentation " [no]"
-The default of
+Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
+fragmentation).  Acceptable  values  are
+.RI "" "yes" ","
+.RI "" "force" ""
+and
 .RI "" "no" ""
-disables IKEv1 fragmentation mechanism,
-.RI "" "yes" ""
-enables it if
-support has been indicated by the peer.
+(the default).
+Fragmented IKE messages sent by a peer are always accepted irrespective of  the
+value  of  this option. If set to
+.RI "" "yes" ","
+and the peer supports it, oversized IKE
+messages will be sent in fragments.  If set  to
 .RI "" "force" ""
-enforces fragmentation if
-required even before the peer had a chance to indicate support for it.
-
-IKE fragmentation is currently not supported with IKEv2.
+(only  supported  for
+IKEv1) the initial IKE message will already be fragmented if required.
 
 .TP
 .BR connections.<conn>.send_certreq " [yes]"
@@ -311,19 +315,36 @@ unique suffix. To define a single authentication round, the suffix may be
 omitted.
 
 .TP
+.BR connections.<conn>.local<suffix>.round " [0]"
+Optional numeric identifier by which authentication rounds are sorted.  If not
+specified rounds are ordered by their position in the config file/VICI message.
+
+.TP
 .BR connections.<conn>.local<suffix>.certs " []"
 Comma separated list of certificate candidates to use for authentication. The
 certificates may use a relative path from the
 .RB "" "swanctl" ""
 .RI "" "x509" ""
-directory, or
-an absolute path.
+directory or an
+absolute path.
 
 The certificate used for authentication is selected based on the received
 certificate request payloads. If no appropriate CA can be located, the first
 certificate is used.
 
 .TP
+.BR connections.<conn>.local<suffix>.pubkeys " []"
+Comma separated list of raw public key candidates to use for authentication. The
+public keys may use a relative path from the
+.RB "" "swanctl" ""
+.RI "" "pubkey" ""
+directory or
+an absolute path.
+
+Even though multiple local public keys could be defined in principle, only the
+first public key in the list is used for authentication.
+
+.TP
 .BR connections.<conn>.local<suffix>.auth " [pubkey]"
 Authentication to perform locally.
 .RI "" "pubkey" ""
@@ -362,6 +383,31 @@ a specific EAP method name may be appended, separated by a dash. An
 EAP module implementing the appropriate method is selected to perform the EAP
 conversation.
 
+If both peers support RFC 7427 ("Signature Authentication in IKEv2") specific
+hash algorithms to be used during IKEv2 authentication may be configured. To do
+so use
+.RI "" "ike:" ""
+followed by a trust chain signature scheme constraint (see
+description of the
+.RB "" "remote" ""
+section's
+.RB "" "auth" ""
+keyword). For example, with
+.RI "" "ike:pubkey\-sha384\-sha256" ""
+a public key signature scheme with either SHA\-384 or
+SHA\-256 would get used for authentication, in that order and depending on the
+hash algorithms supported by the peer. If no specific hash algorithms are
+configured, the default is to prefer an algorithm that matches or exceeds the
+strength of the signature key. If no constraints with
+.RI "" "ike:" ""
+prefix are
+configured any signature scheme constraint (without
+.RI "" "ike:" ""
+prefix) will also
+apply to IKEv2 authentication, unless this is disabled in
+.RB "" "strongswan.conf" "(5)."
+
+
 .TP
 .BR connections.<conn>.local<suffix>.id " []"
 IKE identity to use for authentication round. When using certificate
@@ -432,6 +478,11 @@ unique suffix. To define a single authentication round, the suffix may be
 omitted.
 
 .TP
+.BR connections.<conn>.remote<suffix>.round " [0]"
+Optional numeric identifier by which authentication rounds are sorted.  If not
+specified rounds are ordered by their position in the config file/VICI message.
+
+.TP
 .BR connections.<conn>.remote<suffix>.id " [%any]"
 IKE identity to expect for authentication round. Refer to the
 .RI "" "local" ""
@@ -451,8 +502,8 @@ Comma separated list of certificates to accept for authentication. The
 certificates may use a relative path from the
 .RB "" "swanctl" ""
 .RI "" "x509" ""
-directory, or
-an absolute path.
+directory or an
+absolute path.
 
 .TP
 .BR connections.<conn>.remote<suffix>.cacerts " []"
@@ -460,10 +511,19 @@ Comma separated list of CA certificates to accept for authentication. The
 certificates may use a relative path from the
 .RB "" "swanctl" ""
 .RI "" "x509ca" ""
-directory, or
+directory or
 an absolute path.
 
 .TP
+.BR connections.<conn>.remote<suffix>.pubkeys " []"
+Comma separated list of raw public keys to accept for authentication. The public
+keys may use a relative path from the
+.RB "" "swanctl" ""
+.RI "" "x509" ""
+directory or an
+absolute path.
+
+.TP
 .BR connections.<conn>.remote<suffix>.revocation " [relaxed]"
 Certificate revocation policy for CRL or OCSP revocation.
 
@@ -486,10 +546,40 @@ i.e. it is explicitly known that it is bad.
 .BR connections.<conn>.remote<suffix>.auth " [pubkey]"
 Authentication to expect from remote. See the
 .RB "" "local" ""
-sections
+section's
 .RB "" "auth" ""
 keyword description about the details of supported mechanisms.
 
+To require a trustchain public key strength for the remote side, specify the key
+type followed by the minimum strength in bits (for example
+.RI "" "ecdsa\-384" ""
+or
+.RI "" "rsa\-2048\-ecdsa\-256" ")."
+To limit the acceptable set of hashing algorithms for
+trustchain validation, append hash algorithms to
+.RI "" "pubkey" ""
+or a key strength
+definition (for example
+.RI "" "pubkey\-sha1\-sha256" ""
+or
+.RI "" "rsa\-2048\-ecdsa\-256\-sha256\-sha384\-sha512" ")."
+Unless disabled in
+.RB "" "strongswan.conf" "(5),"
+or explicit IKEv2 signature constraints are configured
+(refer to the description of the
+.RB "" "local" ""
+section's
+.RB "" "auth" ""
+keyword for
+details), such key types and hash algorithms are also applied as constraints
+against IKEv2 signature authentication schemes used by the remote side.
+
+To specify trust chain constraints for EAP\-(T)TLS, append a colon to the EAP
+method, followed by the key type/size and hash algorithm as discussed above
+(e.g.
+.RI "" "eap\-tls:ecdsa\-384\-sha384" ")."
+
+
 .TP
 .B connections.<conn>.children.<child>
 .br
@@ -722,8 +812,8 @@ is negotiated if the preferred mode is not available.
 .RI "" "pass" ""
 and
 .RI "" "drop" ""
-are used to install shunt policies, which explicitly bypass
-the defined traffic from IPsec processing, or drop it, respectively.
+are used to install shunt policies which explicitly bypass the
+defined traffic from IPsec processing or drop it, respectively.
 
 .TP
 .BR connections.<conn>.children.<child>.policies " [yes]"
@@ -856,7 +946,7 @@ which defines the secret type.
 
 It is not recommended to define any private key decryption passphrases, as then
 there is no real security benefit in having encrypted keys. Either store the key
-unencrypted, or enter the keys manually when loading credentials.
+unencrypted or enter the keys manually when loading credentials.
 
 .TP
 .B secrets.eap<suffix>
@@ -872,7 +962,7 @@ as well.
 Value of the EAP/XAuth secret. It may either be an ASCII string, a hex encoded
 string if it has a
 .RI "" "0x" ""
-prefix, or a Base64 encoded string if it has a
+prefix or a Base64 encoded string if it has a
 .RI "" "0s" ""
 prefix in its value.
 
@@ -907,7 +997,7 @@ prefix.
 Value of the IKE preshared secret. It may either be an ASCII string, a hex
 encoded string if it has a
 .RI "" "0x" ""
-prefix, or a Base64 encoded string if it has a
+prefix or a Base64 encoded string if it has a
 .RI "" "0s" ""
 prefix in its value.
 
@@ -1003,7 +1093,7 @@ Section defining a single pool with a unique name.
 .TP
 .BR pools.<name>.addrs " []"
 Subnet or range defining addresses allocated in pool. Accepts a single CIDR
-subnet defining the pool to allocate addresses from, or an address range
+subnet defining the pool to allocate addresses from or an address range
 (<from>\-<to>).  Pools must be unique and non\-overlapping.
 
 .TP
@@ -1042,7 +1132,8 @@ Section defining a certification authority with a unique name.
 The certificates may use a relative path from the
 .RB "" "swanctl" ""
 .RI "" "x509ca" ""
-directory, or an absolute path.
+directory
+or an absolute path.
 
 .TP
 .BR authorities.<name>.crl_uris " []"
diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h
index cb570cd34..560e89513 100644
--- a/src/swanctl/swanctl.h
+++ b/src/swanctl/swanctl.h
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -42,6 +45,11 @@
 #define SWANCTL_X509AADIR SWANCTLDIR "/x509aa"
 
 /**
+ * Directory for X.509 OCSP Signer certs
+ */
+#define SWANCTL_X509OCSPDIR SWANCTLDIR "/x509ocsp"
+
+/**
  * Directory for X.509 CRLs
  */
 #define SWANCTL_X509CRLDIR SWANCTLDIR "/x509crl"
@@ -52,6 +60,11 @@
 #define SWANCTL_X509ACDIR SWANCTLDIR "/x509ac"
 
 /**
+ * Directory for raw public keys
+ */
+#define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey"
+
+/**
  * Directory for RSA private keys
  */
 #define SWANCTL_RSADIR SWANCTLDIR "/rsa"
@@ -62,6 +75,11 @@
 #define SWANCTL_ECDSADIR SWANCTLDIR "/ecdsa"
 
 /**
+ * Directory for BLISS private keys
+ */
+#define SWANCTL_BLISSDIR SWANCTLDIR "/bliss"
+
+/**
  * Directory for PKCS#8 encoded private keys
  */
 #define SWANCTL_PKCS8DIR SWANCTLDIR "/pkcs8"
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index ef38d5d86..145fab28d 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -42,9 +42,9 @@ connections.<conn>.remote_addrs = %any
 	be specified.
 
 connections.<conn>.local_port = 500
-	Local UPD port for IKE communication.
+	Local UDP port for IKE communication.
 
-	Local UPD port for IKE communication. By default the port of the socket
+	Local UDP port for IKE communication. By default the port of the socket
 	backend is used, which is usually _500_. If port _500_ is used, automatic
 	IKE port floating to port 4500 is used to work around NAT issues.
 
@@ -54,7 +54,7 @@ connections.<conn>.local_port = 500
 connections.<conn>.remote_port = 500
 	Remote UDP port for IKE communication.
 
-	Remote UPD port for IKE communication. If the default of port _500_ is used,
+	Remote UDP port for IKE communication. If the default of port _500_ is used,
 	automatic IKE port floating to port 4500 is used to work around NAT issues.
 
 connections.<conn>.proposals = default
@@ -140,14 +140,15 @@ connections.<conn>.dpd_timeout = 0s
 	specified; this option has no effect on connections using IKE2.
 
 connections.<conn>.fragmentation = no
-	Use IKEv1 UDP packet fragmentation (_yes_, _no_ or _force_).
+	Use IKE UDP datagram fragmentation.  (_yes_, _no_ or _force_).
 
-	The default of _no_ disables IKEv1 fragmentation mechanism, _yes_ enables
-	it if support has been indicated by the peer. _force_ enforces
-	fragmentation if required even before the peer had a chance to indicate
-	support for it.
-
-	IKE fragmentation is currently not supported with IKEv2.
+	Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
+	fragmentation).  Acceptable  values  are _yes_, _force_ and _no_ (the
+	default). Fragmented IKE messages sent by a peer are always accepted
+	irrespective of  the  value  of  this option. If set to _yes_, and the peer
+	supports it, oversized IKE messages will be sent in fragments.  If set  to
+	_force_  (only  supported  for IKEv1) the initial IKE message will already
+	be fragmented if required.
 
 connections.<conn>.send_certreq = yes
 	Send certificate requests payloads (_yes_ or _no_).
@@ -267,17 +268,32 @@ connections.<conn>.local<suffix> {}
 	unique suffix. To define a single authentication round, the suffix may be
 	omitted.
 
+connections.<conn>.local<suffix>.round = 0
+	Optional numeric identifier by which authentication rounds are sorted.  If
+	not specified rounds are ordered by their position in the config file/VICI
+	message.
+
 connections.<conn>.local<suffix>.certs =
 	Comma separated list of certificate candidates to use for authentication.
 
 	Comma separated list of certificate candidates to use for authentication.
 	The certificates may use a relative path from the **swanctl** _x509_
-	directory, or an absolute path.
+	directory or an absolute path.
 
 	The certificate used for authentication is selected based on the received
 	certificate request payloads. If no appropriate CA can be located, the
 	first certificate is used.
 
+connections.<conn>.local<suffix>.pubkeys =
+	Comma separated list of raw public key candidates to use for authentication.
+
+	Comma separated list of raw public key candidates to use for authentication.
+	The public keys may use a relative path from the **swanctl** _pubkey_
+	directory or an absolute path.
+
+	Even though multiple local public keys could be defined in principle, only
+	the	first public key in the list is used for authentication.
+
 connections.<conn>.local<suffix>.auth = pubkey
 	Authentication to perform locally (_pubkey_, _psk_, _xauth[-backend]_ or
 	_eap[-method]_).
@@ -298,6 +314,19 @@ connections.<conn>.local<suffix>.auth = pubkey
 	An EAP module implementing the appropriate method is selected to perform
 	the EAP conversation.
 
+	If both peers support RFC 7427 ("Signature Authentication in IKEv2")
+	specific hash algorithms to be used during IKEv2 authentication may be
+	configured. To do so use _ike:_ followed by a trust chain signature scheme
+	constraint (see description of the **remote** section's **auth** keyword).
+	For example, with _ike:pubkey-sha384-sha256_ a public key signature scheme
+	with either SHA-384 or SHA-256 would get used for authentication, in that
+	order and depending on the hash algorithms supported by the peer. If no
+	specific hash algorithms are configured, the default is to prefer an
+	algorithm that matches or exceeds the strength of the signature key.
+	If no constraints with _ike:_ prefix are configured any signature scheme
+	constraint (without _ike:_ prefix) will also apply to IKEv2 authentication,
+	unless this is disabled in **strongswan.conf**(5).
+
 connections.<conn>.local<suffix>.id =
 	IKE identity to use for authentication round.
 
@@ -350,6 +379,11 @@ connections.<conn>.remote<suffix> {}
 	optional unique suffix. To define a single authentication round, the suffix
 	may be omitted.
 
+connections.<conn>.remote<suffix>.round = 0
+	Optional numeric identifier by which authentication rounds are sorted.  If
+	not specified rounds are ordered by their position in the config file/VICI
+	message.
+
 connections.<conn>.remote<suffix>.id = %any
 	IKE identity to expect for authentication round.
 
@@ -369,14 +403,21 @@ connections.<conn>.remote<suffix>.certs =
 
 	Comma separated list of certificates to accept for authentication.
 	The certificates may use a relative path from the **swanctl** _x509_
-	directory, or an absolute path.
+	directory or an absolute path.
 
 connections.<conn>.remote<suffix>.cacerts =
 	Comma separated list of CA certificates to accept for authentication.
 
 	Comma separated list of CA certificates to accept for authentication.
 	The certificates may use a relative path from the **swanctl** _x509ca_
-	directory, or an absolute path.
+	directory or an absolute path.
+
+connections.<conn>.remote<suffix>.pubkeys =
+	Comma separated list of raw public keys to accept for authentication.
+
+	Comma separated list of raw public keys to accept for authentication.
+	The public keys may use a relative path from the **swanctl** _x509_
+	directory or an absolute path.
 
 connections.<conn>.remote<suffix>.revocation = relaxed
 	Certificate revocation policy, (_strict_, _ifuri_ or _relaxed_).
@@ -397,9 +438,25 @@ connections.<conn>.remote<suffix>.auth = pubkey
 	Authentication to expect from remote (_pubkey_, _psk_, _xauth[-backend]_ or
 	_eap[-method]_).
 
-	Authentication to expect from remote. See the **local** sections **auth**
+	Authentication to expect from remote. See the **local** section's **auth**
 	keyword description about the details of supported mechanisms.
 
+	To require a trustchain public key strength for the remote side, specify the
+	key type followed by the minimum strength in bits (for example _ecdsa-384_
+	or _rsa-2048-ecdsa-256_). To limit the acceptable set of hashing algorithms
+	for trustchain validation, append hash algorithms to _pubkey_ or a key
+	strength definition (for example _pubkey-sha1-sha256_ or
+	_rsa-2048-ecdsa-256-sha256-sha384-sha512_).
+	Unless disabled in **strongswan.conf**(5), or explicit IKEv2 signature
+	constraints are configured (refer to the description of the **local**
+	section's **auth** keyword for details), such key types and hash algorithms
+	are also applied as constraints against IKEv2 signature authentication
+	schemes used by the remote side.
+
+	To specify trust chain constraints for EAP-(T)TLS, append a colon to the
+	EAP method, followed by the key type/size and hash algorithm as discussed
+	above (e.g. _eap-tls:ecdsa-384-sha384_).
+
 connections.<conn>.children.<child> {}
 	CHILD_SA configuration sub-section.
 
@@ -586,8 +643,8 @@ connections.<conn>.children.<child>.mode = tunnel
 	Both _transport_ and _beet_ modes are subject to mode negotiation; _tunnel_
 	mode is negotiated if the preferred mode is not available.
 
-	_pass_ and _drop_ are used to install shunt policies, which explicitly
-	bypass the defined traffic from IPsec processing, or drop it, respectively.
+	_pass_ and _drop_ are used to install shunt policies which explicitly
+	bypass the defined traffic from IPsec processing or drop it, respectively.
 
 connections.<conn>.children.<child>.policies = yes
 	Whether to install IPsec policies or not.
@@ -703,7 +760,7 @@ secrets { # }
 
 	It is not recommended to define any private key decryption passphrases,
 	as then there is no real security benefit in having encrypted keys. Either
-	store the key unencrypted, or enter the keys manually when loading
+	store the key unencrypted or enter the keys manually when loading
 	credentials.
 
 secrets.eap<suffix> { # }
@@ -724,7 +781,7 @@ secrets.eap<suffix>.secret =
 	Value of the EAP/XAuth secret.
 
 	Value of the EAP/XAuth secret. It may either be an ASCII string, a hex
-	encoded string if it has a _0x_ prefix, or a Base64 encoded string if it
+	encoded string if it has a _0x_ prefix or a Base64 encoded string if it
 	has a _0s_ prefix in its value.
 
 secrets.eap<suffix>.id<suffix> =
@@ -744,7 +801,7 @@ secrets.ike<suffix>.secret =
 	Value of the IKE preshared secret.
 
 	Value of the IKE preshared secret. It may either be an ASCII string,
-	a hex encoded string if it has a _0x_ prefix, or a Base64 encoded string if
+	a hex encoded string if it has a _0x_ prefix or a Base64 encoded string if
 	it has a _0s_ prefix in its value.
 
 secrets.ike<suffix>.id<suffix> =
@@ -804,7 +861,7 @@ pools.<name>.addrs =
 	Addresses allocated in pool.
 
 	Subnet or range defining addresses allocated in pool. Accepts a single CIDR
-	subnet defining the pool to allocate addresses from, or an address range
+	subnet defining the pool to allocate addresses from or an address range
 	(<from>-<to>).  Pools must be unique and non-overlapping.
 
 pools.<name>.<attr> =
@@ -827,7 +884,7 @@ authorities.<name>.cacert =
 	CA certificate belonging to the certification authority.
 
 	The certificates may use a relative path from the **swanctl** _x509ca_
-	directory, or an absolute path.
+	directory or an absolute path.
 
 authorities.<name>.crl_uris =
 	Comma-separated list of CRL distribution points